Parsia Hakimian @CryptoGangsta
9K posts

"Trust this man, he has a Power Glove." Appsec and Static Analysis @ MSFT. ^(🇮🇷|🇺🇸|🇨🇦)-ian$

Vancouver, BC / Redmond, WA. Joined June 2009
961 Following, 3.6K Followers
Parsia Hakimian @CryptoGangsta
(Hoping) They are alive and well somewhere. "The smallest sprout shows there is really no death" - Song of Myself by Walt Whitman
dunadan @udunadan
@CryptoGangsta Did they specify how mini was mini? Maybe specific models were mentioned?
Parsia Hakimian @CryptoGangsta
Attended an internal talk by Taesoo Kim (of Team Atlanta, AIxCC) and holy shit, it was a breath of fresh air. An actual nuanced take about LLM vuln research from someone who has already done it, as opposed to all the Claude Code hype people here.
Parsia Hakimian @CryptoGangsta
@udunadan 3. Issue with Claude Code-style VR: AI finds and AI judges. Requires a lot of human capital to verify the code and see the proof. They had much better luck with AI having access to a validation harness where it could actually test its hypothesis. Granted, a lot of AIxCC is fuzzing.
Parsia Hakimian @CryptoGangsta
@udunadan What stuck with me was: 1. Larger models do not automatically mean better. They had better answers from mini models that think less and do not hallucinate for specific tasks. 2. The LLMs were a small part of AIxCC; the harness and validations are the major part. /1
tetsuo.cpp (no slop) @tetsuo_cpp
When you want to learn a new skill, one of the best ways is to observe a master practicing their craft. So when I wanted to truly understand engagement bait, I went to the LinkedIn mines. My takeaway so far is that we should add “agree?” at the end of every post. Agree?
Haifei Li @HaifeiLi
lol, at this point I don’t know why Anthropic needs funding, they can literally short stocks before they announce their new AI tool for the sector and easily make billions.
Parsia Hakimian @CryptoGangsta
@HaifeiLi I don’t know Cloudflare said that. I was making fun of the market randomly selling companies.
Parsia Hakimian @CryptoGangsta
@m19o__ It's the perfect opportunity to create SARIF for Markdown!
Parsia Hakimian @CryptoGangsta
@amaanq It's just the building block of every static analysis tool, no biggie ;). Thank you very much for maintaining tree-sitter.
Parsia Hakimian @CryptoGangsta
I use models for static analysis every day. You have to give them targeted prompts and use “traditional SAST” to pinpoint the code to ~10 KB of hotspots to get good results. Granted, a small code base in my scope is 100 MB of code, so YMMV. I am still long tree-sitter.
Quoting Claude @claudeai:
Introducing Claude Code Security, now in limited research preview. It scans codebases for vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix issues that traditional tools often miss. Learn more: anthropic.com/news/claude-co…
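The "narrow with traditional SAST first, then ask the model" step described in the post above, as an added example that is not Parsia's tooling and not anything from Microsoft or Anthropic. It uses Python's standard-library ast module in place of tree-sitter so it runs with no dependencies (with tree-sitter the same walk generalizes across languages): it flags every function that reaches a known sink, scores it, extracts just that function's source, and packs the highest-scoring ones into a byte-limited prompt context. The sink table and its weights, the 10 KB budget and the sample module are all assumptions constructed for the example.

```python
import ast
from dataclasses import dataclass, field

# Hypothetical sink table (dotted call name -> weight). A real run would take
# these from the project's own SAST rules; the weights here are assumptions.
SINKS = {
    "eval": 10,
    "exec": 10,
    "os.system": 9,
    "subprocess.run": 8,
    "subprocess.Popen": 8,
    "pickle.loads": 8,
    "yaml.load": 6,
    "cursor.execute": 5,
}


@dataclass
class Hotspot:
    path: str
    name: str
    score: int
    sinks: list = field(default_factory=list)
    source: str = ""


def _call_name(call: ast.Call):
    """Dotted name of a call target: os.system(...) -> 'os.system'."""
    node = call.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # call on a subscript, another call result, etc.


def _match_sink(name, sinks):
    """Exact or trailing-segment match, so self.db.cursor.execute hits cursor.execute.
    Suffix matching trades precision for recall: this is the triage step, the
    model (and then a human) does the judging."""
    if name is None:
        return None
    for sink in sinks:
        if name == sink or name.endswith("." + sink):
            return sink
    return None


def find_hotspots(path, code, sinks=SINKS):
    """Return every function in `code` that reaches a sink, with its own source only."""
    tree = ast.parse(code)
    hotspots = []
    for fn in ast.walk(tree):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        hits = []
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                sink = _match_sink(_call_name(node), sinks)
                if sink:
                    hits.append(sink)
        if hits:
            src = ast.get_source_segment(code, fn) or ""
            hotspots.append(Hotspot(path, fn.name, sum(sinks[h] for h in hits), hits, src))
    return hotspots


def build_prompt_context(hotspots, budget_bytes=10_000):
    """Pack the highest-scoring functions into at most budget_bytes of prompt text."""
    chunks, used = [], 0
    for h in sorted(hotspots, key=lambda h: h.score, reverse=True):
        block = f"# {h.path}:{h.name} sinks={h.sinks}\n{h.source}\n"
        size = len(block.encode("utf-8"))
        if used + size > budget_bytes:
            continue  # too big for what is left; a smaller function may still fit
        chunks.append(block)
        used += size
    return "".join(chunks), used


# Constructed sample module standing in for one file of a large code base.
SAMPLE = '''
import os, subprocess

def greet(name):
    return "hi " + name

def run_report(cmd):
    return os.system("report " + cmd)

def launch(args):
    subprocess.run(args, shell=True)
    return eval(args[0])
'''

if __name__ == "__main__":
    hs = find_hotspots("sample.py", SAMPLE)
    context, used = build_prompt_context(hs, budget_bytes=10_000)
    print(f"{len(hs)} hotspot functions, {used} bytes of prompt context\n")
    print(context)  # this, not the whole file, is what goes into the model prompt
```

On the sample, greet never appears in the context, launch (two sinks) is emitted before run_report, and a budget too small for either function yields an empty context rather than a truncated one, so the model never sees half a function.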
Parsia Hakimian @CryptoGangsta
@HaifeiLi Haha yeah, I am sure. I literally have to use traditional SAST to reduce the code to a few KB before LLMs become usable, so I am still long Office and tree-sitter.
Haifei Li @HaifeiLi
@CryptoGangsta Good for you! Meanwhile I'm still buying the dip because I don't think they can vibe-code another Office, I mean, c'mon! :)
Parsia Hakimian @CryptoGangsta
@HaifeiLi Haha. My grant price was $420, so I am not that much underwater. I actually do not hold a lot of MSFT outside of recent vests: after I saw that the S&P 500 is basically tech, I cashed out to buy a home.
Haifei Li @HaifeiLi
@CryptoGangsta I don’t know man, but as an $MSFT holder like you, I was on the “first time?” meme. 😂
Parsia Hakimian @CryptoGangsta
@udunadan I only use OpenAI models running in our own Azure subscription.
Parsia Hakimian @CryptoGangsta
@moyix Text has always been dangerous. Instruction manuals and warnings on packaging. We have now decided to talk to machines, so we need the same guard rails.
Brendan Dolan-Gavitt @moyix
I must be getting old because I see people talking about “skills” and how they can be malicious and how some people are building “skill scanners”, and I have a hard time understanding how we messed up so badly that we made text files dangerous.
Parsia Hakimian @CryptoGangsta
@TR4NNYKISSER People lionize and dream of being "the only person who knows X and charges $$$/hr." In my industry (security), a lot of entry-level steps like helpdesk have been effectively cannibalized or outsourced but are still expected by the old guard.
Parsia Hakimian @CryptoGangsta
@TR4NNYKISSER There is an unfortunately not-so-small section of experienced engineers who think this is good and provides job security. We’ve had companies who claimed to only hire seniors, Netflix being the most prominent off the top of my head. The industry has been going down this path.
O-desmetraumadoll @TR4NNYKISSER
It's an interesting microcosm how the specific capabilities of LLMs to produce functional simple code price junior developers out of work, preventing them from accumulating the experience and skills to do the work LLMs absolutely cannot. The industry is lobotomising itself.
Quoting forloop @forloopcodes:
IT IS GOING TO POP. OpenAI is a $14b hole in the tech economy bragging about 20b revenue while they are bleeding 1.2b a month on inference. They are currently begging Abu Dhabi for 100b because their Microsoft credits ran out and their H100s are not enough. If they don't hit AGI by Christmas the liquidation will be historic. The saaspocalypse wiped 1.5 trillion in market cap last week just because one instance of 4.6 replaces a 50-member team at a startup for the price of a Netflix sub. Vibe coding is a cancer in tech. People are generating 10kloc of unreviewed 5.3 codex garbage every hour. 45% of this code is literally vulnerable to XSS and exposed API keys. Open source is being murdered by vibe-coded slop. 90% of GitHub PRs this month are just bot spam from junior devs trying to karma farm with broken code they didn't even read. Maintainers are literally turning off the pull request button because they can't spend 10 hours a day closing hallucinated garbage. By the time a freshman finishes their CS degree, a $1 API call will be able to reverse engineer and refactor their entire senior project in 30 seconds. The only people surviving the pop are the ones who own the power plants and the copper mines.