Most people on lemmy seem to condemn use of LLMs in any way for anything, I wonder what those folks opinion of this stance is - should companies use the tools or not?
Well the problem is that for example curl got flooded with generated security reports where only 5% had some true security potential. So your llm will basically flood you with false positives
If 5% of the reports are genuine security vulnerabilities that they wouldn’t have found otherwise, that’s looking like a big win to me, not sure how you see it differently.
If you’re submitting a vulnerability to a public repo, that’s also your job. These slop reports that are wasting maintainers time should never have been reported. The person tasking the LLM is out of their depth and can’t be the human in the loop that verifies the vulnerability report before submitting because they don’t have the required knowledge to do that. It’s a shame, because if people who had the requisite knowledge were the ones submitting, the ratio of valid reports to noise would be way higher than 5% and open source maintainers wouldn’t be feeling burned the fuck out.
Sure, but nobody wants to do that, even at fair pay. Unpaid open source volunteer projects REALLY don’t want to do that, and risk burning out what is typically a solo main dev.
Cybersecurity is actually one of the few fields that can benefit from AI. There are companies like Horizon3 who are using it alongside their other threat models to do continuous pen testing.
Gonna take a guess here that what is used in cybersecurity is not LLMs but one of the more useful machine learning applications. Just a nitpick cause today “ai” and “LLM” are sadly synonymous.
No, LLMs can definitely be useful for cyber too. It’s the whole reason the US government banned Claude Fable for export.
An LLM can not just try existing exploits like a script kiddy, but with iteration it can try variations and if you know what runs on the server, inspect the source for potential exploits.
They can also look at your setup and say what issues they see (reverse proxy config, etc).
Doesn’t replace an expert, but can be useful for a first pass before you get the highly paid people involved.
I do. I reverse engineered some proprietary software using an agent. A pro could’ve maybe done it faster, but I did it AFK with little knowledge about reverse engineering.
An agent could similarly try tons of attacks against online targets. Fairly sure some are doing it.
Only for a year or so. Any company still vulnerable after these tools have been out long enough deserve it.
Most people on lemmy seem to condemn use of LLMs in any way for anything, I wonder what those folks opinion of this stance is - should companies use the tools or not?
Well the problem is that for example curl got flooded with generated security reports where only 5% had some true security potential. So your llm will basically flood you with false positives
If 5% of the reports are genuine security vulnerabilities that they wouldn’t have found otherwise, that’s looking like a big win to me, not sure how you see it differently.
The problem is identifying which 5%. Nobody wants to filter that much AI slop.
If you’re working for a company’s cybersec, that’s your job. And a much preferable one to waiting for an attacker to do it for you.
If you’re submitting a vulnerability to a public repo, that’s also your job. These slop reports that are wasting maintainers time should never have been reported. The person tasking the LLM is out of their depth and can’t be the human in the loop that verifies the vulnerability report before submitting because they don’t have the required knowledge to do that. It’s a shame, because if people who had the requisite knowledge were the ones submitting, the ratio of valid reports to noise would be way higher than 5% and open source maintainers wouldn’t be feeling burned the fuck out.
Sure, but nobody wants to do that, even at fair pay. Unpaid open source volunteer projects REALLY don’t want to do that, and risk burning out what is typically a solo main dev.
Cybersecurity is actually one of the few fields that can benefit from AI. There are companies like Horizon3 who are using it alongside their other threat models to do continuous pen testing.
Gonna take a guess here that what is used in cybersecurity is not LLMs but one of the more useful machine learning applications. Just a nitpick cause today “ai” and “LLM” are sadly synonymous.
No, LLMs can definitely be useful for cyber too. It’s the whole reason the US government banned Claude Fable for export.
An LLM can not just try existing exploits like a script kiddy, but with iteration it can try variations and if you know what runs on the server, inspect the source for potential exploits.
They can also look at your setup and say what issues they see (reverse proxy config, etc).
Doesn’t replace an expert, but can be useful for a first pass before you get the highly paid people involved.
You know what, fair enough. I don’t know enough about that particular one.
I do. I reverse engineered some proprietary software using an agent. A pro could’ve maybe done it faster, but I did it AFK with little knowledge about reverse engineering.
An agent could similarly try tons of attacks against online targets. Fairly sure some are doing it.