HackerTrans
トップ新着トレンドコメント過去質問紹介求人

raesene9

6,131 カルマ登録 11 年前
[ my public key: https://keybase.io/raesene; my proof: https://keybase.io/raesene/sigs/UfV9QKNwlG--NbKX9kE5NvJhPFfxDaP5xRnn8ES-9oI ]

Any opinions expressed are purely my own and not necessarily those of any employer, past, present, or future.

Personal Site - https://www.mccune.org.uk Blog - https://raesene.github.io Mastodon - @[email protected] Blue Sky - @mccune.org.uk

コメント

raesene9
·一昨日·議論
Interesting write-up. Having been a bookkeeper a long time ago, I'm not too surprised at this being susceptible to automation by an LLM backed system.

It seems also that the classes of error they encountered could be handled by improved skills/knowledge base access on the fine points of relevant tax legislation.

The important part for their software ofc is, will they take responsibility for the output if HMRC come calling? Without that users are adopting the risk which they may not be keen to do (dealing with HMRC is not fun), with that it could be a very nice saving for a lot of small companies (and bad for the employees of a lot of accountancy firms)
raesene9
·一昨日·議論
If you're going to have "blessed" plugins, which seems like a good idea, you'll need a review and possibly hosting process.

- Review to check that the plugin is reasonable quality/isn't malicious.

- hosting (e.g. the plugin is retrieved from a repo. you control) or "known good" checksums so pi will only download the plugin with a version that you've reviewed.

From a security/supply chain aspect, ironically what you're looking to do is deliberately add some friction to the publishing process, which sounds bad, but can be quite effective at mitigating attacks. Most of the recent supply chain attacks get found by automated scanners in < 24 hours, so having a review process for new releases that takes a while will reduce the number that affect users.

I think having this is handy as it'll give security conscious users more confidence in using pi, without the anxiety of pulling a load of additional code from effectively random sources.
raesene9
·3 日前·議論
It provides a right to privacy if the company allows personal messaging services on the device, but I don't think it provides a right to having personal messaging apps on the device(s).

Personally I think it's much cleaner to keep work stuff on your work device(s) and personal stuff on personal devices. The only place that gets sticky is where companies don't provide the device but want you to have work information on it (e.g. mobile phones)
raesene9
·9 日前·議論
I have a similar experience, for the last 5+ years I've worked in companies where very few of the people I work with are British which does require care on both language and idiom. Combined with being older than a lot of colleagues, cultural references need to be picked with care :D
raesene9
·9 日前·議論
The later Opus models (4.7/4.8), Sonnet 5, and particularly Fable 5 will refuse to do tasks related to offensive security.

One example I've hit is working on a benchmark of how well LLMs handle Kubernetes security tasks, there's a section on them exploiting security misconfigurations. Opus 4.6 was fine with that section, 4.7 and 4.8 saw some refusals and Fable point blank refused to do any of it.

The only other model I've seen refuse is OpenAI GPT-5.5, all the open weight models seem fine with it.

Ofc if you need to do that kind of work a lot you might be able to get on OpenAI/Anthropics allow-list for cyber work.
raesene9
·14 日前·議論
If you want to chat with Claude about this, I'd recommend using Opus 4.6. IME it's happy to talk about (and even write) PoC exploits
raesene9
·14 日前·議論
Yep I've got one I built and it's absolutely fine for my use cases has a web interface/API custom kernels and rootfs, even the facility to set-up custom Kubernetes clusters. It's been really useful for other work like testing out vulnerabilities or security features in isolated envs.
raesene9
·24 日前·議論
Well its document management feature didn't used to have Anti-Virus support which caused me a load of problems back in the 90's when Word Macro viruses were common. :P
raesene9
·24 日前·議論
The original research for this is at https://soroush.me/downloadable/microsoft_iis_tilde_characte...
raesene9
·25 日前·議論
Worth noting that, this isn't just a risk with npm or other package managers. If you're using LLM agents in the directory of a cloned repo, there's risks in skills, hooks etc automatically executing..
raesene9
·25 日前·議論
that probably depends on how much security and resource isolation you need. Multi-Tenant security in Kubernetes is not a simple thing, for a wide variety of reasons, and noisy neighbour problems are also potentially a headache.
raesene9
·先月·議論
The one I remember most is, when experimenting with Opus 3.5 for the first time, I asked it to generate a Firecracker backed local VM creation and management tool, something I'd wanted for a while but not found.

My expectation was that it might get something barely functional but would probably fail, and instead it generated a working piece of software which achieved a lot of what I wanted.

That definitely made me realise that, for at least some classes of software task this was a major change in how things could be done.

More recently when I can give the model a Local Privilege Escalation PoC in Linux and ask it to test whether it can be used for container breakout and then generate a working container breakout, all in one prompt... that definitely changes things.
raesene9
·先月·議論
not really, there are a number of security companies doing analysis of any new packages looking for supply chain attacks, so if you wait a couple of days, till their analysis is complete, you're reducing the risk of hitting a compromised package.
raesene9
·先月·議論
I think perhaps the reason you are seeing quite a few commenters expressing skepticism to your comment "You go to a university because you are deeply interested in understanding the subject that you study." is that you appear to be extrapolating from one example (your own), without considering whether that's likely the wider experience of people going to university.

In the UK anyway, there's an acknowledged idea that many people go to university because there is a societal expectation that they should and also because many careers require a degree even for entry level positions.

There is also much less emphasis on other routes of tertiary education (e.g. vocational schools), when compared to places like Germany.
raesene9
·先月·議論
AFAIK pi's approach is to be quite minimal and allow extensions for customization, making it a more flexible solution, but you need to do work to make it fit your use case. OP mentions one extension, but perhaps it'd have benefited from more.

Another choice would be opencode which has more functionality and is a more heavyweight option out of the box.
raesene9
·先月·議論
[dead]
raesene9
·2 か月前·議論
I'd expect for workflows where there is value in knowing that the data is processed in the UK. From a contractual/data protection standpoint, that could be very useful, depending on the use case.
raesene9
·2 か月前·議論
Data Sovereignty as a term is now fairly well established term that doesn't have specific government connotations e.g. https://events.linuxfoundation.org/kubecon-cloudnativecon-eu...
raesene9
·2 か月前·議論
So old school, now we get install lines like Tell Opencode to "Fetch and follow instructions from https://raw.githubusercontent.com/obra/superpowers/refs/head..."

From a real repo, with 186K stars... https://github.com/obra/superpowers
raesene9
·2 か月前·議論
We don't need hindsight for the problems of supply chain security to be obvious. Security people were writing and doing talks about this stuff over 10 years ago, just (like most things in security) things start getting addressed once the pressure of incidents gets high enough :)