
o3 spent that time "thinking" and built the profile using only the URLs/titles, no content fetching.


Thanks all for your feedback. Adjusted the title to clearly reflect that I'm the agent here.


Recalling Simon Willison’s recent geoguessing challenge for o3, I considered, “What might o3 be able to tell me about myself, simply based on a list of URLs I’ve chosen to save?”


You can also use https://github.com/noperator/raink to brainstorm TLDs that are relevant to some topic you care about. For example:

    curl -s https://data.iana.org/TLD/tlds-alpha-by-domain.txt |
        raink -f /dev/stdin -p 'which of these TLDs is most related to the concept of "hacking"?' |
        jq -r 'map(.value)[:10]'
    
    [
      "BLACK",
      "COMSEC",
      "TOOLS",
      "SECURITY",
      "ZERO",
      "EXPOSED",
      "FORUM",
      "SHELL",
      "BOT",
      "SOFTWARE"
    ]
Those are all in the IANA list but not all can be registered—just showing as PoC. See https://bishopfox.com/blog/raink-llms-document-ranking for more background.


Are you the creator of that project?


I'd assume so? Usernames on HN and GitHub match?


Agree. I think LLMs are usually not "harnessed" correctly for complex, multi-step problems—hence the `raink` CLI tool: https://github.com/noperator/raink


That's awesome. Will take a closer look!


A concept that I've been thinking about a lot lately: transforming complex problems into document ranking problems to make them easier to solve. LLMs can assist greatly here, as I demonstrated at inaugural DistrictCon this past weekend.


So would this be 1600 commits and one of which fixes the bug (which might be easier with commit messages?) or is this a diff between two revisions, with 1600 chunks, each chunk a “document”?

I am trying to grok why we want to find the fix - is it to understand what was done so we can exploit unpatched instances in the wild?

Also also

“identifying candidate functions for fuzzing targets” - if every function is a document I get where the list of documents is, but what is the query - how do I say “find me a function most suitable to fuzzing”

Apologies if that’s brusque - trying to fit new concepts in my brain :-)


Great questions. For commits or revision diffs as documents—either will work. Yes, I've applied this to N-day vulnerability identification to support exploit development and offensive security testing. And yes, for fuzzing, a sensible approach would be to dump the exported function attributes (names, source/disassembled code, other relevant context, etc.) from a built shared library, and ask, "Which of these functions most likely parses complex input and may be a good candidate for fuzzing?" I've had some success with that specific approach already.
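One way to build the per-function documents for that fuzzing-target approach, as an added example (not noperator's code and not part of raink). It assumes GNU `nm -D` output and that raink accepts one document per input line, as the TLD pipeline above feeds it; `libimg.so` and the `img_*` symbols are a constructed sample.

```python
import re
import shlex
import subprocess

# Constructed sample of `nm -D libimg.so` output (GNU binutils format), not a real library.
SAMPLE_NM_OUTPUT = """\
0000000000004a20 T img_read_header
0000000000005310 T img_set_options
000000000000a040 T img_process_chunk
0000000000010000 D img_version_string
0000000000003000 W img_free_default
0000000000002000 t img_check_chunk_name
                 U malloc
"""

NM_LINE = re.compile(r"^(?P<addr>[0-9a-fA-F]+)\s+(?P<type>[A-Za-z])\s+(?P<name>\S+)$")

def exported_functions(nm_output: str) -> list[str]:
    """Keep global code symbols only: 'T' (text) and 'W' (weak). Local ('t'),
    data ('D'/'B') and undefined ('U') symbols are not callable fuzz entry points."""
    names = []
    for line in nm_output.splitlines():
        m = NM_LINE.match(line.strip())
        if m and m.group("type") in ("T", "W"):
            names.append(m.group("name"))
    return names

def to_documents(lib: str, names: list[str]) -> list[str]:
    """One document per line (assumed raink input format, mirroring the TLD example)."""
    return [f"{lib}: {name}" for name in names]

def dump_exports(lib_path: str) -> str:
    """Run GNU nm on a real shared library; not invoked on the embedded sample."""
    return subprocess.run(["nm", "-D", lib_path], check=True, capture_output=True, text=True).stdout

FUZZ_PROMPT = ("Which of these exported functions most likely parses complex, "
               "externally supplied input and would be a good fuzzing target?")

def raink_command(docs_path: str) -> str:
    """Shell pipeline in the shape of the TLD example: rank, then keep the top 10 names."""
    return (f"raink -f {shlex.quote(docs_path)} -p {shlex.quote(FUZZ_PROMPT)} "
            "| jq -r 'map(.value)[:10]'")

if __name__ == "__main__":
    docs = to_documents("libimg.so", exported_functions(SAMPLE_NM_OUTPUT))
    with open("functions.txt", "w") as fh:
        fh.write("\n".join(docs) + "\n")
    print(raink_command("functions.txt"))
```

Adding the function's disassembly or source snippet to each line, as the comment suggests, gives the ranker more to work with than the name alone.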


> palm rejection while using the stylus

Do you mean that it doesn't sufficiently reject palm touch while writing with stylus? I'm a long-time Onyx BOOX user and hoping that DC-1 writing experience is as good or better.


PRs welcome ;)


I just like to be notified when I need to tap something with explicit intent.


The concern is that if you don't know how many times you should be tapping the YubiKey when you clone a git repo, then an attacker could slip in its own signing requests and you would dutifully tap the YubiKey to authorize them. If you do know how many times to tap, do you still need the notification?

(It's true that if an attacker slipped in a request right before I was expecting to tap my YubiKey, I would tap it a second time to get my operation to succeed under the assumption that it didn't detect my touch the first time. But I would become suspicious if that kept happening.)

