I agree that there will be no single call or inference that presents malice. But I feel like they could still share general patterns of orchestration (latencies, concurrencies, general cadences and parallelization of attacks, prompts used to granularize work, whether prompts themselves have been generated in previous calls to Claude). There's a bunch of more specific telltales they could have alluded to. I think it's likely they're being obscure because they don't want to empower bad actors, but that's not really how the cybersecurity industry likes to operate. Maybe Anthropic believes this entire AI thing is a brand new security regime and so believes existing resiliences are moot. That we should all follow blindly as they lead the fight. Their narrative is confusing. Are they being actually transparent or transparency-"coded"?
Well - I would recommend using a better linux distribution than Ubuntu.
I run just lighttpd these days; used to run httpd before they decided the configuration must become even more complicated. I don't have any issues
with lighttpd (admittedly only few people use it; most seem to now use nginx).
That makes no sense. Just because they aren't a security vendor doesn't mean they don't have useful information to share. Nor does it mean they shouldn't share it. They aren't pretending to be a security researcher, vendor, or anything else than AI researchers. They reported on findings on how their product is getting used.
Anyone acting like they are trying to be anything else is saying more about themselves than they are about Anthropic.
I would generally use the standard precautions (VPN/Tor/etc.) but I think these organizations would much rather have you report the content than go after you, unless you've been reporting a suspicious amount of content that indicates you frequent such circles (i.e. you're one of those internet vigilantes).
I definitely lack motivation to do anything at my job, but it’s the same with all private/hobby stuff. IT is probably not it for me anymore, however I have that job situation under control. I wish I could do something else though (not IT at all), but that also requires me to start that thing (and take some risk).
Upvoted because many people genuinely believe that agency is an illusion and therefore there's no point in trying.
The state of believing that you can do it is a state that precedes actually doing it. This is true regardless of whether the universe is deterministic.
I was at an AI/cybersecurity conference recently and the talk given by someone from Anthropic was a lot like this report: tantalizing, vague, and disappointing. The speaker alluded to similar parts of this report. It was as though everything was reflected through Claude, simultaneously polished, impressive, and lost in the deep end.
I appreciate that OpenBSD sold its course on security-everywhere.
Unfortunately I also kind of lost faith in the BSD variants. There
are a few minor things such as PC-BSD suddenly vanishing, or years
before NetBSD on their mailing list admitting that Linux outperformed
their "runs on any toaster and other gimmick" strategy. But one of
the key issues I had was this:
I installed it (FreeBSD) on my second computer. I went out of my
apartment and returned hours later. Well, the FreeBSD machine was
no longer running; my linux machine on the other hand is running
non-stop for months, literally. This may be a fluke, perhaps the
computer had a problem - I am not saying this is really what the
BSDs are all about, as I also had them installed before. But then
I also asked myself "why would I want to bother with the BSDs,
if Linux simply runs better?". And I haven't found a good, convincing
answer to that for me to rationalise why I'd still be using the
BSDs. Note: I also use Linux in a non-standard way, e. g. versioned
AppDirs, but essentially Linux is simply more flexible than the BSDs
(that is my opinion) and there are more users too. There will be always
some BSD users, but to me they are like a dying breed. They would need
to market themselves as a "runs outside the nerd bubble as well"; even
Linux is still stuck in its own nerd bubble. You have to break out of
it if you want to really dominate (Linux semi-does it indirectly, e. g.
we can count many smartphones as Linux-driven, but I am still using a
desktop computer system here, so to me this is what really counts, even
if the total number is less than the smartphone users numbers).
Yeh it probably is expensive - but we currently have no other way (other than gas) to cover the low-wind/sun periods; while there are times when the UK can almost run purely off wind, there are other periods where we get ~5% of that wind energy for a week or so; the battery storage is nowhere near useful for that.
I throw Anthropic under the bus a lot for their lack of engineering acumen. If they don't have a core competency like engineering fully covered, I'd say there's a near 0% chance they have something like security covered.
The way Git computes diffs is by more or less storing all the source code in the .git directory as objects. At first glance it looks like a bunch of hashes, but tools can pull out source code from the objects tracked within the .git directory. Not least of which, the remote URL points to their username on GitHub and the author for commits can give you their email.
A good shortcut is "C-h m" which shows the help for the major mode (and current active minor modes). It will also show all the bindings that those modes define.
> And by now the car is unattractive anyway, nobody is going to steal it so I don't need to worry too much about it.
Think you’ve got that backwards. Typically it is older cars that get stolen. 13 years old is new enough it should be harder to steal, but for joyriding or as a vehicle for doing other crimes the thieves are not looking for a new car.
I greatly enjoy the single-purpose aspect of consoles: no upgrades, no other software to manage, etc.
So a single-purpose PC-based console basically made for Steam? That sounds great to me. I don't even have a 4K TV so the performance might be just what I need.
At the end of the day AI at any level of capability is just automation - the machine doing something instead of a person.
Arguably this may change in the far distant future if we ever build something of significantly greater intelligence, or just capability, than a human, but today's AI is struggling to draw clock faces, so not quite there yet...
The thing with automation is that it can be scaled, which I would say favors the attacker, at least at this stage of the arms race - they can launch thousands of hacking/vulnerability attacks against thousands of targets, looking for that one chink in the armor.
I suppose the defenders could do the exact same thing though - use this kind of automation to find their own vulnerabilities before the bad guys do. Not every corporation, and probably extremely few, would have the skills to do this though, so one could imagine some government group (part of DHS?) set up to probe security/vulnerability of US companies, requiring opt-in from the companies perhaps?
Very much so. If programs are well-behaved, and call "int 21", etc. all is well. But a lot of programs would use undocumented things, such as the list-of-lists, and they'd directly peek and poke into the operating system's code.
I've had fun updating the shell, and code, of CP/M, in assembly, and writing emulators of it. But as always there is no shortage of programs making specific assumptions that make everything more complex than they should be.