Cybersecurity

10069 readers

94 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 3 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

Anthropic Lets Claude Mythos Spread Its Glasswings (gizmodo.com)

submitted 6 days ago by kid@sh.itjust.works to c/cybersecurity@sh.itjust.works

5 comments fedilink hide all child comments

top 5 comments

sorted by: hot top controversial new old

[–] Franconian_Nomad@feddit.org 5 points 6 days ago (1 children)

Cloudflare, for instance, shared that Mythos Preview was particularly adept at exploit chain construction, which is basically spotting how several bugs can be used to create a series of attacks that do more damage than a single exploited flaw.

But Anthropic also revealed that Mythos isn’t necessarily ready for primetime, which might also be part of why it’s actually keeping it to such a small and controlled base of users.

Cloudflare also noted that other models found a lot of the same bugs as Mythos—an observation that has been made elsewhere. A security company called Aisle tested several small, open-source models and was able to find the same vulnerabilities that Anthropic highlighted when it announced Mythos—vulnerabilities that went unnoticed by humans for decades.

My take is that Mythos is quite good, but is of course overhyped by Anthropic. Current models are quite capable now and experts can deploy them effectively. Good news is that a script-kiddie still will have a hart time to find and create workable exploits.

[–] midribbon_action@lemmy.blahaj.zone 5 points 6 days ago (1 children)

That cloudflare blog post already spilled the beans: it's just unreliable. The same task could be repeated three times and come up with three different answers, sometimes refusing outright, sometimes failing, sometimes returning false positives. Only a fraction of runs turned out anything useful, and that's only after running a separate instance of mythos to sort through the trash, and then multiple more verification runs.

So, the most expensive model, burning the most tokens, you still need two instances and multiple runs through the same underlying task, and it may give you an exploitable bug. My understanding from cloudflare's blog post is that their complex harness is entirely in-house, so I really think most of anthropic's partners are having an even worse experience sorting through mythos trash.

My feeling is that there is a diminishing rate of return on token burn rate. I also believe increasing the complexity of models makes it harder to set boundaries and control output.

Also, most of the bugs so far have come down to not using basic OS safeguards or the attacker already having access to your computer. They are important threat vectors that need to be addressed, but they are types of vulnerabilities we've known about for decades and built protections around.

[–] Franconian_Nomad@feddit.org 1 points 6 days ago (1 children)

Interesting. I should have read the cloudflare article, not just linked it. Of course, anthropic does the bullshit it’s known for.

But I heard several security researchers experimenting with own harnesses. Seems to make quite a difference.

[–] midribbon_action@lemmy.blahaj.zone 1 points 6 days ago (1 children)

My question is why these harnesses are even necessary. The cloudflare pipeline is not specific to any codebase, it is just secret sauce they added themselves that increases the costs dramatically. Cloudflare is not an AI company though, Anthropic is, and openai and anthropic have spent tens of millions on signing bonuses for all of the most competent AI researchers in the field.

Why is it cloudflare's job to make the model useful? Why doesn't the model do what it says it will without multiplying the token burn rate 5-10x? Why not ship a harness developed by the ai experts, if a harness is truly necessary? The idea of adverserial machine learning is more than a decade old, it's not like cloudflare stumbled on a new concept.

I believe this is just another attempt to hide the true cost of inference.

[–] Franconian_Nomad@feddit.org 1 points 6 days ago

From what I gather a different harness can make quite a difference. Seems like a model can work better or worse depending on the harness, that’s at least what I‘ve heard from the community.

A harness for coding is probably different from a harness for agentic tasks like Hermes or opencode. … probably it also helps if you don’t vibe code your harness with little or no supervision. (Cough, Claude Code, cough)