• 1 Post
  • 9 Comments
Joined 2 years ago
cake
Cake day: June 4th, 2023

help-circle

  • I’m glad you’re enjoying it. I’m not going to be having a switch 2 any time soon but I do really like Nintendo games, so I’m glad I’ll be able to get some of the excitement through you :).

    I’m a bit sad about the free roaming part being a bit bare bones. When they first announced it I was hoping for the creativity of a Mario Odyssey crossed with Breath of the Wild in a Kart, discovering secrets and fun places everywhere.

    Also with respect to pricing: I think it depends on the game to decide what an honest price is. I would gladly give 100 or more for the joy that Slay the Spire has given me over the years. I think that a big and polished Mario game is not immediately the worst offender for being this expensive. It’s when the less polished and more cash grabbing AAA games start to follow this example that it becomes a problem. I do like how some games decide their price points differently, like Clair Obscur for example.





  • If I were to ask my Magic 8 Ball “Is the word ‘difinitely’ misspelled?” 100 times, it’s going to reply in the affirmative over 16% of the time.

    This comparison makes no sense. Your example has a binary question. In that case, any system that replies correctly at even a rate of around 50% would be useless. However, the problem space in this scenario is way larger than 2 options and still way larger than 100 options. Being correct in even a small number of 100 attempts is still statistically significant.

    The fact that an LLM is unable to reason and that it is based on statistics doesn’t change anything about this behavior. At the end of the day you get a tool that is able to point you to actual new information that you by yourself did not arrive at.

    Imagine that you put a lot of effort in a better model specifically for vulnerability research and you get it up to a correctness rate of a mere 10%. I would gladly hire some programmers to sift through these reports and possibly find overlooked vulnerabilities.


  • This is literally the very first experiment in this use case, done by a single person on a model that wasn’t specifically designed for this. The fact that it is able to formulate a correct response at all in this situation impresses me.

    It would be easy to criticize this if it were the endpoint and this was being advertised as a tool for vulnerability research, but as discussed at the end of the post, this “quick little test” shows both initial promising results and had the fortunate byproduct of actually revealing a new vulnerability. By no means is it implied that it is now ready for use in this field.

    The issue with hallucinations is one that in my opinion is never going to be totally fixed. That is why I hate the use of AI as a final arbiter of truth, which is sadly how a lot of people use it (I’ll quickly ask ChatGPT) and companies advertise it. What it is good at however, is coming up with plausible ideas, and in this case having an indication for things to check in code can be a great tool to discover new stuff, as is literally the case for this security researcher finding a new vulnerability after auditing the module themselves.


  • I hate AI. Why?

    • Because of its extreme energy consumption compared to what it achieves
    • Because it is all in the hands of the worst companies on this planet
    • Because capitalists are foaming at the mouth to use it to fuck over workers
    • Because it is devaluing art and reducing it to another commodity to “produce”

    However

    I also took the time to read the original blog post, and it is a fascinating story.

    The author starts out with using an existing vulnerability as a benchmark for ChatGPT testing. They describe how they took the code specific to the vulnerability and packaged it for ChatGPT, how they formatted the query and what their results were. In 100 runs only 8 correctly identify the targeted vulnerability, the rest are false positives or claim that there are no vulnerabilities in the given code.

    Then they take their test a step further and increase the amount of code shared with ChatGPT so that it also includes stuff of the module that had nothing to do with the original vulnerability. As expected, this larger input decreases performance and also reduces the vulnerability detection rate for the targeted vulnerability. However, in those 100 runs, another vulnerability was described that wasn’t a false positive. An actual new vulnerability that the author didn’t know about was discovered. Again, the signal to noise ratio is very low, and one has to sift through a lot of wrong reports to get a realistic one, but this proved that it could be used as a useful tool for helping to detect vulnerabilities.

    I highly recommend reading the blog post.

    As much as I like to be critical about AI, it doesn’t help if we put our heads in the sand and act as if it never does something cool.