Thing definitely exists… some top level comment somewhere telling about how it doesn’t exist.

“do a thing that would take me a week” can not actually be done in seconds. It will provide results that resemble reality superficially.

If you were to pass some module in and ask for finite checks on that, maybe.

Despite the claims of agents… treat it more like an intern and you won’t be disappointed.

Would you ask an intern to “do a security audit” of an entire massive program?

The results of such AI fuzz testing should be treated as just a science experiment and not a replacement for the entire job of a security researcher.

Like conventional fuzz testing, you get the best results if you have a harness to guide it towards interesting behaviors, a good scientific filtering process to confirm something is really going wrong, a way to reduce it to a minimal test case suitable for inclusion in a test suite, and plenty of human followup to narrow in on what's going on and figure out what correctness even means in the particular domain the software is made for.

That's exactly what they're not. Models post-trained with current methods/datasets have pretty poor diversity of outputs, and they're not that useful for fuzz testing unless you introduce input diversity (randomize the prompt), which is harder than it sounds because it has to be semantical. Pre-trained models have good output diversity, but they perform much worse. Poor diversity can be fixed in theory but I don't see any model devs caring much.

Basically, don't trust AI if it says "you program is secure", but if it returns results how you could break it, why not take a look?

This is the way I would encourage AI to be used, I prefer such approaches (e.g. general code reviews) than writing software by it.

Put another way: I absolutely would have an intern work on a security audit. I would not have an intern replace a professional audit though.

It's otherwise a pretty low stakes use. I'd expect false positives to be pretty obvious to someone maintaining the code.

It’s another thing to say hey intern security audit this entire code base.

LLM’s thrive on context. You need the right context at the right time, it doesn’t matter how good your model is if you don’t have that.

Why not?

You can't relies solely on that, but having an extra pair of eye without prior assumption on the code always is good idea.

What, I ask, is the point of having laws and rules if you can just ignore the ones you don't like?

Its just a name, who cares?

Not me.

…but, if you break the law, you break the law. Not maybe maybe who cares, its not me being water boarded, I dont care…

If you break the law. You break the law.

Otherwise, who gives a duck what congress says?

Just fire them all and crown Trump King of America.

I’m being facetious. …but maybe its more of a big deal than you superficially pretend it is.

It’s just another case of the administration blatantly breaking the rules.

…so, you know. If youre ok with no laws or rules, I guess its fine.

Seems a bit chaotic to me. I prefer my governing body to be… marginally bound by some kind of responsibilty to something or someone.

Even if there was a US version, you'd still pay more regardless. This goes against one of the main grievances in the 2024 cycle: prices are too high.

Our domestic manufacturing industry is so far gone, it's doubtful whether even skillfully-applied tariffs could encourage any of it to come back on their own. Never mind this clown show, which apparently didn't even do the basic political work to make sure the tariffs would stay in place more than a year, despite having both houses of Congress.

A recent move saw India's leader break with BRICS to flag with West Asia Israel

I generally have it always plugged in, but it's not great.