How many layoffs does a company have to do before realizing it’s in their best interest to start asking other companies to take the employees they don’t want to employ anymore?
Also, 75% placement seems wildly successful. Why isn’t Cisco also a head hunting firm?!
It’s absolute baseline, but yes, it relies entirely on the platform’s permissions model, the administrator who assigns permissions, and the application authors to not create vectors for env var dumps. :)
But honestly, if you’re in the container, and the application running in the container can get secrets, so can a shell user.
_Maybe_ there’s a model where the platform exposes a Unix domain socket and checks the PID, user, group of the connection, and delivers secrets that way? This has its problems, too, like it being non-standard, only possible in some scenarios and otherwise fallible… but better than nothing? If you reap the container when that process dies, you can’t race for the same PID, at least. I dunno
You’re thinking too much. When you run the app, the system decrypts the secrets and makes them available as env vars (or some other mechanism).
In an admin ui, you list the names of secrets only, and provide a “reveal” or a “replace” on each one. They are never decrypted unless explicitly asked for.
Is this perfect? Absolutely not. The key is controlled by the company, but it can be derived in a manner that doesn’t allow for the dump of everything if it’s leaked.
Yes! I’ve been trying (and failing!) to get people to understand this. Build the high leverage tools while the tokens are cheap. Unfortunately, I haven’t figured out the right set of high leverage tools. :)
As another data point, I pay for Pro for a personal account, and use no skills, do nothing fancy, use the default settings, and am out of tokens, with one terminal, after an hour. This is typically working on a < 5,000 line code base, sometimes in C, sometimes in Go. Not doing incredibly complicated things.
I use the models to look for vulnerabilities all the time. I find stuff often. Have I tried to do build a new harness, or develop more sophisticated techniques? No. I suspect there are some spending lots of tokens developing more sophisticated strategies, in the same way software engineers are seeking magical one-shot harnesses.
Why? They claim this small model found a bug given some context. I assume the context wasn’t “hey! There’s a very specific type of bug sitting in this function when certain conditions are met.”
We keep assuming that the models need to get bigger and better, and the reality is we’ve not exhausted the ways in which to use the smaller models. It’s like the Playstation 2 games that came out 10 years later. Well now all the tricks were found, and everything improved.
The benefit here is reducing the time to find vulnerabilities; faster than humans, right? So if you can rig a harness for each function in the system, by first finding where it’s used, its expected input, etc, and doing that for all functions, does it discover vulnerabilities faster than humans?
Doesn’t matter that they isolated one thing. It matters that the context they provided was discoverable by the model.
There’s no doubt that stuff is print making. My point is that there are multiple ways of doing (within each of these): relief, Intaglio, lithography, screen printing, offset.
So if you say, “I’m a print maker,” it describes basically nothing. :)
This is just a general statement, not directed at you. Sorry it felt that way.
I like your stuff! I’ve been coveting a plotter for a while, but I’m pretty sure it won’t get used enough to justify the expense. :/
I do find the term “printmaking” hilarious because there’s just sooo many ways to make prints. I tried to get into linocut fairly recently, but the battleship grey linoleum I had wasn’t very good. It cracked and crumbled pretty easily. I did get some of pink Speedball “blocks,” but it gets expensive pretty quickly. I guess more to the point is the feeling that I lack much to say. But, that’s an excuse. :)
Email: - [email protected]
Elsewhere: - https://github.com/apg
[ my public key: https://keybase.io/apg; my proof: https://keybase.io/apg/sigs/FVP39qxp7ptdAG2Nfeigd5-mN2nceMwWnPl2-EIhP4I ]