@dfeldman@hachyderm.io avatar

dfeldman

@dfeldman@hachyderm.io

mostly security musings

He/him

This profile is from a federated server and may be incomplete. Browse more on the original instance.

dfeldman, to random
@dfeldman@hachyderm.io avatar

I was just thinking that all the LLM companies have figured out how to charge small amounts of money, by the word, for online written content, which is something newspapers and magazines always wanted to do but never figured out.

dfeldman,
@dfeldman@hachyderm.io avatar

@anderseknert the big companies offer cheap API access by the word (around $30 per million tokens -- a million is a lot of tokens), or usually $20 a month for a user-friendly interface with "unlimited" access

dfeldman, to random
@dfeldman@hachyderm.io avatar

Saying "an LLM is just fancy autocorrect" is like saying "fire is just a redox reaction like rusting iron." It's a true statement, but it's not very helpful when your house is burning down.

dfeldman, to random
@dfeldman@hachyderm.io avatar

DUMB EVENING PROJECT --
Made a site that relentlessly, automatically, mercilessly mocks today's Hacker News stories and comments using ChatGPT

quackernews.com
or if that doesn't work dfeldman.github.io/quackernews

dfeldman, to random
@dfeldman@hachyderm.io avatar

sometimes I forget that pmarca follows me on twitter and then he retweets my absolute dumbest tweets

dfeldman, to random
@dfeldman@hachyderm.io avatar

The problem with trying to sell developer tooling is that developers have no purchasing authority

Salesperson needs to spend $1,000? No big deal.
Finance needs to spend $100,000? No big deal.
Engineer wants to buy a $50 book? They need forms signed from their VP in triplicate.

dfeldman,
@dfeldman@hachyderm.io avatar

Some of the most successful tech companies, like Salesforce, Slack and Tableau, have an entire strategy of AVOIDING the IT department and going straight to business units that make money.

dfeldman,
@dfeldman@hachyderm.io avatar

That's how you can have a wildly successful product like Terraform or Redis, that literally millions of developers use, but doesn't make sense as a viable, profitable business.

dfeldman,
@dfeldman@hachyderm.io avatar

There used to be this plan of making the product open source, and then hoping that once millions of developers adopted it, they'd pay you. This has a few problems:

  1. Usually they just don't pay you.
  2. Even if they do pay you, now you have consulting/support revenue, which has significantly lower margins than product (you have to pay someone to provide support). Also investors are allergic to consulting.
  3. Someone else can just run away with the entire project and leave you with nothing.
dfeldman, to random
@dfeldman@hachyderm.io avatar

AI-generated video might take a long time to be ready for prime time, but...

already, today, you can generate a picture of a person, then have them move in the same way as a real video using mov2mov, then put words in their mouth with lipsync

It's not 100% AI generated but it's like... 90%

dfeldman, to random
@dfeldman@hachyderm.io avatar

Dumb thought: Could you legally use an LLM to rewrite open source code so it works the same, but avoids the GPL?

Quinnypig, to random
@Quinnypig@awscommunity.social avatar

Both Deloitte and I confuse and AWS re:Invent, but their website starting with “www2” elevates it to “let’s get you to bed, Grandma” territory.

dfeldman,
@dfeldman@hachyderm.io avatar

@Quinnypig but can you access it in Gopher?

dfeldman, to random
@dfeldman@hachyderm.io avatar

movies are going to become video games
video games are going to become the holodeck
the holodeck is going to become monopoly
monopoly is going to become minigolf
minigolf is going to become rollerskating
rollerskating is going to become charades
charades is going to become movies

dfeldman, to random
@dfeldman@hachyderm.io avatar

As a physics major you have so many career options! You can work at a hedge fund, or in high frequency trading, or buy side, or sell side, or as a portfolio manager, or doing FX arbitrage, or as a risk analyst, or even trading derivatives! Everyone should major in physics!

dfeldman, to random
@dfeldman@hachyderm.io avatar

I think it makes sense to run code diffs through LLMs. They won't find everything of course, but they can definitely point out issues that are invisible to humans. Like the xz attack -- it uses sed with the r\n command, which is CLEARLY intended to look like \r\n, but actually reads an arbitrary file! Etc. An LLM can notice this, most people won't.

dfeldman,
@dfeldman@hachyderm.io avatar

@anderseknert Hmm, it's a shell script embedded in an m4 macro. Not sure any static analyzers are smart enough to handle that, even though it's common for open-source configure scripts.

dfeldman,
@dfeldman@hachyderm.io avatar

@anderseknert No it's a good point! If I ever write a blog post about this I'll include that observation!

dfeldman, to random
@dfeldman@hachyderm.io avatar

Both ChatGPT and Claude were able to notice that the weird shell script added by Jia Tan to XZ executed arbitrary code. But, they didn't know specifically what it was (since it's from a binary file, and they can't handle that). I tried putting the file in in several different ways and it never works.

image/png

dfeldman, to random
@dfeldman@hachyderm.io avatar

One of the coolest security prototypes I've seen was a program that could automatically find attack paths given access control policies (like IAM roles or Kubernetes roles)

So if role X was compromised, and it shared resources with role Y, which shared resources with role Z, it would show that

This is definitely something that should exist (maybe as a company?)

dfeldman, to random
@dfeldman@hachyderm.io avatar

Idea: a learning app like Duolingo that charges you a small but noticeable amount of money like $10 a month. But if you meet your learning goal, it refunds the whole amount.

dfeldman, to random
@dfeldman@hachyderm.io avatar

Do you think xz was a state actor?

dfeldman, to random
@dfeldman@hachyderm.io avatar

Russ Cox did a really good detailed breakdown of the xz hack. (How does he have time for so much stuff??? Inhuman levels of brainpower that guy has) https://research.swtch.com/xz-script

dfeldman, to random
@dfeldman@hachyderm.io avatar

post malone
put malone
get malone
delete malone

dfeldman, to random
@dfeldman@hachyderm.io avatar

I think there's an interesting parallel between open-source software and journalism

Both are incredibly valuable for the world and no sensible person would suggest eliminating them

But also, no one wants to pay for them

dfeldman, to random
@dfeldman@hachyderm.io avatar

Ross Droplet Technique - add 1 drop of water to your pre-ground coffee

Weiss Distribution Technique - use an array of needles to gently swirl around your grounds pre-brewing

Feldman Laziness Technique - just give up and use instant coffee

  • All
  • Subscribed
  • Moderated
  • Favorites
  • JUstTest
  • kavyap
  • DreamBathrooms
  • InstantRegret
  • magazineikmin
  • osvaldo12
  • mdbf
  • Youngstown
  • cisconetworking
  • slotface
  • rosin
  • thenastyranch
  • ngwrru68w68
  • khanakhh
  • megavids
  • ethstaker
  • tacticalgear
  • modclub
  • cubers
  • Leos
  • everett
  • GTA5RPClips
  • Durango
  • anitta
  • normalnudes
  • provamag3
  • tester
  • lostlight
  • All magazines
    •