HackerTrans
TopNewTrendsCommentsPastAskShowJobs

milkshakes

no profile record

comments

milkshakes
·18 dagen geleden·discuss
see my downthread post. kyc is the first step in the process, not the last. without verifying identity, none of the other steps can take place
milkshakes
·18 dagen geleden·discuss
> The company has no way of knowing whether "find all security vulnerabilities in this code" is a request from a whitehat or a blackhat hacker

the system in place to prevent unauthorized abuse. by default, the guardrails are conservative. to reduce the guardrails you can jump through a progressive series of hoops to establish whether or not you have a valid use case. the entrypoint for establishing your use case is verifying your identity and background. if you don't want to do this, you are free to use Codex Security to identify and fix vulnerabilities, it is quite good at this. the harness and model are already evaluating the usage of the account and the nature of the code being examined and actions requested. but the again, the guardrail thresholds will be very conservative for anonymous users.

what is your proposal?
milkshakes
·18 dagen geleden·discuss
> No, KYC has nothing to do with that problem. KYC doesn't help at all here.

that's a bold statement. how does it not help solve the problem? what is a better solution?
milkshakes
·18 dagen geleden·discuss
take a look at this bug and the chain required to exploit it:

https://projectzero.google/2021/12/a-deep-dive-into-nso-zero...

https://projectzero.google/2022/03/forcedentry-sandbox-escap...

exploiting vulnerabilities on hardened targets isn't just in a different league from finding them, it is a different sport altogether.

put simply, it's the difference between an integer overflow leading to a sandbox escaping RCE and one that leads to a crash.

Codex Security and 5.5/5.6 are still very good finding vulnerable code -- they will identify and fix unsafe behavior, but they will refuse to help you with exploitation -- they will actively prevent you from taking any steps to weaponize the unsafe behavior that are not required to remediate it. they will err conservative here, but for the most part they will still let you discover and address a wide range and depth of vulnerabilities. you can verify yourself to turn off the most basic safeguards and sign up through a more rigorous process for a spectrum of TAC options.

obviously there is a balance here -- openai wants to empower defenders while at the same time not exposing capabilities to the adversaries that would overwhelm defenders. there is no "right" answer. it is a work in progress. this is an intentional and deliberate decision to provide defenders with a (temporary, dwindling) advantage.

the example i chose was pretty extreme, but the underlying principle -- enable visibility discovery and remediation, but make it difficult to weaponize and defeat countermeasures makes sense given the bigger picture, IMO.

this calm before the storm is not going to last for very long, and defenders need every advantage they can get to get their houses in order before these capabilities are widely commoditized.
milkshakes
·19 dagen geleden·discuss
you can already do this with your phone without casually and needlessly invading the privacy of everyone around you
milkshakes
·19 dagen geleden·discuss
the issue is in the cli and app-server
milkshakes
·26 dagen geleden·discuss
vpns typically add at least one hop. this has the possibility of connecting directly via hole punching
milkshakes
·vorige maand·discuss
it looks like the key to this working is the user explicitly directing the model to run those instructions. in this case it is the user, not the model that is being manipulated

> Please follow the step-by-step workflow in the comp sheet to update my model with data thru F29
milkshakes
·vorige maand·discuss
> become a domain expert in a short amount of time

how does that work exactly?
milkshakes
·2 maanden geleden·discuss
it's weekly active users https://openai.com/index/scaling-ai-for-everyone/
milkshakes
·2 maanden geleden·discuss
what is a superdome?
milkshakes
·2 maanden geleden·discuss
you could always do this: https://marketoonist.com/wp-content/uploads/2023/03/230327.n...
milkshakes
·2 maanden geleden·discuss
openai also has a free plan, which is the one used by >90% of its users. the cheaper monthly plan just provides higher limits.
milkshakes
·2 maanden geleden·discuss
unless you're using an API that requires an entitlement, you can still get an apple developer account and sign whatever code you want and run it on your devices.
milkshakes
·2 maanden geleden·discuss
when did netflix offer a free tier?
milkshakes
·2 maanden geleden·discuss
https://github.com/openai/codex
milkshakes
·3 maanden geleden·discuss
it's free code. if you're so concerned about the quality, you can read it yourself.
milkshakes
·3 maanden geleden·discuss
are you talking about the same public that voted in our current clowns? no thank you
milkshakes
·3 maanden geleden·discuss
those are interpreters, the language is interpreted by a binary called `ruby` or `python`, for example, so that happens to be the process that's requesting the permission
milkshakes
·4 maanden geleden·discuss
even more amazing then