CaptainFever 16 hours ago

[flagged]

yunnpp 15 hours ago

Thank you for your kind comment. I recommend you watch the actual talk, and then understand what exploiting RCEs in things like the Linux kernel at such a scale that defenders can no longer keep up with actually means. The latter is their claim, not mine.

Also realize that, unlike a security researcher, an attacker doesn't necessarily need to review the model output carefully to filter out the slop before a bug submission. They mostly just need to run the shit.

akerl_ 15 hours ago

Is your pitch that the reports are slop? Or that they’re so dangerous it’s morally indefensible to share the research?

yunnpp 15 hours ago

A good chunk of the reports are false positives (slop) per the researcher's own admission in his talk. I have no issue sharing the bug reports either; the bugs are better fixed.

What I take issue with is that they have basically released the weapon first without thinking about the consequences. And again, if you watch the talk, you'll see how he literally calls others to action to fix the problem. They made a problem and are asking you to fix it, and it will also cost you money, which conveniently goes to them. Any industry with even a semblance of regulation would find this very disturbing.

akerl_ 14 hours ago

The “weapon” here is identifying vulnerabilities that were already present and exploitable by malicious actors?

yunnpp 10 hours ago

A very shallow dismissal of my point. Is there no room for depth in your logical analysis?

First of all, we don't know whether this particular bug was already being exploited in the wild. We do know that there is a community of experts looking at the Linux kernel and reporting bugs. Yet this bug had never been reported until now. So either nobody ever looked there (unlikely), or they did and didn't find it. Conversely, the LLM found it with a prompt that even a 5-year-old can type. That significantly lowers the effort for the attacker, so much that it changes the game. It is, to use a crude analogy, like deploying firearms in a field traditionally fought with sword and shield. So yes, that's the weapon, and these guys released the stuff to the public with no oversight. That should get some people thinking.

akerl_ 10 hours ago

> So either nobody ever looked there (unlikely), or they did and didn't find it.

Those aren't the only two options.

tosti 15 hours ago

More like, if you pay a fee to use a service, you can find the bombs already hidden somewhere in your premises.

tptacek 15 hours ago

And? They didn't put the bombs on your premises. Before "the service", you had bombs you didn't know about; after, you get to know about them.

par1970 15 hours ago

But the service also tells criminals and adversaries about the bomb locations.

tptacek 15 hours ago

And? So do a variety of other services. Was it your impression that the criminals and adversaries were behind the 8 ball on this?

AI is reviving debates about vulnerability research that we thought we killed off in the 1990s.