| ▲ | alex_young 8 hours ago |
| The whole framing is kind of uninteresting imo. If you spend more time researching code you can find more bugs to exploit / patch is not an earthshaking observation. Adding the words “by Claude” to it doesn’t materially change it. One could also pay a few humans to do the same thing. People have done that for decades. |
|
| ▲ | Glemllksdf 6 hours ago | parent | next [-] |
| It reduces the cost significantly. A good security expert earns how much per year? And that person works 8/5. Now you can just throw money at it. CIA and co pay for sure more than 20k (thats what the anthropic red team stated as a cost for a complex exploit) for a zero day. If someone builds some framework around this, you can literaly copy and paste it, throw money at it and scale it. This is not possible with a human. |
| |
| ▲ | eikenberry 4 hours ago | parent [-] | | > It reduces the cost significantly. > Now you can just throw money at it. What happens when you throw enough money at it that it raises the cost significantly. | | |
| ▲ | Glemllksdf 3 hours ago | parent | next [-] | | But thats the thing, its already competitive and its not even released. CIA and FBI and states easily pay 100k for a zero day. Plenty of companies have security expert staff on file. And it will become cheaper and easyer to use, fast. | |
| ▲ | i_think_so an hour ago | parent | prev [-] | | chef's kiss Logged in just to show some love. +1 for the economics. +1 again (if I could) for the truth-to-power. We need a lot more of this kind of multi-disciplinary skepticism to counterbalance the industrial grade rockstar ninja 10x Kool-Aid drinking. |
|
|
|
| ▲ | drob518 7 hours ago | parent | prev | next [-] |
| Right, but what is interesting is that you can buy it off the rack for the price of tokens. You don’t have to do a specialist search for a security expert, pay a recruiter, hire them, wait for the specialist to start, pay them a signing bonus, pay them an expert-level salary, pay their social security taxes, healthcare benefits, and finally pay for an exit package when you lay them off because the project got canceled. You buy tokens when you need them and you stop buying when you don’t. This was the same dynamic that made cloud computing more interesting than company-owned servers in a company-owned data center. It’s more responsive to business needs and it falls under the development expense budget, not payroll, so you can do it even during hiring freezes. |
| |
| ▲ | tracker1 3 hours ago | parent [-] | | But, you do have to have at least an employee or contractor skilled enough to actually understand the scope of a given bug report from the agent in order to determine validity. I've seen plenty of legit bug reports by humans get dismissed because the reviewer didn't understand the material impact or how the bug/exploit worked. | | |
| ▲ | drob518 an hour ago | parent [-] | | Yep, sure. So, maybe you hire one and not three. The point is, it’s going to be fewer. Of course, all that assumes the AI is actually as good as a human, which I’m still skeptical of. |
|
|
|
| ▲ | pixl97 7 hours ago | parent | prev [-] |
| This is the weirdest take I've seen. It takes humans a very long time to learn how to code/find bugs. You just can't take any human and have them do it in a reasonable amount of time with a reasonable amount of money. Claude is effectively automation, once you have the hardware you can run as many copies of the model as you want. Factories can build hardware far faster then they can train more people. It's weird to see a denial of the industrial revolution on HN. |
| |
| ▲ | alex_young 7 hours ago | parent | next [-] | | A bit uncharitable no? I’m not denying that LLMs can be used to improve security research, suggesting that their use is wrong or anything like that. Humans have used software to research security for a long time. AI driven SAST is clearly going to help improve productivity. | | |
| ▲ | pixl97 6 hours ago | parent [-] | | Quantity is a quality. Humans burned stuff for a very long time now, it's when we started burning coal in mass industrially that the global environmental impacts started stacking up to the point of considerable damage. |
| |
| ▲ | tracker1 3 hours ago | parent | prev [-] | | You still need people in the mix that understand the scope, scale and impact of the exploits/bugs found. Just letting agents go wild is how you get slop over time... You can probably get away without them to an extent, but I'd suggest that you're likely to increase the risk of errors and misbehavior in practice over time by not checking agent work. Even checking human work is often a shortcoming of processes in practice. |
|
