Parsia Hakimian
@CryptoGangsta

"Trust this man, he has a Power Glove." Appsec and Static Analysis @ MSFT. ^(🇮🇷|🇺🇸|🇨🇦)-ian$

Vancouver, BC / Redmond, WA. Joined June 2009
969 Following, 3.6K Followers
9K posts
Parsia Hakimian@CryptoGangsta·
(Hoping) They are alive and well somewhere, The smallest sprout shows there is really no death - Song of Myself by Walt Whitman
Parsia Hakimian reposted
rand0h@dakacki·
Making a concentrated coffee effort to stop mindlessly doomscrolling so replacing that time with watching at least one hacker video every day. Today was @CryptoGangsta’s PowerPoint glove. Need this thing for @WSIIAOfficial 😂 youtu.be/SJ-kfVUoENk?si…
dunadan@udunadan·
@CryptoGangsta Did they specify how mini was mini? Maybe specific models were mentioned?
Parsia Hakimian@CryptoGangsta·
Attended an internal talk by Taesoo Kim (of team Atlanta AIxCC) and holy shit it was a breath of fresh air. An actual nuanced take about LLM vuln research from someone who has already done it as opposed to all the Claude code hype people here.
Parsia Hakimian@CryptoGangsta·
@udunadan 3. Issue with Claude Code style VR: AI finds and AI judges. Requires a lot of human capital to verify the code and see the proof. They had much better luck with AI having access to validation harness where it could actually test its hypothesis. Granted a lot of AIxCC is fuzzing.
Parsia Hakimian@CryptoGangsta·
@udunadan What stuck with me was: 1. Larger models do not automatically mean better. They had better answers from mini models that think less and do not hallucinate for specific tasks 2. The LLMs were a small part of AIxCC, the harness and validations are the major part. /1
tetsuo.cpp (no slop)@tetsuo_cpp·
When you want to learn a new skill, one of the best ways is to observe a master practicing their craft. So when I wanted to truly understand engagement bait, I went to the LinkedIn mines. My takeaway so far is that we should add “agree?” at the end of every post. Agree?
Haifei Li@HaifeiLi·
lol, at this point, I don’t know why Anthropic needs funding, they can literally short stocks before they announce their new AI tool for the sector and easily make billions.
Parsia Hakimian@CryptoGangsta·
@HaifeiLi I don’t know cloudflare said that. I was making fun of the market randomly selling companies
Parsia Hakimian@CryptoGangsta·
@m19o__ It's the perfect opportunity to create SARIF for Markdown!
Parsia Hakimian@CryptoGangsta·
@amaanq It's just the building block of every static analysis tool, no biggie ;). Thank you very much for maintaining tree-sitter.
Parsia Hakimian@CryptoGangsta·
I use models for static analysis everyday. You have to give them targeted prompts and use “traditional sast” to pinpoint the code to ~10KBs of hotspots to get good results. Granted a small code base in my scope is 100MBs of code so YMMV. I am still long tree-sitter.
Claude@claudeai

Introducing Claude Code Security, now in limited research preview. It scans codebases for vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix issues that traditional tools often miss. Learn more: anthropic.com/news/claude-co…

Parsia Hakimian@CryptoGangsta·
@HaifeiLi Haha yeah I am sure. I literally have to use traditional sast to reduce the code to a few KBs before LLMs become usable so I am still long Office and tree-sitter.
Haifei Li@HaifeiLi·
@CryptoGangsta Good for you! Meanwhile I'm still buying the dip because I don't think they can vibecode another Office, I mean, c'mon! :)
Parsia Hakimian@CryptoGangsta·
@HaifeiLi Haha. My grant price was $420 so I am not that much underwater. I actually do not hold a lot of MSFT outside of recent vests after I saw SP500 is basically tech, so I cashed out to buy a home.
Haifei Li@HaifeiLi·
@CryptoGangsta I don’t know man, but as an $MSFT holder like you I was on the “first time?” meme.😂
Parsia Hakimian@CryptoGangsta·
@udunadan I only use OpenAI models running in our own Azure subscription.
dunadan@udunadan·
People using publicly available models (ChatGPT, Claude, etc.) for zero day research, aren't you concerned for the privacy of your findings?
Parsia Hakimian@CryptoGangsta·
@moyix Text has always been dangerous. Instruction manuals and warnings on packaging. We have now decided to talk to machines so we need the same guard rails.
Brendan Dolan-Gavitt@moyix·
I must be getting old because I see people talking about “skills” and how they can be malicious and how some people are building “skill scanners” and I have a hard time understanding how we messed up so bad we made text files dangerous
Parsia Hakimian@CryptoGangsta·
@TR4NNYKISSER People lionize and dream of being "the only person who knows X and changes $$$/hr." In my industry (security), a lot of entry level steps like helpdesk have been effectively cannibalized or outsourced but are still expected by the old guard.
Parsia Hakimian@CryptoGangsta·
@TR4NNYKISSER There is an unfortunately not so small section of experienced engineers who think this is good and provides job security. We’ve had companies who claimed to only hire seniors, Netflix being the most prominent off the top of my head. The industry has been going down this path.