
Posted by jc4p 20 hours ago

I built a vulnerable app and spent $1,500 seeing if LLMs could hack it (kasra.blog)
353 points | 184 comments | page 3
stuckkeys 11 hours ago|
How does one apply for that “security research” pass?
auguzanellato 8 hours ago|
https://chatgpt.com/cyber

I tried it once and they somehow decided I'm not worthy. If I try again, it fails with "We couldn't start verification. You may not be eligible for this verification flow right now. Please try again later, or contact support if you think this is a mistake." Not sure if they think I'm part of an APT or whatever.

strictnein 5 hours ago||
I got it. Probably helps that I'm at a large company and my personal OpenAI accounts have spent probably close to $10k now (reimbursed by work).

It's helpful in reducing the guardrails, but there are still guardrails around security research that I bump into.

youre-wrong3 15 hours ago||
“I used pi as the base harness”

Why do people keep using bad tools with ai?

hanikesn 15 hours ago|
What's bad about it and what's a better one?
raesene9 12 hours ago||
AFAIK pi's approach is to be quite minimal and allow extensions for customization, making it a more flexible solution, but you need to do work to make it fit your use case. OP mentions one extension, but perhaps it'd have benefited from more.

Another choice would be opencode which has more functionality and is a more heavyweight option out of the box.

petesergeant 14 hours ago||
Last year I ran a code-breaking competition, and it was tricky to find something that humans could break but that LLMs couldn’t. This was around October. I managed it last year but am a little despairing of pulling it off again this year.
bitexploder 6 hours ago|
I don't even care. It is the same problem Advent of Code had as a public challenge with a leaderboard. I now mostly just think either embrace the LLM or keep it to a more in-person or vetted audience. But, again, if you create a competition in the spirit of humans without LLMs and that is in the rules and someone uses an LLM, that is on them IMO. I am sad Advent of Code decided to end their competition. LLMs are here to stay, let's embrace that and see what the new universe of competitions with LLMs can be. There will always be a place for human-only competition, but for public-facing ones LLM accepted is the only tenable position.

This does bring "Pay to compete" concerns and create incentive structures that encourage more LLM use. I don't know what to do about it.

latexr 13 hours ago||
> I need to stop wasting fucking money on doing stupid shit. I could’ve done so many other things with the money. I could’ve launched one of my own real apps.

Or fed, clothed, housed disadvantaged people in your community (or neighbouring ones), giving them a temporary boost that could’ve made all the difference in their lives to improve their current situation.

It’s your money (and this is definitely not the website to make well-meaning altruistic suggestions, as might be demonstrated shortly) but if you already recognise you’re not spending it well (and from your words it seems like that is fairly recurrent), consider that perhaps spending it on a different type of software sink may not be the answer. Genuinely, aim to spend it on someone else and see how it works out. You might be surprised.
