
I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.
What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.
It's not though, is it?
@trademark @azonenberg @GossiTheDog I love how they hype what's a vuln in the in-kernel NFS server (FFS we've been doing this shit at least 2/3 of my lifetime, stop doing NFS/sunrpc shit already) as "FreeBSD RCE".
I knew when I was like 15 that you don't run NFS unless you want to get popped.
@trademark @azonenberg @GossiTheDog Huh? Did your LLM just vomit that? Because it's completely unrelated to what I said.
What I said is that they're hyping a vuln in one small thing, an NFS server, that FreeBSD happens to have a version of that runs in kernelspace, that nobody security-conscious would be using to begin with, and calling it "vuln in FreeBSD!" to make it sound important and impressive.
Absolutely nothing to do with disclosure timelines or whether their findings are real.
@trademark @azonenberg @GossiTheDog They do this to impress investors/C-suites and to keep the grift train going.
I'm not going to address any claims about whether the "technical capabilities of their new model" are a thing.
And to be impressive, yes, they need the thing they attack to be highly regarded in terms of its reputation for security and quality. "Vuln in NFS server module that runs on FreeBSD" does not impress. "Vuln in FreeBSD" does. And it's a lie.
I have no idea how you think this is "insulting to FreeBSD".
@trademark @lispi314 @GossiTheDog @azonenberg We're not making technical recommendations for the FreeBSD team here. Anyone who actually has reason to use NFS knows the risks/tradeoffs and if they're choosing to use something that's going to get them popped that's on them, not on the FreeBSD team.
We're debunking hype that's intentionally exploiting the ignorance of people like yourself about what component was actually vulnerable and whether it's actually something important and noteworthy like Anthropic's propaganda department would have folks believe.
@trademark @lispi314 @GossiTheDog @azonenberg I am debunking the fraudulent importance from misrepresenting what software the vuln was in.
Whether their technical claims are bullshit is another completely legitimate area for debunking but not the one I'm engaged with in this thread.
@trademark @lispi314 @GossiTheDog @azonenberg Running an NFS server in kernelspace is no less backwards than running a httpd in kernelspace (something Linux folks actually tried at one point; it was eventually removed).
Yes there will always be apologists for it. I am not worried about being considered rude when I state that this is just completely untenable from both a security standpoint and a good software engineering standpoint.
@trademark @GossiTheDog @dalias @azonenberg
So you're saying that FreeBSD is bad.
In that particular capacity? Yes. Especially since no appropriate warnings are present.
Despite security model and architecture choice being monolithic, the FreeBSD project as a whole cannot be so easily considered.
Are you objecting to that as well?
Considering it cost millions (in unreported result) before that 20k$ finally got a result anyone they could pay 100$ an hour could've given them faster (that "it's a bad idea, lol, rip that out immediately")?
Yes. On an economic level it's extremely silly.
But on an ethical level it is also unconscionable. The exploitation & harms of the LLM/"AI" industry are not justified by spending more money for worse or comparable work a human could produce with orders of magnitude less resources & without such accompanying harms.
@trademark @GossiTheDog @dalias @azonenberg
Do you have a source for the millions in unreported results?
I had started an actual reply to this point but I realized I honestly don't care to actually source & argue it even if indeed monetarily their "20k$" only exists by externalizing basically all the costs.
Even if it was zero-cost or magically profitable to use it, the fact it's unethical trumps literally all of that. And that is what really needs consideration.
For instance the phrasing for ffmpeg is clear that it is ten thousand for all runs: "Mythos Preview identified several other important vulnerabilities in FFmpeg after several hundred runs over the repository, at a cost of roughly ten thousand dollars."
That's a ridiculous amount of runs.
As for finding issues in ffmpeg, it's not very surprising. The project is infamous for this, to the point where many programs purposely run it exclusively in environments where all capabilities have been dropped.
Many, like myself, have been bemoaning its choice of tooling (and language) and practices for years (language has an excuse in acceleration API access being made for it, but the other two don't).
@lispi314 @GossiTheDog @dalias @azonenberg
"Ensloppifying does not increase the set of trustworthy software to be found"
This is precisely what happened with this model though. It has found bugs written decades ago by humans, leading to these bugs being fixed. Leading to at least these programs being better.
@dalias @trademark @azonenberg @GossiTheDog NFS-Ganesha is the userspace server the industry came up with specifically to not run an NFS server in kernelspace anymore.
It still sucks but at least it doesn't compromise the kernel and can actually be run with limited permissions.