so it cost anthropic $20k to find this openbsd crash bug which amounts to putting a negative integer in a tcp field where a negative integer was not expected by the c code which does some cavalier int cast bullshit, i.e. a vuln which is totally fuzzable, and quite certainly would have been found by the fuzzers of the 2010s had anyone cared to burn that much compute on fuzzing openbsd.

The difference today is not that anybody suddenly cares about investing that much in openbsd (is the build server still a donated machine running in Theo's basement?), but that openbsd's reputation for security makes it really good marketing if you can find a bug, any bug, it doesn't matter; and that marketing value is what makes it worth spending $20k on fuzzing.

@hailey 20K?????? oof. lots of things could be found by paying a couple researchers 20K i think heh
@valpackett @hailey The 20k is just the equivalent cost of the tokens. It is not a literal payment for just this OpenBSD test. They are spending billions on this model, probably
@slyecho @hailey I know, yeah. That is still the most useful metric I think, as it reflects "consumer side" cost for using the product as advertised. But yeah taking into account the cost of making the product makes it sound even more ridiculous for sure