<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: decidu0us9034</title><link>https://news.ycombinator.com/user?id=decidu0us9034</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sun, 12 Apr 2026 07:47:36 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=decidu0us9034" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by decidu0us9034 in "Small models also found the vulnerabilities that Mythos found"]]></title><description><![CDATA[
<p>Right now, we accept false positives as long as you can sort them out. I think it's pretty typical that >99% of fuzzer runs don't result in new coverage. Of course they're far from useless without feedback but it's better to have it if you can. I guess the question is does the LLM approach have lower costs for validation and triaging vs just fuzzing alone, unclear to me. Anthropic would like people to believe automation is this scary new unknown.</p>
]]></description><pubDate>Sat, 11 Apr 2026 21:28:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=47734160</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47734160</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47734160</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "Small models also found the vulnerabilities that Mythos found"]]></title><description><![CDATA[
<p>In a large codebase there will still be bugs in how these components interoperate with each other, bugs involving complex chaining of API logic or a temporal element. These are the kind of bugs fuzzers generally struggle at finding. I would be a little freaked out if LLMs started to get good at finding these. Everything I've seen so far seems similar to fuzzer finds.</p>
]]></description><pubDate>Sat, 11 Apr 2026 21:12:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=47734058</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47734058</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47734058</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "Small models also found the vulnerabilities that Mythos found"]]></title><description><![CDATA[
<p>I think there are already papers and presentations on integrating these kinds of iterative code understanding/verification loops in harnesses. There may be some advantages over fuzzing alone. But I think the cost-benefit analysis is a lot more mixed/complex than Anthropic would like people to believe. Sure you need human engineers but it's not like insurmountably hard for a non-expert to figure out.</p>
]]></description><pubDate>Sat, 11 Apr 2026 20:55:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=47733955</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47733955</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47733955</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "Claude wrote a full FreeBSD remote kernel RCE with root shell"]]></title><description><![CDATA[
<p>I could see that being an incremental time save (perhaps not worth the token spend except for the dev team, not a high-value bug). But nobody finds this kind of bug "by hand" and hasn't for a long time now. Do people here really care about kernel security or testing automation? They're just talking about it because Claude? Everything on HN is people doing unpaid promotional work for Anthropic, just talking about all the promise Claude holds and all the various ways you could be spending more money on Claude. Bored aimless vibes.</p>
]]></description><pubDate>Wed, 01 Apr 2026 18:38:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=47604773</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47604773</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47604773</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "How we hacked McKinsey's AI platform"]]></title><description><![CDATA[
<p>Analysis of what? What does that mean? What's something you conceivably would need a consulting firm to "analyze?" I don't understand why management consulting firms would hire software people in the first place, and then punish them for not being on a client-facing project. That seems a bit contradictory to me, but this is all way out of my wheelhouse</p>
]]></description><pubDate>Wed, 11 Mar 2026 17:14:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=47338345</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47338345</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47338345</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "Redox OS has adopted a Certificate of Origin policy and a strict no-LLM policy"]]></title><description><![CDATA[
<p>Well it's an operating system. Ideally safety and reliability are prioritized. I think the scope and complexity of an operating system are large enough both to make a lot of changes non-trivial and to trip up LLMs. I think it's fine if you have an unstable release stream or you have bleeding edge forks that move faster than upstream. This is already the case...</p>
]]></description><pubDate>Tue, 10 Mar 2026 22:22:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=47329508</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47329508</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47329508</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "Redox OS has adopted a Certificate of Origin policy and a strict no-LLM policy"]]></title><description><![CDATA[
<p>It's an operating system, not a website.</p>
]]></description><pubDate>Tue, 10 Mar 2026 21:58:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=47329298</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47329298</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47329298</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "A new California law says all operating systems need to have age verification"]]></title><description><![CDATA[
<p>The law defines an operating system provider as "a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or <i>any other general computing device</i>." If the intent were to target mobile vendors or app store vendors, I would be fine with it, but that's not the text. Of course it's the case that US lawmakers often write incoherent or extremely onerous legislation and then turn around and say, like, "Oh that's obviously not what we actually meant. We don't know what any of this stuff is, it just sounded good."</p>
]]></description><pubDate>Sat, 28 Feb 2026 02:42:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=47189487</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47189487</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47189487</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "A new California law says all operating systems need to have age verification"]]></title><description><![CDATA[
<p>Well the problem is, there is no consensus standard. The onus is on every individual vendor to figure out how to comply. And it's so poorly written that there is no clear path to compliance. Even <i>attempting</i> to comply is burdensome and subjects you to a lot of legal risk. Only the largest vendors can afford to take on this risk. For others, the only winning move is not to play. Classic regulatory capture.</p>
]]></description><pubDate>Sat, 28 Feb 2026 02:26:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47189349</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47189349</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47189349</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "A new California law says all operating systems need to have age verification"]]></title><description><![CDATA[
<p>It's not privacy-respecting at all to create some side channel between your browser and OS to transmit some information about a "user profile." If this were about browser vendors it might make sense but they're targeting operating systems (presumably for the malicious vendor lock-in type of reasons you cite? idk, it's strange). I would like someone to explain how this would even be implemented securely. It's certainly non-trivial.</p>
]]></description><pubDate>Sat, 28 Feb 2026 01:53:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=47189006</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47189006</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47189006</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "A new California law says all operating systems need to have age verification"]]></title><description><![CDATA[
<p>I'm not sure it's worth entertaining these hypotheticals. Just another absurd CA law that's impossible to comply with. "When you set up your account and it asks for your birthdate." What does this mean? "Setup" what account? "It" what? Some graphical installer? What if I don't want to use one? How would this protocol be implemented in such a way where it's not trivially easy for the user to alter the "age signal" before sending a request? The "signal" is signed with some secret that you attest to but can't write? So it's in some enclave? What if my smart toaster doesn't have an enclave? Does my toaster now have to implement a software enclave? I'm not aware of a standard, or industry standards body, or standard specification, or implementation of a specification, around this "age signal" thing. Is this some proprietary technology that some company has a patent on, and they've been lobbying for their patent to be legally mandated? If so that's very concerning and probably has antitrust implications (it is ironic that ever-tightening surveillance of people is a downstream consequence of all this deregulation of corporate persons; fine for me but not for thee I guess). I would love to know the full story here, since this is being shopped around in several states, but I haven't seen any sort of investigative journalism about this which is disappointing. This whole thing is really curious.</p>
]]></description><pubDate>Sat, 28 Feb 2026 01:30:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=47188801</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47188801</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47188801</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "We hid backdoors in ~40MB binaries and asked AI + Ghidra to find them"]]></title><description><![CDATA[
<p>All the docs are already in its training data, wouldn't that just pollute the context? I think giving a model better/non-free tooling would help as mentioned. Binja code mode can be useful but you definitely need to give these models a lot of babysitting and encouragement and their limitations shine with large binaries or functions. But sometimes if you have a lot to go through and just need some starting point to triage, false positives are fine.</p>
]]></description><pubDate>Sun, 22 Feb 2026 21:59:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=47115187</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47115187</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47115187</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "A16z partner says that the theory that we’ll vibe code everything is wrong"]]></title><description><![CDATA[
<p>Sure. They're making a strong claim, but I think they mean "author of the Fascist Manifesto" as shorthand to say Marinetti was an ardent supporter of fascism and Mussolini. His support continued throughout the 30s and 40s, even after the Pact of Steel and the Racial Laws etc., even volunteering to go to the Eastern Front. I think we can say with the benefit of hindsight that the fascists' attempts to ingratiate themselves to the workers' movement were sort of ancillary to the whole political/ideological project... I mean I'd hope any student of history agrees with that...</p>
]]></description><pubDate>Sun, 22 Feb 2026 03:04:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=47107705</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47107705</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47107705</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "Making frontier cybersecurity capabilities available to defenders"]]></title><description><![CDATA[
<p>People use whatever tools are the most effective and they have plenty of incentive not to talk publicly about them. I think the era of openness has passed us by. But why does stature matter anyway? If I look at Chromium or MSRC bug reports, scarcely any of the submitters are from Europe/US and certainly don't have anything resembling stature. That guy hasn't done anything of note in the field in a long time from what I know, he's kind of a boomer (you too, no disrespect).</p>
]]></description><pubDate>Fri, 20 Feb 2026 20:18:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=47093336</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47093336</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47093336</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "Ghidra by NSA"]]></title><description><![CDATA[
<p>The first is certainly interesting, but it won't help you develop 0day. I would think of it more like a collection of fun puzzles and esoterica. For example all the heap unlinking/metadata attacks and House of X stuff is pretty antiquated. These will help you win CTFs but are certainly not a prerequisite or even all that relevant to contemporary vuln research. Most of the public research I see is probably at least a year behind the current meta (and I expect the public internet will only grow more quiet over time).</p>
]]></description><pubDate>Mon, 16 Feb 2026 22:49:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=47041414</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47041414</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47041414</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "Ghidra by NSA"]]></title><description><![CDATA[
<p>I was wondering why so many people were suddenly hopping into my humble profession and declaring me redundant. Ah, a YouTube influencer is at the center of it. Makes sense.</p>
]]></description><pubDate>Mon, 16 Feb 2026 22:30:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=47041248</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47041248</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47041248</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "The long tail of LLM-assisted decompilation"]]></title><description><![CDATA[
<p>"Claude struggles with large functions and more or less gives up immediately on those exceeding 1,000 instructions." Well, yeah, that's the thing, an N64 game, that's C targeting an architecture where compiler optimizations are typically lacking, the idiomatic style is lots of small tightly-scoped functions and the system architecture itself is a lot simpler than say a modern amd64 PC... These days I often just feel like, why is this person telling me how easy my job is now when they seemingly don't know much about it. I just find it arrogant and insulting... Perpetually demo season.</p>
]]></description><pubDate>Mon, 16 Feb 2026 21:47:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=47040774</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47040774</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47040774</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "I’m joining OpenAI"]]></title><description><![CDATA[
<p>Yeah I'm not sure I understand what the goal here is. Ship of Harkinian is a rewrite not just a decompilation. As a human reverse engineer I've gotten a lot of false positives. This seems like one of those areas where hallucinations could be really insidious and hard to identify, especially for a non-expert. I've found MCP to be helpful with a lot of drudgery, but I think you would have to review the LLM output, do extensive debugging/dynamic analysis, triage all potential false positives, before attempting to embark on a rewrite based on decompiled assembly... I think OoT took a team of experts collectively thousands of person-hours to fully document, it seems a bit too hopeful to want that <i>and</i> a rewrite just from being pushy to an agent...</p>
]]></description><pubDate>Mon, 16 Feb 2026 19:52:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=47039438</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47039438</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47039438</guid></item><item><title><![CDATA[New comment by decidu0us9034 in "GPT-5.2 derives a new result in theoretical physics"]]></title><description><![CDATA[
<p>I'm not sure you can call something an optimizing C compiler if it doesn't optimize or enforce C semantics (well, it compiles C but also a lot of things that aren't syntactically valid C). It seemed to generate a lot of code (wow!) that wasn't well-integrated and didn't do what it promised to, and the human didn't have the requisite expertise to understand that. I'm not a theoretical physicist but I will hold to my skepticism here, for similar reasons.</p>
]]></description><pubDate>Fri, 13 Feb 2026 21:02:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=47007777</link><dc:creator>decidu0us9034</dc:creator><comments>https://news.ycombinator.com/item?id=47007777</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47007777</guid></item></channel></rss>