
Twitter followed the same way as well. All political rubbish now

It’s the worst. The algo will feed anything that makes you cheer or infuriates you. No middle ground. And God forbid if you dig into some discussion and you “like” something or stop scrolling on the “wrong” tweet… you’ll be getting similar content for months.

It’s crazy how bad it has become.


I really think youtube did a good job there. No thirst trap, no outraging content. Praise to the youtube algorithm.

As a founder of an auditing firm, I definitely feel the heat of the competition when big LLM companies push products that not only compete with us as auditors but also with our own AI-based offerings (https://zkao.io/).

If I were to venture a guess, there are different worlds in which we might exist in the next 5-10 years.

In one of these futures, we, as auditors, seize to exist. If this is the future, then developers seize to exist too, and most people touching software seize to exist. My guess here is as good as any developer's guess on if their job will remain stable.

In another one of these futures, us auditors become more specialized, more niche, and bring the "human touch" needed or required. Serious companies will want to continue working with some humans, and delegating security to "someone". That someone could be embedded in the company, or they could be a SaaS+human-support system like zkao.

On the other hand, vibe coders will definitely use claude code security, maybe we should call it "vibe security"? I don't mean it as a diss, I vibe code myself, but it will most likely be as good as vibe coding in the sense that you might have to spend time understanding it, it might make a lot of mistakes, and it will be "good enough" for a lot of use cases.

I think that world is a bit more realistic today than the AGI "all of our jobs are gone in the next years" doom claim. And as @zksecurityXYZ, I don't think we're too scared of that world.

These tools have been, and are, making us stronger auditors. We're a small, highly specialized team that's resilient and hard to replace. On the other hand, large consultancies, and especially consultancies that focus on low-hanging fruit like web security and smart contracts, are ngmi.


Respectfully (not trying to be pedantic but helpful): it's "cease" not "seize" in this context :)

Developers will not cease to exist. The developers of tomorrow will simply be doing things that developers today can’t possibly even imagine.

Auditors though, they are cooked.


>Auditors though, they are cooked.

I think you're massively underestimating the complexity and depth of a good security audit service.


I don't.

God bless you, the beautiful thing about computer security is that this attitude has kept us happily in business for many years.

Say more? It's really hard to navigate the antecedents of this argument.

People who don't do intense security work for a living underestimate the complexity of it. This might find some vulnerabilities, but it's not really capable of producing new methods and attacks. What it replaces isn't a high quality human researcher; it replaces current static code review systems.

If AI models never had stack smashing writeups in their corpus, they'd never be able to invent stack smashing.


So, by any reasonable measure, I've spent a career doing "intense security work", with a particular focus in vulnerability research, and I do not agree with this at all.

What evidence do you have? It sounds like you probably haven't been providing much value if an LLM can replace you.

Dev and auditors are two sides of the same coin, if one exists the other does as well. Perhaps they will be the same person, but systems don’t exist without tradeoffs and security considerations.

Believe me, they do.

you sound like a junior developer

Developers of tomorrow will be everyone with a computer in the same way everyone today is a calculator.

What's better with opencode? Never tried it. I like that claude code has double escape, shift + tab, team of agents

I haven't used opencode but pi agent runs rings around claude code. Never eats tons of CPU on big outputs, no flickering, open source, tree-based context instead of claude's linear context, easy to toggle collapsing/expanding tool outputs, built for extension with runtime reloading of extensions and skills, etc. You can easily build your own amp-code like handoff mechanism, customize the UI (i see models' edit diffs syntax-highlighted with delta, and just added a keybind to list session-edited files + files from git status in fzf), etc.

Meanwhile with Claude Code I've had to get claude to decompile the editor (extract JS from the bun executable) _twice_ to diagnose weird things like why some documented config flags were not taking effect.

Opus is great - but I'd rather use a different model than be forced back into Claude Code.


The great force of claude code is that you can use claude sub, you can’t with pi unfortunately

Not sure how relevant this comment is

When is the last time reporting led to an actual good outcome? I must have reported 100 tweets and nothing ever happened

The point is that you interact with it through your messaging app

It’s a coding agent in a loop (infinite loops are usually rejected by coding agents) with access to your computer, some memory, and it can communicate through telegram. That’s it. It’s brilliant though and he was the first to put it out there.

I’m surprised to read this comment. I totally get why openAI hired the guy, IMO it’s a brilliant hire and I wish Meta would have fought more to get him (at the same time Meta is very good at copying and I think they need more people pushing products and experiments and fewer processes, they’ve been traumatized by cambridge analytica and can’t experiment anymore)

I’ve always thought that it’s crazy how so many extensions can basically read the content of the webpages you browse. I’m wondering if the research should go further: find all extensions that have URLs baked in them or hashes (of domains?) then check what they do when you visit these URLs

Without any doubt the research could continue on this. We had many opportunities to make the scan even wider and almost certainly we would uncover more extensions. The number of leaking extensions should not be taken as definite.

There are resource constraints. Those extensions try to actively detect if you are in developer mode. It took us a while to avoid such measures and we are certain we missed many extensions due to, for example, usage of a Docker container. Ideally you want to use an env as close to the real one as possible.

Without infrastructure this doesn't scale.

The same goes for the code analysis you have proposed. There are already tools that do that (see Secure Annex). Often the extensions download remote code that is responsible for data exfiltration or the code is obfuscated multiple times. Ideally you want to run the extension in browser and inspect its code during execution.


Why do you want to preserve that artifact?


If you don't have a record of questions asked/answered and rationale for decisions taken, I've noticed it's easy for subsequent feature plans to clash. Maintaining a line of consistency across each feature plan is a good thing.


I think that's what docs/comments are for, ask your agent to add/maintain them

No functional difference whatsoever. Literally the exact same solution, but somehow dressed up to be contrarian.
