The more I read up on floats (f32/f64) the more cursed it gets. This passage got me today: > Rust does not currently guarantee that the bit patterns of NaN are preserved over arithmetic operations, and they are not guaranteed to be portable or even fully **deterministic**!
d0nut 🦀 retweeted
Career update: I’ve joined @OpenAI to lead Cyber with @michaelaiello. Why I joined, and what we’ll be building:

It’s clear that AI is fundamentally changing how software is being written and secured. Coding agents are writing the majority of code for many developers, software is getting shipped more quickly, and vulnerabilities that were latent for 20 years are being discovered at a rapid pace. The time to bug discovery, and exploitation once discovered, are trending down (H/T @EppSecurity and @gadievron). I believe we have an unparalleled opportunity to fundamentally improve cybersecurity in ways that were previously impossible. (H/T @bubblewire’s BSidesSF keynote on reasons for optimism)

Over 6 years at @Semgrep, I had the privilege of working with an amazing team building what has become the most popular open source security code scanning tool in the world, that many companies have built their application security program around. Now, at @OpenAI, I’m thrilled to be a part of a company helping shape how software is written, and how security work gets done. It is a massive opportunity, and responsibility, and I don’t take that lightly.

Here are my current thoughts about where things are headed:

Resilient by design. Defenders are not going to win playing bug whack-a-mole. We need to systematically eliminate classes of vulnerabilities, via generating secure code and streamlining the detect → validate → fix process.

Augment and empower people. We should build models and tools that give defenders “superpowers,” enabling them to be more ambitious in the scope they tackle, shift from being reactive to proactive, and allow them to automate the drudgery so they can focus on the highest leverage work.

Secure the commons. The world runs on open source software. OpenAI has already spent $Ms finding and patching vulnerabilities in the most popular and widely run software, including browsers, operating systems, and core libraries. More on this soon. We’re also working on helping secure critical infrastructure.

Community and partners. Securing the world is a community effort. I’m looking forward to partnering with cybersecurity vendors, researchers, practitioners, governments, and more to do together what we can’t do alone.

Time to build. Tactically, here are some domains I’m excited about:
- Finding, validating, and reliably patching software vulnerabilities at scale.
- Eliminating classes of vulnerabilities and making software resilient by design.
- Giving broad access to the best cyber models to empower defenders, not just to a select few.
- Creating and sharing Skills and playbooks that help in many security domains.
- Building platforms that enable defenders to easily orchestrate security work.
- Making enterprise agents safe and reliable.

Time to build 😎 — What would help you most? What should we build? Let me know.
I’m literally overhearing two employees at my optometrist discussing how someone logged into the office’s email from NY and now they have to change the password 🫠
concerning
Why Is AI Training in HackerOne's Terms? (is it still there?)
d0nut 🦀 retweeted
Full Disclosure: 1-Click GitHub Token Stealing via a VSCode Bug blog.ammaraskar.com/github-t…
Sassy...
Do I know anyone here who has or is working on mission critical or safety critical rust? I’d love to chat!
I forgot how jarring it was to free up your previously busy schedule.
d0nut 🦀 retweeted
not a bad return on a 1 month Claude code max sub
Confirmed! @chompie1337 of IBM X-Force Offensive Research (XOR) used a single bug to exploit NV Container Toolkit, earning $50,000 and 5 Master of Pwn points. #Pwn2Own #P2OBerlin
d0nut 🦀 retweeted
frog told the LLM "do not hallucinate" "there," he said, "now the LLM will not make mistakes" "but the LLM can still hallucinate" said toad "that is true" said frog
d0nut 🦀 retweeted
why: I am so tired of worrying about & spending lots of time fixing memory leaks and crashes and stability issues. it would be so nice if the language provided more powerful tools for preventing these things.
🙃
After seeing the hilarious response to the master hard reset that a majority of the apex ladder asked for, this tweet came to mind.
An important game design lesson: do not create a button that, when pressed, gives someone a worse time. People will press it (because they think they want what it outputs) and then be upset that you gave them a worse time.
d0nut 🦀 retweeted
Apr 29
Recently I've been spending a lot of time in the Solana ecosystem. This led to the discovery of two critical vulnerabilities in a popular router that allowed stealing all funds from router owned token accounts. Writeup here: atlas-it.consulting/post/sol…
d0nut 🦀 retweeted
also put fucking 2FA on your accounts in the future I don’t shill that because it’s useless I do it because it actually secures your shit
This is a very cool public initiative! And exactly the kind of thing that Lean is good for :)
Apr 20
The Beneficial AI Foundation asks: "Can we prove that Signal's cryptography is secure — not just on paper, but in actual code?" Signal Shot, launched today in Paris, is a public moonshot to formally verify the Signal protocol and its Rust implementation using Lean. Open to contributions! 🔗 beneficialaifoundation.org/s… #leanlang #leanprover #softwareverification #baif #signal