logoalt Hacker News

denverllctoday at 12:16 PM5 repliesview on HN

One of the major differences between Amodei’s and Hagseth’s views is that Hagseth said that in their world they don’t distinguish between “defensive” and “offensive” capabilities.

In other words, a weapons missle defense system is equivalent to an attack one.

I think that applying this thinking to software is a mistake. A lot of commercial software uses open source libraries under the hood, and and while the large corporations might have access to Mythos/Fable/gpt 5.6, the open source library maintainers typically don’t. That leaves them vulnerable to foreign adversaries who do have access to AI models. Attackers don’t need Mythos-level capability then, they just need to outperform whatever the maintainers are using.

Which means that Anthropic’s decision to restrict security research on even Sonnet makes that gap (and thus an attackers opportunity) even larger.

I say this as a coder who wants to release some of my internal libraries to open source. The risk now is that I open up my own products (which use those libraries) to vulnerability scanners while not having those kinds of detection methods myself. This, it’s safer to not release and keep internal than to risk increasing my own attack risk.

Hopefully we will come to see that software is not equivalent to missle defense — writing safe code is different than attacking others’.


Replies

pratikeltoday at 3:20 PM

OpenAI gives access to cyber models for open source maintainers

https://openai.com/index/patch-the-planet/

show 1 reply
maxericksontoday at 2:46 PM

Wouldn't open source enable review from people with access to the scanners prior to release?

Seems like there is a fair chance that it will mostly be an actual spike, where's a bunch of existing vulnerabilities get cleaned up and then published software mostly has less vulnerabilities going forward.

show 1 reply
solenoid0937today at 5:09 PM

How much money do you think a nation state has to spend on exploiting an OSS library? More or less than the owner of the OSS library? There's your answer.

Furthermore, of course Glasswing participants are scanning their dependencies as well. Why would you think they aren't!?

mft_today at 1:25 PM

If we take the noise about Mythos' capabilities as read, then releasing it freely into the world could result in chaos, as attackers find myriad new vulnerabilities and use them, and code owners frantically hunt for them and fix any that are exploited. (Noting, of course, how legendarily quick and agile large corporations aren't, compared to motivated individuals or small groups.). Eventually, given unfettered access to Mythos and sufficient time, things would settle down again once everything was patched, but who knows what would happen in the process?

So I suspect this has less to do with the underlying ethics or logic, and more to do with Anthropic not wanting to be held responsible for unleashing a potential period of chaos onto the world.

Of course, if someone has access to a tool that can find vulnerabilities in code, the process is identical whether the ultimate intent is to fix or exploit them (which may be Hegseth's underlying logic?). So to avoid this 'world chaos' scenario, Anthropic needs to somehow restrict Mythos access, avoiding bad players. And the only heuristics available at scale are either task-based assessment by AI (with downgrading of anything marginally risky to older models) or selection of trusted organisations by humans.

(By the by, to your point, it would also make sense to expand Glasswing to open source maintainers, at scale. I can't tell to what extent this has been part of that project?)

show 2 replies
KaiserProtoday at 3:54 PM

You're right on that, https://www.hurstpublishers.com/book/full-stack-spies/ goes over it in much more lucid detail.

Hegseth is to blindisded by macho-ism to value anything that requires patience and planning (see iran) If Fable is able to cheaply (ie less than $40k) find serious CVEs in common software, then it costs america much more to defend against it. especially as they are keeping the price of zero days artificially high.