I think we are in largely uncharted territory here, especially given the implications. Is Anthropic's approach optimal? Probably not. But given the stakes involved, gating access seems like a reasonable place to start.…
In case it helps, we open-sourced a tool to audit dependencies for this kind of supply-chain issue. The motivation was that there is a real gap between classic “known vulnerability” scanning and packages whose behavior…
I think that concern is valid in general terms, but it’s not clear to me that it applies here. The goal here seems to be removing low-value output; e.g., sycophancy, prompt restatement, formatting noise, etc., which is…
Have had similar issues with costs sometimes being all over the map. I suspect that the major providers will figure this out as it’s an important consideration in the enterprise setting
My sense is that the asymmetry is non-trivial issue here. In particular, a threat actor needs one working path, defenders need to close all of them. In practice, patching velocity is bounded by release cycles, QA issues…
I definitely agree w/ you that big organizations are generally better able to navigate the enterprise sales process, but mainy trying to say that customers might choose to work with a bigger company's products for…
My sense is that if a threat actor were able to build a quantum computer to the scale of being able to compromise public-key primitives based on the difficulty of integer factorization and discrete logarithms under the…
Q-day estimates are sensitive to several factors; e.g., hardware qubit counts, error correction overhead, and algorithmic efficiency (e.g., better factoring approaches could compress the timeline meaningfully without…
I wonder if there will be a different phenomena — namely everyone just developing their own personal version of what they want rather than relying on what someone else built. Nowadays, if the core functionality is…
Nice weekend project! Even though there are copious resources out there (textbooks, videos, etc.), those may not appeal to everyone. People have different preferred modalities for consuming information and there is…
Definitely miss those!
I don’t know if that’s necessarily true. I do think that a big part of enterprise sales involves building a comprehensive solution that works well within the customer’s ecosystem. Start-ups usually tend to build point…
[dead]
I agree with this. What you focus on depends on the circumstances. I believe PaulG likes to say that premature optimization is the root of all evil. Early on, you’re trying to ship and get a functioning product out the…
I suspect the big jump came from the release of Claude Opus 4.5/4.6 and GPT-5.x-Codex between Nov ‘25 and Feb ‘26, which were trained with heavy reinforcement learning on long coding projects, rewarding only real…
Definitely. But I think the nature of that impact is not entirely clear. In the legal context, LLMs are also hallucinating extensively, citing made up case law, etc. It’s not yet clear whether they are potentially…
Fixing a bug is in the wheelhouse of AI to the extent that the fix can be verified — since there is a clear objective function. The real question is whether there are unintended side effects (e.g., new bugs that get…
+1 This is the core question to ask.
I suspect that for a nation-state type threat actor, this wouldn’t be much of a deterrent. Any type of reputation system like this would work to a point until motivated threat actors find a way to game it.
It does mean something to me, but perhaps not as profound as whoever coined the term was hoping!
Thanks for sharing. Can’t believe he’s still teaching that class after two and a half decades!
I remember reading that book (along with the Dragon book!)
What a fantastic resource!
What a fantastic resource! Thanks for sharing!
:-) That might not even be enough as I hear (but haven't verified) that Claude does a pretty good job of making sense out of legacy COBOL code!
I think we are in largely uncharted territory here, especially given the implications. Is Anthropic's approach optimal? Probably not. But given the stakes involved, gating access seems like a reasonable place to start.…
In case it helps, we open-sourced a tool to audit dependencies for this kind of supply-chain issue. The motivation was that there is a real gap between classic “known vulnerability” scanning and packages whose behavior…
I think that concern is valid in general terms, but it’s not clear to me that it applies here. The goal here seems to be removing low-value output; e.g., sycophancy, prompt restatement, formatting noise, etc., which is…
Have had similar issues with costs sometimes being all over the map. I suspect that the major providers will figure this out as it’s an important consideration in the enterprise setting
My sense is that the asymmetry is non-trivial issue here. In particular, a threat actor needs one working path, defenders need to close all of them. In practice, patching velocity is bounded by release cycles, QA issues…
I definitely agree w/ you that big organizations are generally better able to navigate the enterprise sales process, but mainy trying to say that customers might choose to work with a bigger company's products for…
My sense is that if a threat actor were able to build a quantum computer to the scale of being able to compromise public-key primitives based on the difficulty of integer factorization and discrete logarithms under the…
Q-day estimates are sensitive to several factors; e.g., hardware qubit counts, error correction overhead, and algorithmic efficiency (e.g., better factoring approaches could compress the timeline meaningfully without…
I wonder if there will be a different phenomena — namely everyone just developing their own personal version of what they want rather than relying on what someone else built. Nowadays, if the core functionality is…
Nice weekend project! Even though there are copious resources out there (textbooks, videos, etc.), those may not appeal to everyone. People have different preferred modalities for consuming information and there is…
Definitely miss those!
I don’t know if that’s necessarily true. I do think that a big part of enterprise sales involves building a comprehensive solution that works well within the customer’s ecosystem. Start-ups usually tend to build point…
[dead]
I agree with this. What you focus on depends on the circumstances. I believe PaulG likes to say that premature optimization is the root of all evil. Early on, you’re trying to ship and get a functioning product out the…
I suspect the big jump came from the release of Claude Opus 4.5/4.6 and GPT-5.x-Codex between Nov ‘25 and Feb ‘26, which were trained with heavy reinforcement learning on long coding projects, rewarding only real…
Definitely. But I think the nature of that impact is not entirely clear. In the legal context, LLMs are also hallucinating extensively, citing made up case law, etc. It’s not yet clear whether they are potentially…
Fixing a bug is in the wheelhouse of AI to the extent that the fix can be verified — since there is a clear objective function. The real question is whether there are unintended side effects (e.g., new bugs that get…
+1 This is the core question to ask.
I suspect that for a nation-state type threat actor, this wouldn’t be much of a deterrent. Any type of reputation system like this would work to a point until motivated threat actors find a way to game it.
It does mean something to me, but perhaps not as profound as whoever coined the term was hoping!
Thanks for sharing. Can’t believe he’s still teaching that class after two and a half decades!
I remember reading that book (along with the Dragon book!)
What a fantastic resource!
What a fantastic resource! Thanks for sharing!
:-) That might not even be enough as I hear (but haven't verified) that Claude does a pretty good job of making sense out of legacy COBOL code!