Hacker News: ievanshttps://news.ycombinator.com/user?id=ievansHacker News RSShttps://hnrss.org/hnrss v2.1.1Fri, 24 Apr 2026 20:25:43 +0000<![CDATA[New comment by ievans in "Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign"]]>Top comment has a great explicit refutation:

> This plan works by letting software supply chain companies find security issues in new releases. Many security companies have automated scanners for popular and less popular libraries, with manual triggers for those libraries which are not in the top N.

]]>Thu, 23 Apr 2026 19:38:57 +0000https://news.ycombinator.com/item?id=47880626ievanshttps://news.ycombinator.com/item?id=47880626https://news.ycombinator.com/item?id=47880626<![CDATA[New comment by ievans in "Making frontier cybersecurity capabilities available to defenders"]]>Not super surprising that Anthropic is shipping a vulnerability detection feature -- OpenAI announced Aardvark back in October (https://openai.com/index/introducing-aardvark/) and Google announced BigSleep in Nov 2024 (https://cloud.google.com/blog/products/identity-security/clo...).

The impact question is really around scale; a few weeks ago Anthropic claimed 500 "high-severity" vulnerabilities discovered by Opus 4.6 (https://red.anthropic.com/2026/zero-days/). There's been some skepticism about whether they are truly high severity, but it's a much larger number than what BigSleep found (~20) and Aardvark hasn't released public numbers.

As someone who founded a company in the space (Semgrep), I really appreciated that the DARPA AIxCC competition required players using LLMs for vulnerability discovery to disclose $cost/vuln and the confusion matrix of false positives along with it. It's clear that LLMs are super valuable for vulnerability discovery, but without that information it's difficult to know which foundation model is really leading.

What we've found is that giving LLM security agents access to good tools (Semgrep, CodeQL, etc.) makes them significantly better esp. when it comes to false positives. We think the future is more "virtual security engineer" agents using tools with humans acting as the appsec manager. Would be very interested to hear from other people on HN who have been trying this approach!

]]>Fri, 20 Feb 2026 18:59:59 +0000https://news.ycombinator.com/item?id=47092277ievanshttps://news.ycombinator.com/item?id=47092277https://news.ycombinator.com/item?id=47092277<![CDATA[New comment by ievans in "Strengthening supply chain security: Preparing for the next malware campaign"]]>"Staged publishing: A new publication model that gives maintainers a review period before packages go live, with MFA-verified approval from package owners. This empowers teams to catch unintended changes before they reach downstream users—a capability the community has been requesting for years."

Overdue but welcome!

]]>Wed, 07 Jan 2026 19:08:19 +0000https://news.ycombinator.com/item?id=46530998ievanshttps://news.ycombinator.com/item?id=46530998https://news.ycombinator.com/item?id=46530998<![CDATA[Poisoning Attacks on LLMs Require a Near-Constant Number of Poison Samples]]>Article URL: https://arxiv.org/abs/2510.07192

Comments URL: https://news.ycombinator.com/item?id=45675398

Points: 2

# Comments: 0

]]>Wed, 22 Oct 2025 21:28:32 +0000https://arxiv.org/abs/2510.07192ievanshttps://news.ycombinator.com/item?id=45675398https://news.ycombinator.com/item?id=45675398<![CDATA[Dayssincelastsupplychainattack.com]]>Article URL: https://www.dayssincelastsupplychainattack.com/

Comments URL: https://news.ycombinator.com/item?id=45171010

Points: 2

# Comments: 0

]]>Mon, 08 Sep 2025 17:20:32 +0000https://www.dayssincelastsupplychainattack.com/ievanshttps://news.ycombinator.com/item?id=45171010https://news.ycombinator.com/item?id=45171010<![CDATA[Dayssincelastsupplychainattack.com]]>Article URL: https://www.dayssincelastsupplychainattack.com/

Comments URL: https://news.ycombinator.com/item?id=45054313

Points: 3

# Comments: 1

]]>Thu, 28 Aug 2025 16:48:00 +0000https://www.dayssincelastsupplychainattack.com/ievanshttps://news.ycombinator.com/item?id=45054313https://news.ycombinator.com/item?id=45054313<![CDATA[New comment by ievans in "Reflections on OpenAI"]]>This is explicitly not the conclusion Pascal drew with the wager, as described in the next section of the Wikipedia article: "Pascal's intent was not to provide an argument to convince atheists to believe, but (a) to show the fallacy of attempting to use logical reasoning to prove or disprove God..."

]]>Wed, 16 Jul 2025 14:12:17 +0000https://news.ycombinator.com/item?id=44582607ievanshttps://news.ycombinator.com/item?id=44582607https://news.ycombinator.com/item?id=44582607<![CDATA[Chromium Security: The Rule of 2]]>Article URL: https://chromium.googlesource.com/chromium/src/+/main/docs/security/rule-of-2.md

Comments URL: https://news.ycombinator.com/item?id=43416943

Points: 2

# Comments: 0

]]>Wed, 19 Mar 2025 20:29:31 +0000https://chromium.googlesource.com/chromium/src/+/main/docs/security/rule-of-2.mdievanshttps://news.ycombinator.com/item?id=43416943https://news.ycombinator.com/item?id=43416943<![CDATA[New comment by ievans in "Archival Storage"]]>Do you store your SSDs powered? They can lose information if they're not semi-frequently powered on.

]]>Mon, 17 Mar 2025 23:44:35 +0000https://news.ycombinator.com/item?id=43394020ievanshttps://news.ycombinator.com/item?id=43394020https://news.ycombinator.com/item?id=43394020<![CDATA[New comment by ievans in "Show HN: Globstar – Open-source static analysis toolkit"]]>For C, you might be interested in https://github.com/weggli-rs/weggli or https://github.com/semgrep/semgrep (I work on the latter). Both are also tree-sitter based.

]]>Fri, 28 Feb 2025 18:27:11 +0000https://news.ycombinator.com/item?id=43208767ievanshttps://news.ycombinator.com/item?id=43208767https://news.ycombinator.com/item?id=43208767<![CDATA[New comment by ievans in "CLI tool to insert spacers when command output stops"]]>Looks like the `ets` readme has a direct comparison:

> The purpose of ets is similar to that of moreutils ts(1), but ets differentiates itself from similar offerings by running commands directly within ptys, hence solving thorny issues like pipe buffering and commands disabling color and interactive features when detecting a pipe as output. (ets does provide a reading-from-stdin mode if you insist.) ets also recognizes carriage return as a line seperator, so it doesn't choke if your command prints a progress bar. A more detailed comparison of ets and ts can be found below.

]]>Mon, 23 Dec 2024 18:32:00 +0000https://news.ycombinator.com/item?id=42496539ievanshttps://news.ycombinator.com/item?id=42496539https://news.ycombinator.com/item?id=42496539<![CDATA[New comment by ievans in "Refactoring Python with Tree-sitter and Jedi"]]>I wrote up a Semgrep rule as a comparison to add! (also tree-sitter based, `pip install Semgrep`, https://github.com/semgrep/semgrep, or play with live editor link: https://semgrep.dev/playground/s/nJ4rY)

    pattern: |-
       def $FUNC(..., database, ...):
           $...BODY
    fix: |-
      def $FUNC(..., db, ...):
          $...BODY

]]>Sat, 28 Sep 2024 03:47:49 +0000https://news.ycombinator.com/item?id=41677710ievanshttps://news.ycombinator.com/item?id=41677710https://news.ycombinator.com/item?id=41677710<![CDATA[New comment by ievans in "Eliminating Memory Safety Vulnerabilities at the Source"]]>So the argument is because the vulnerability lifetime is exponentially distributed, focusing on secure defaults like memory safety in new code is disproportionately valuable, both theoretically and now evidentially seen over six years on the Android codebase.

Amazing, I've never seen this argument used to support shift/left secure guardrails but it's great. Especially for those with larger, legacy codebases who might otherwise say "why bother, we're never going to benefit from memory-safety on our 100M lines of C++."

I think it also implies any lightweight vulnerability detection has disproportionate benefit -- even if it was to only look at new code & dependencies vs the backlog.

]]>Wed, 25 Sep 2024 22:21:06 +0000https://news.ycombinator.com/item?id=41652478ievanshttps://news.ycombinator.com/item?id=41652478https://news.ycombinator.com/item?id=41652478<![CDATA[98% of PyMySQL forks are vulnerable to SQL Injection]]>Article URL: https://www.cramhacks.com/p/stop-forking-deps

Comments URL: https://news.ycombinator.com/item?id=41368925

Points: 1

# Comments: 0

]]>Tue, 27 Aug 2024 15:54:45 +0000https://www.cramhacks.com/p/stop-forking-depsievanshttps://news.ycombinator.com/item?id=41368925https://news.ycombinator.com/item?id=41368925<![CDATA[Semgrep: Semantic Grep for Code]]>Article URL: https://github.com/semgrep/semgrep

Comments URL: https://news.ycombinator.com/item?id=40212548

Points: 2

# Comments: 0

]]>Tue, 30 Apr 2024 16:01:14 +0000https://github.com/semgrep/semgrepievanshttps://news.ycombinator.com/item?id=40212548https://news.ycombinator.com/item?id=40212548<![CDATA[New comment by ievans in "Difftastic, a structural diff tool that understands syntax"]]>Absolutely agreed, and copying from a comment I wrote last year: I think the fact that tree-sitter is dependency-free is worth highlighting. For context, some of my teammates maintain the OCaml tree-sitter bindings and often contribute to grammars as part of our work on Semgrep (Semgrep uses tree-sitter for searching code and parsing queries that are code snippets themselves into AST matchers).

Often when writing a linter, you need to bring along the runtime of the language you're targeting. E.g., in python if you're writing a parser using the builtin `ast` module, you need to match the language version & features. So you can't parse Python 3 code with Pylint running on Python 2.7, for instance. This ends up being more obnoxious than you'd think at first, especially if you're targeting multiple languages.

Before tree-sitter, using a language's built-in AST tooling was often the best approach because it is guaranteed to keep up with the latest syntax. IMO the genius of tree-sitter is that it's made it way easier than with traditional grammars to keep the language parsers updated. Highly recommend Max Brunsfield's strange loop talk if you want to learn more about the design choices behind tree-sitter: https://www.youtube.com/watch?v=Jes3bD6P0To

And this has resulted in a bunch of new tools built off on tree-sitter, off the top of my head in addition to difftastic: neovim, Zed, Semgrep, and Github code search!

]]>Thu, 21 Mar 2024 16:44:23 +0000https://news.ycombinator.com/item?id=39780995ievanshttps://news.ycombinator.com/item?id=39780995https://news.ycombinator.com/item?id=39780995<![CDATA[Semgrep Secrets]]>Article URL: https://semgrep.dev/blog/2023/introducing-semgrep-secrets/

Comments URL: https://news.ycombinator.com/item?id=38001501

Points: 3

# Comments: 0

]]>Tue, 24 Oct 2023 16:28:32 +0000https://semgrep.dev/blog/2023/introducing-semgrep-secrets/ievanshttps://news.ycombinator.com/item?id=38001501https://news.ycombinator.com/item?id=38001501<![CDATA[The Evolution of Open Source Business Models]]>Article URL: https://tomtunguz.com/evolution-of-open-source-business-models/

Comments URL: https://news.ycombinator.com/item?id=37397366

Points: 3

# Comments: 0

]]>Tue, 05 Sep 2023 20:36:42 +0000https://tomtunguz.com/evolution-of-open-source-business-models/ievanshttps://news.ycombinator.com/item?id=37397366https://news.ycombinator.com/item?id=37397366<![CDATA[White House RFI on Open-Source Software Security and Memory Safe Languages]]>Article URL: https://www.whitehouse.gov/oncd/briefing-room/2023/08/10/fact-sheet-office-of-the-national-cyber-director-requests-public-comment-on-open-source-software-security-and-memory-safe-programming-languages/

Comments URL: https://news.ycombinator.com/item?id=37082064

Points: 17

# Comments: 2

]]>Thu, 10 Aug 2023 21:32:09 +0000https://www.whitehouse.gov/oncd/briefing-room/2023/08/10/fact-sheet-office-of-the-national-cyber-director-requests-public-comment-on-open-source-software-security-and-memory-safe-programming-languages/ievanshttps://news.ycombinator.com/item?id=37082064https://news.ycombinator.com/item?id=37082064<![CDATA[Guardrails for PromQL Using Semgrep]]>Article URL: https://semgrep.dev/blog/2023/promql-and-semgrep

Comments URL: https://news.ycombinator.com/item?id=37052385

Points: 14

# Comments: 0

]]>Tue, 08 Aug 2023 17:15:23 +0000https://semgrep.dev/blog/2023/promql-and-semgrepievanshttps://news.ycombinator.com/item?id=37052385https://news.ycombinator.com/item?id=37052385