Sabitlenmiş Tweet
From my experience all software developers are now security engineers wether they know it, admit to it or do it. Your code is now the security of the org you work for. #GoldenAgeOfDefense
Wat Ket, Thailand 🇹🇭 English
Jim Manico from Manicode Security
43.2K posts
Jim Manico from Manicode Security
@manicode
AI and AppSec Educator. Secure coding system prompts. https://t.co/gbW3ZLhURT
Kauai, HI and Cobb, CA Katılım Temmuz 2009
6K Takip Edilen17K Takipçiler
English
@Alex_TheAnalyst @grok how do I avoid this intellectual dystopian future?
English
I'm going to call this right now. We are going to have a large population with absolutely no critical thinking skills if they blindly trust AI for everything.
We have all already seen it.
They don't validate outputs. They don't really understand anything. They just ask questions, it looks good, and they go with it.
There are going to be huge issues in every company as this continues over the years. The amount of technical debt and knowledge gaps are going to be insane.
So much opportunity if you actually know what you're doing.
English
Max account maxed. You've hit your limit · resets 9pm (America/Los_Angeles) /extra-usage to finish what you’re working on.
English
@HackingDave @PoSH_Father Machine readable requirements help a lot
English
What I’m realizing is 99.9999999999999999999999999% of AI posts are from people that are trying to get more followers and clicks and has no real world experience on actually deploying.
“Improve your workflow 80% by this one Claude skill”
“Omg they just released this and it changes the industry completely”
It’s all bogus. Create your own workflow that is tailored to you. Don’t buy into this garbage.
English
@sebhacks @NexusVoid_Ai @OWASP_AISVS I think you’ll be pleased! Most of your astute concerns are addressed in AISVS.
English
Jim Manico from Manicode Security retweetledi
AISVS progress update: The working tree for AISVS 1.0 is now available:
github.com/OWASP/AISVS/tr…
English
Jim Manico from Manicode Security retweetledi
At this point we would be happy to get contributors with hands-on experience to voice their opinions & experiences to ensure that AISVS is aligned with current real world practices and technologies.
English
Jim Manico from Manicode Security retweetledi
Ensuring the standard is broadly applicable, grounded in realistic expectations and not immediately out of date is a real challenge.
English
@anton_chuvakin I try to avoid meetings where the only deliverable… is another meeting.
😚
English
@manicode Can I interest you in an agenda-less meeting to discuss "your security" :-) :-D
English
For Clawbot fans. Check out clawkeeper.dev a very slick Clawbot Security Scanner! :) #AgentSecurity #OpenClaw
English
Skills vs Agents.
So far I’m on team Skills because they are up and running fast, easy to debug, no need to deal with ClawBot or other agent runners (which are mostly low quality).
Skills for the win, for now. 😁
English
@ZackKorman @kmcquade3 Cybersecurity in 2031 is going to be fascinating.
* AI handles the volume. Humans oversee and direct agents.
* The practitioners who thrive will be those with expertise in AI agent security, post-quantum cryptography, AI model supply chain security, and zero trust architecture.
English
What’s cybersecurity going to look like five years from now? I know that’s a hard question, but I’ve been thinking about it a lot lately. Would be good to hear what others think.
What roles won’t exist? What product categories disappear? What tech will be obsolete?
English
@TDaltonC @karpathy @paulg If you’re a Claude Code or a Codex user, having a repo representing the “memory” of your LLM helps achieve some of this in a straight forward way. I do this by having my LLM’s maintain a wiki for things I want remembered long term. This is especially helpful for research tasks.
English
There was a nice time where researchers talked about various ideas quite openly on twitter. (before they disappeared into the gold mines :)).
My guess is that you can get quite far even in the current paradigm by introducing a number of memory ops as "tools" and throwing them into the mix in RL. E.g. current compaction and memory implementations are crappy, first, early examples that were somewhat bolted on, but both can be fairly easily generalized and made part of the optimization as just another tool during RL.
That said neither of these is fully satisfying because clearly people are capable of some weight-based updates (my personal suspicion - mostly during sleep). So there should be even more room for more exotic approaches for long-term memory that do change the weights, but exactly - the details are not obvious. This is a lot more exciting, but also more into the realm of research outside of the established prod stack.
Awni Hannun@awnihannun
I've been thinking a bit about continual learning recently, especially as it relates to long-running agents (and running a few toy experiments with MLX). The status quo of prompt compaction coupled with recursive sub-agents is actually remarkably effective. Seems like we can go pretty far with this. (Prompt compaction = when the context window gets close to full, model generates a shorter summary, then start from scratch using the summary. Recursive sub-agents = decompose tasks into smaller tasks to deal with finite context windows) Recursive sub-agents will probably always be useful. But prompt compaction seems like a bit of an inefficient (though highly effective) hack. The are two other alternatives I know of 1. online fine-tuning and 2. memory based techniques. Online fine-tuning: train some LoRA adapters on data the model encounters during deployment. I'm less bullish on this in general. Aside from the engineering challenges of deploying custom models / adapters for each use case / user there are a some fundamental issues: - Online fine-tuning is inherently unstable. If you train on data in the target domain you can catastrophically destroy capabilities that you don't target. One way around this is to keep a mixed dataset with the new and the old. But this gets pretty complicated pretty quickly. - What does the data even look like for online fine tuning? Do you generate Q/A pairs based on the target domain to train the model? You also have the problem prioritizing information in the data mixture given finite capacity. Memory based techniques: basically a policy for keeping useful memory around and discarding what is not needed. This feels much more like how humans retain information: "use it or lose it". You only need a few things for this to work: - An eviction/retention policy. Something like "keep a memory if it has been accessed at least once in the last 10k tokens". - The policy needs to be efficiently computable - A place for the model to store and access long-term memory. Maybe a sparsely accessed KV cache would be sufficient. But for efficient access to a large memory a hierarchical data structure might be beter.
English
@Al_Grigor @HackingDave Infra changes are especially risky with CC. I ask Claude to make a new issue in GitHub first and ask it to explain the plan and explain every step that will change infra first. Then review the plan. Then execute. This will save you a lot of hassle.
English
Claude Code wiped our production database with a Terraform command.
It took down the DataTalksClub course platform and 2.5 years of submissions: homework, projects, and leaderboards.
Automated snapshots were gone too.
In the newsletter, I wrote the full timeline + what I changed so this doesn't happen again.
If you use Terraform (or let agents touch infra), this is a good story for you to read.
alexeyondata.substack.com/p/how-i-droppe…
English
Jim Manico from Manicode Security retweetledi
@ValerioCapraro "GPT-3.5-Turbo"
"GPT-4"
Come on. Researchers making sweeping claims based on results from ancient models is a meme at this point.
English
@manicode I pay for Pro Max 5x at home and it's worth every penny. Absolute game changer.
English
Here is a guest pass for Claude Code. If you have not tried this yet it will change your life.
claude.ai/referral/qTY8I…
English
Jim Manico from Manicode Security retweetledi
Nicholas Carlini at [un]prompted. If you know Carlini, you know this is a startling claim.
English