Hacker News: tptacek

New comment by tptacek in "Small models also found the vulnerabilities that Mythos found"

tptacek — Sun, 12 Apr 2026 03:29:15 +0000

That's not what they did.

New comment by tptacek in "Small models also found the vulnerabilities that Mythos found"

tptacek — Sun, 12 Apr 2026 02:23:55 +0000

That is a point. It might even be true. But showing a small model an example of vulnerable code and asking to confirm that it is vulnerable code isn't evidence for that point!

New comment by tptacek in "AI Job Loss Tracker"

tptacek — Sun, 12 Apr 2026 00:41:57 +0000

This is a brochure site from "The Alliance for Secure AI", which I am unfamiliar with, but whose site gives "AGI weirdo". Am I misreading?

https://secureainow.org/

New comment by tptacek in "Sam Altman's response to Molotov cocktail incident"

tptacek — Sun, 12 Apr 2026 00:28:32 +0000

I disagree with almost all of this but I'm not here to single you out.

New comment by tptacek in "Sam Altman's response to Molotov cocktail incident"

tptacek — Sat, 11 Apr 2026 20:51:34 +0000

By that I meant it didn't read like they were trying to push back on him.

New comment by tptacek in "Small models also found the vulnerabilities that Mythos found"

tptacek — Sat, 11 Apr 2026 19:35:41 +0000

No, they didn't. They distinguished it, when presented with it. Wildly different problem.

New comment by tptacek in "Small models also found the vulnerabilities that Mythos found"

tptacek — Sat, 11 Apr 2026 19:28:12 +0000

Aisle and Anthropic are literally talking about two different problem spaces.

New comment by tptacek in "Sam Altman's response to Molotov cocktail incident"

tptacek — Sat, 11 Apr 2026 19:13:04 +0000

There isn't one (much as I might think there should be). Threads about Mangione were also uncivil and activating.

New comment by tptacek in "Sam Altman's response to Molotov cocktail incident"

tptacek — Sat, 11 Apr 2026 18:19:24 +0000

HN isn't a "science and technology" site.

New comment by tptacek in "Sam Altman's response to Molotov cocktail incident"

tptacek — Sat, 11 Apr 2026 18:18:49 +0000

You're being nice about it but I think you're inadvertently expressing literally the sentiment Dan was referring to.

New comment by tptacek in "Small models also found the vulnerabilities that Mythos found"

tptacek — Sat, 11 Apr 2026 18:07:36 +0000

Hold on, I misread your comment because I'm knee-jerk about code scanners, which were the bane of my existence for a while. Reworking... and: done. The original comment was just the first graf without the LLM qualification. Sorry about that.

The general approach without LLMs doesn't work. 50 companies have built products to do exactly what you propose here; they're called static application security testing (SAST) tools, or, colloquially, code scanners. In practice, getting every "suspicious" code pattern in a repository pointed out isn't highly valuable, because every codebase is awash in them, and few of them pan out as actual vulnerabilities (because attacker-controlled data never hits them, or because the missing security constraint is enforced somewhere else in the call chain).

Could it work with LLMs? Maybe? But there's a big open question right now about whether hyperspecific prompts make agents more effective at finding vulnerabilities (by sparing context and priming with likely problems) or less effective (by introducing path dependent attractors and also eliminating the likelihood of spotting vulnerabilities not directly in the SAST pattern book).

New comment by tptacek in "Small models also found the vulnerabilities that Mythos found"

tptacek — Sat, 11 Apr 2026 17:28:08 +0000

If you cut out the vulnerable code from Heartbleed and just put it in front of a C programmer, they will immediately flag it. It's obvious. But it took Neel Mehta to discover it. What's difficult about finding vulnerabilities isn't properly identifying whether code is mishandling buffers or holding references after freeing something; it's spotting that in the context of a large, complex program, and working out how attacker-controlled data hits that code.

It's weird that Aisle wrote this.

New comment by tptacek in "Molotov cocktail is hurled at home of Sam Altman"

tptacek — Fri, 10 Apr 2026 22:59:01 +0000

They are nothing remotely like "tech bros", is my point.

New comment by tptacek in "Molotov cocktail is hurled at home of Sam Altman"

tptacek — Fri, 10 Apr 2026 22:41:50 +0000

People in "local politics" are random neighbors, almost none of whom are "in politics" in the colloquial sense.

New comment by tptacek in "Molotov cocktail is hurled at home of Sam Altman"

tptacek — Fri, 10 Apr 2026 22:40:15 +0000

Mostly just by not being emotionally destabilized by edgy comments, is all.

New comment by tptacek in "Molotov cocktail is hurled at home of Sam Altman"

tptacek — Fri, 10 Apr 2026 22:12:34 +0000

These are message boards. The obvious sentiment, that firebombing attacks are awful (perhaps cut a little bit with "the perpetrator appears to be someone deeply in need of help) is boring. This is an availability bias issue: the only sentiments that actually spool out into threads are edgy. Once you learn to spot these effects, message boards make a lot more sense and are less jarring.

New comment by tptacek in "Molotov cocktail is hurled at home of Sam Altman"

tptacek — Fri, 10 Apr 2026 22:11:23 +0000

I operate in at least one social circle that is heavily not-technical (local politics) and I do not see this at all.

New comment by tptacek in "Molotov cocktail is hurled at home of Sam Altman"

tptacek — Fri, 10 Apr 2026 22:10:41 +0000

There's nothing "un-controversial" about trying to mitigate a firebombing attack with a broad critique of capitalism. It's an edgy take, just own it.

New comment by tptacek in "Native Instant Space Switching on macOS"

tptacek — Thu, 09 Apr 2026 20:59:45 +0000

God damnit I didn't know until 15 seconds ago that the Space-switching animation in macOS was annoying. Thanks a lot!

New comment by tptacek in "Netflix Prices Went Up Again – I Bought a DVD Player Instead"

tptacek — Thu, 09 Apr 2026 20:50:12 +0000

I wouldn't watch ad-sponsored TV either, but you either want to watch the shows or you don't; your time is extremely valuable! I wouldn't assume the price of the show is that much a factor.