Hacker News

embedding-shape, yesterday at 10:58 PM (9 replies)

> Both the defense is weaker due to LLMs and attacks become stronger

Are you claiming that LLMs are better at offensive security than defensive security? Or somehow that the offensive actors have access to better LLMs than people using them to defend? Otherwise it'd seem like the playing field just went up for both sides, unless one is famously lagging behind because no one likes to pay for better security? But that's also nothing new.


Replies

hansvm, yesterday at 11:27 PM

Ignoring LLMs, the status quo for defense is that you're pwnable from the silliest of mistakes, and the status quo for offense is that even one lucky shot lets you in. Suppose you brought in 1000x more people to projects on both sides; you'd expect a much higher chance of at least one failure for the defenders and at least one success for the attackers.

LLMs don't have the same dynamics, but the same underlying idea is worth bearing in mind. Above and beyond that, yes, defense is harder for LLMs than offense. They struggle mightily when pulling together too many threads, and some projects are just too big. On the defensive side, exploits are usually very tiny and asymmetrically acceleratable via LLMs.

LPisGood, yesterday at 11:30 PM

I don’t think it matters so much if LLMs are better at offensive security or defensive security. I think offensive security was previously an extremely niche skill set (how many people off the street would be able to solve even a few CTF problems 5 years ago?).

Now anyone can point an LLM at any software they want and say go to town. Even if it doesn’t do a great job or better than a good human or anything like that, it’s so much more than what they could do before, and a lot of security vulnerabilities are kind of low hanging fruit anyway.

jesse_ash, yesterday at 11:11 PM

IMO the assumption is probably that, with LLMs generally, software complexity and surface area are going up faster than we're tackling it through hardening, testing, etc. - even with the help of defensive models.

I would also imagine bad actors are in the majority, and so we're seeing restrictions on models like Mythos in an attempt to balance the field a bit.

overgard, yesterday at 11:04 PM

Even if defense keeps up, it kind of depends on entities keeping up to date... complex software stacks can make that hard, or falling behind a major version, etc. I think defense is harder than offense in this era.

dalmo3, yesterday at 11:16 PM

It's order vs chaos, and LLMs are on the side of chaos.

YZF, yesterday at 11:01 PM

The question is whether LLMs write more secure code than humans. If we get a lot of vibe coded software coming online by non-SWEs do we think that would be more or less secure?

teaearlgraycold, yesterday at 11:03 PM

Defense is weaker because of vibe coding.

Computer security is asymmetric. Attacking is easier than defending. Attackers need to find one hole in the security. Defenders need to patch every hole.

amarant, yesterday at 11:16 PM

He's just karma farming with the ever so creative "LLM=bad" hot take..

I don't know what's sadder: that people are doing that on HN, or that it's clearly working....