SOLDIERX.COM Nobody Can Stop Information Insemination

Posted by Dave Aitel via Dailydave on Mar 04

I continue to believe there are a lot of interesting questions around
building cyber reasoning systems for vuln finding. Even the very basics
seem hard to study and understand, and the eval datasets available
are....sparse or incomplete. For example, what you really want if you're
analyzing git repos is the commit a bug was introduced, and the commit it
was fixed. But usually you get "a commit where it maybe existed".

Likewise,...

Posted by Dave Aitel via Dailydave on Feb 11

*on your child going to college in Christchurch, NZ and velvet worms*

By mid‑August the garden already practices absence — stems turning hollow,
the robin leaving its notes hanging in the air like torn corners of a song.
Under the chirp of palmetto bugs, a log eases itself back into earth.
Inside, hidden from the light, a velvet worm does the impossible: offers
herself to a spill of pale, blind threads. For days she is nothing but
hunger...

Posted by Sean Heelan via Dailydave on Jan 13

As it happens, I’ve found the most effective way to use LLMs is to de-anthropomorphise them entirely and treat them
very like fuzzers (large scale generation of results, lots of false positives/nonsense, filtered by some oracle).

The “conversation with an AI” approach where you imagine yourself as having a single artificial brain to interact with
is (currently at least) practically far less useful than one in which you are content with...

Posted by A K via Dailydave on Jan 13

Hi all,

In the latest "Security Weekly" (https://www.youtube.com/watch?v=CXefYdEGW04
)
they present the Anthropological "Hacker" Map
https://wherewarlocksstayuplate.com/map/

While the map is incomplete (how can it ever be complete?), I think it is
one of the few times, outside of David Aitel's writings about the cross-cut
between the "underground" (for a lack of a better term) and subsequent
commercial...

Posted by Don A. Bailey via Dailydave on Jan 12

I designed one of the first working fuzzers (albeit unintentionally) back
in the late 90's. I don't remember if I published it, but I still have the
code. It, however, worked - badly - but it worked. I was heavily flamed,
however, because as you stated - it was not hip. It only attacked
environment variable and command-line argument based vulnerabilities. But,
in the 90's and early 00's, we had no shortage of local suid-based...

Posted by Thomas Dullien via Dailydave on Jan 12

Hey,

I have one quibble: We are using "reasoning" in a qualitative, not
descriptive, form here -- "fuzzing is or is not reasoning", "LLMs reason or
do not reason". I am not sure this is helpful. Fuzzing is empirically
successful at finding crashes. Somebody that needs to light a fire and
smashes two stones together until they throw sparks does not, once the fire
burns, need to justify that 'stones perform...

Posted by Darren Bounds via Dailydave on Jan 12

Everything old is new and the way we reason is the same way LLMs reason. It's
not about looking for the same problem the same way it's about going to
searching for that flaw the same way with unlimited (nearly) resources.

Traditional human-led vulnerability research and discovery is, today, a short
lived venture.

Things will change very rapidly over the coming 24 months.

Memories and thoughts are the same thing, someone tried to...

Posted by Dave Aitel via Dailydave on Jan 11

Memories and thoughts are the same thing, someone tried to explain to me
recently. You have to think to remember, in other words. This is hard to
grasp for a lot of people because they *think *they have *memories*. They
wrongly think memory is a noun instead of a verb, which is ok in philosophy
and psychology but in cutting edge computer science we have to be precise
about these sorts of things.

Twenty-five years ago, when I first started...