Hacker News: execveat

New comment by execveat in "The coming industrialisation of exploit generation with LLMs"

execveat — Mon, 19 Jan 2026 23:34:43 +0000

Defenders have threat modeling on their side. With access to source code and design docs, configs, infra, actual requirements and ability to redesign / choose the architecture and dependencies for the job, etc - there's a lot that actually gives defending side an advantage.

I'm quite optimistic about AI ultimately making systems more secure and well protected, shifting the overall balance towards the defenders.

New comment by execveat in "A small number of samples can poison LLMs of any size"

execveat — Fri, 10 Oct 2025 11:57:53 +0000

The real world use cases for LLM poisoning is to attack places where those models are used via API on the backend, for data classification and fuzzy logic tasks (like a security incident prioritization in a SOC environment). There are no thumbs down buttons in the API and usually there's the opposite – promise of not using the customer data for training purposes.

New comment by execveat in "The CrowdStrike file that broke everything was full of null characters?"

execveat — Fri, 19 Jul 2024 23:36:40 +0000

CrowdStrike does this trick where it replaces the file (being transferred over a network socket) with zeroes if it matches the malware signature. Assuming that these are the malware signature files themselves, a match wouldn't be surprising.

New comment by execveat in "As an Employee, You Are Disposable (2023)"

execveat — Fri, 12 Jul 2024 10:04:29 +0000

It's heartwarming to believe in the "family" narrative some companies promote, but it's important to remain pragmatic. This narrative is just a motivational tool to encourage employees to go above and beyond their compensated duties. It's not a binding contract though.

In reality, the power dynamic inherently favors the employer. Once an employee has invested their time and energy, the company holds all the leverage. There's little incentive for the company to uphold their end of this unspoken "deal."

Leadership changes, company priorities shift, and the "family" narrative can quickly fade when faced with financial realities or strategic decisions.

New comment by execveat in "Microsoft Chose Profit over Security, Whistleblower Says"

execveat — Thu, 13 Jun 2024 16:09:57 +0000

I might be misunderstanding, but from Andrew's Linkedin it looks like he wasn't a security researcher at MS, he was actually the person responsible for translating between security researchers and the upper management:

> Evangelize security services, practices, products, both internally and externally.

> Leading technical conversations around strategy, policy and processes with FINSEC and DoD/IC executive staff.

New comment by execveat in "Microsoft Chose Profit over Security, Whistleblower Says"

execveat — Thu, 13 Jun 2024 16:04:33 +0000

For the MS size entities, the risk calculation is way more complicated. The 1:1 between cost of mitigation vs cost of exploitation only applies to opportunistic attacks, really. At the level where APTs get involved, the data / access might be so valuable that they'd gladly outspend blue team's budget by a factor of 10-100.

New comment by execveat in "Microsoft Chose Profit over Security, Whistleblower Says"

execveat — Thu, 13 Jun 2024 15:53:37 +0000

Well, because as a security person I can only evaluate his actions from the point of security. Evaluating actions of MS business leadership is beyond my expertise.

I highly doubt that the senior leadership would willingly accept this kind of liability. But you need to put it into right terms for them to understand. Politics play important role at that level as well. There are ways of putting additional pressure on the c-suite, such as making sure certain keywords are used in writing, triggering input from legal or forcing stakeholders to formally sign off on a presented risk.

Without insight knowledge, it's impossible to figure out what went wrong here, so I'm not assigning blame to the whistleblower, just commenting that way too often techies fail to communicate risks effectively.

New comment by execveat in "Microsoft Chose Profit over Security, Whistleblower Says"

execveat — Thu, 13 Jun 2024 15:25:45 +0000

I work in infosec, and this sounds like a communication failure on the whistleblower's part.

Contrary to what many people believe, the profits should be prioritized over security for the most companies, that's only natural (after all, they don't generate any profits themselves, typically). The key is finding the right balance for this tradeoff.

Business leaders are the ones that are responsible for figuring out the acceptable risk level. They already deal with that every day, so it's nonsensical to claim they aren't capable of understanding risk. InfoSec's role for the most part is being a good translator, by identifying the technical issues (vulnerabilities, threats, missing best practices) that go beyond the acceptable risk profile and to present these findings to the business stakeholders, using the language they understand.

Either the guy wasn't convincing enough, or he failed to figure out the things business cares about & present the identified risk in these terms.

New comment by execveat in "Why do people still use VBA?"

execveat — Wed, 15 Nov 2023 10:43:14 +0000

At this point you should just leave this dumpster fire of an organization and find a more reasonable place to work. I can't relate to the people who keep inventing atrocious workarounds ignoring the problem that they work in a hostile work environment.

I work in security and can't relate to banning Python & replacing it with Microsoft crap either.

New comment by execveat in "Last Chance to fix eIDAS: Secret EU law threatens Internet security"

execveat — Thu, 02 Nov 2023 09:54:49 +0000

Allow the eIDAS certificates, but limit them to the country code TLDs to match the jurisdiction of the certificate issuer.

New comment by execveat in "Last Chance to fix eIDAS: Secret EU law threatens Internet security"

execveat — Thu, 02 Nov 2023 09:43:43 +0000

You can't block a browser at the DNS level.

New comment by execveat in "What's New in Python 3.12"

execveat — Wed, 18 Oct 2023 17:23:29 +0000

No, there is no confusion here at all (for a Python developer). I would consider it a code smell though as the whole problem is completely avoidable by better naming.

By the way, there is a vulnerability (Prototype Pollution) that is only possible due to this behaviour in JS: https://portswigger.net/web-security/prototype-pollution

Snuggsi ツ – Easy Custom Elements in ~1kB

execveat — Fri, 16 Jun 2023 19:35:37 +0000

Article URL: https://github.com/devpunks/snuggsi

Comments URL: https://news.ycombinator.com/item?id=36362585

Points: 1

# Comments: 0

New comment by execveat in "Our Plan for Python 3.13"

execveat — Thu, 15 Jun 2023 19:44:31 +0000

There also are programmers who are aware of much more complicated things being done in sister projects, like JVM and JS runtimes in this case.

New comment by execveat in "PaLM 2 Technical Report [pdf]"

execveat — Wed, 10 May 2023 20:16:36 +0000

In my experience Bing chat and phind are useless. But perplexity.ai and GPT4 are amazing. GPT-3.5 and Cloude-instant (available through poe.com) are cool as well, even though they got significantly dumbed down recently, presumably to lower the maintenance costs.

Bard Activity Setting

execveat — Wed, 10 May 2023 20:02:01 +0000

Article URL: https://myactivity.google.com/?continue=https://myactivity.google.com/product/bard/controls

Comments URL: https://news.ycombinator.com/item?id=35892699

Points: 3

# Comments: 0

New comment by execveat in "PaLM 2 Technical Report [pdf]"

execveat — Wed, 10 May 2023 19:43:52 +0000

Yeah, but Reset the chat between your questions.

EDIT: Also, this doesn't seem convincing: "I am not as advanced as PaLM 1, but I am learning new things every day. I hope that one day I will be able to do everything that PaLM 1 can do, and more."

New comment by execveat in "PaLM 2 Technical Report [pdf]"

execveat — Wed, 10 May 2023 19:42:00 +0000

It seems that Bard's version is only specified in the prompt, and it doesn't have a strong sense of identity. For me it's pretty reliable:

1. ask it what PaLM 2 is (to pollute the context) 2. ask it whether it's based on PaLM 2 (it will tell you - yes, sure)

New comment by execveat in "PaLM 2 Technical Report [pdf]"

execveat — Wed, 10 May 2023 19:38:29 +0000

ChatGPT was the same last year, but since ClosedAI added some kind of magic (fine-tuning or just embeddings auto-injection) so that models can somewhat describe themselves.

New comment by execveat in "PaLM 2 Technical Report [pdf]"

execveat — Wed, 10 May 2023 19:30:48 +0000

It's a language model, FFS. Ask it whether it uses PaLM 1 and it will confirm it as well.