If AI can do mass exploitation then it can also do mass patching. Some malware in the past has been used to mass patch machines.
Get to it. Give the teams doing this presidential pardons and full immunity. Apply patches and mitigations on all the things. Impress us all. One big downtime, get 'er done.
I don't even believe that AI is real. To me it's just a predictive chat bot using LLM with big-data shoved up it's back-side. As for trust, I do not trust anyone or anything but if our choices are mass exploitation and mass patching, I will take the latter if people are not patching their own stuff especially if AI can gain access to it already. If AI can get to it so can spooks right now. There is a lot of hardware with state operated unofficial remote access and some of their companies are listed in In-Q-Tel's website. Worst case, the USA gets more control of the back-doors, lawful intercepts and such. I guess I will support that over other countries having control.
If there is a third option where companies drop everything, all hands on deck to patch all the things I would take that but it's just never been a priority. That's why I was always a big fan of ransomware separating customer data away from companies that should not have had it in the first place.
How could some worm imposed patching work? If a piece of software is insecure and you switch the binary to secure, the insecure version would uploaded in the next update - and secure version likely treated like malware itself.
Turtles all the way down right? Well the way malware was used by the feds in the past was go get rid of the existing RAT and fix the vulnerability that the malware used in the first place so the machine could not be re-infected by the same vectors. These were not all inclusive patch processes, just enough to kill the RAT and its attack vectors to shut down a specific crime network so that another criminal group could not just move in and take over in it's place.
It would be simpler require critical software to focus on security and quickly shift to secure approaches. I mean, there are was article about how small water districts are short on funds and so choose to allow remote access to water treatment machinery so their engineers can work weekends at home. Imposing regulation that stop such d--- f--- tradeoffs seems obvious. HOWEVER, the paradigm of cost-reduction via breakneck (and so insecure) development and lack of regulation on critical process is very, very entrenched. The proponents of "go fast and break things" would prefer powerful bug finders be treated like demons to be exercised rather than start requiring sane security practices.
Fundamentally I agree with everything you said but I think you also explained in your own response why this will not happen. If they don't have the funds to do it right then it will be done wrong. It's a pattern that never ends and why it's so easy to shut down utilities.
Suddenly when we invest 100m into cyber security (project glasswire) and 100b in training toppling governments is months away, but if you were to train and hire a team of people for the same amount of money it's nothing new.
There might be a bigger reason why five eyes is doing this, but even with all the knowledge I have of the (publically known) capabilities of five eyes I really don't see why this statement exists. Either we're on the verge of real, efficient computer intelligence or this is just fearmongering that has been elevated from mouth to mouth making it sound way more severe than it actually is.
State sponsored actors have already had the capability of mythos, the only thing mythos allows is reducing the amount of precursor knowledge needed in order to perform explotation.
I've been slowly working on "mythos at home" article with solid proof of replicating many of the (claimed) capabilties that mythos has with opensource models and GLM-5.2 has been pretty instrumental in advancing it forward.
I strongly believe there is either something extremely serious being hidden from the public (nothing new, five eyes operates in secrecy) or this is overblown fearmongering being brought up to the upper decision center that are afraid that non state sponsored entities now have the capability to achieve what was previously only possible when you're backed by a state.
On the bright side, glm-5.2 is pretty good at autonomously optimizing software so at least we're not going to be locked out of the frontier for long.
--
Side note: The amount of vulerabilities found in blockchains around gpt and opus 4.7 release does show that it is a real problem and I am not denying that. There have been several government agencies that have suffered from data leaks last few months as well as general more public CVE's such as copyfail. But I still believe if the same kind of money was invested into people we'd have similar if not better results.
The security products industry has a long and storied history of using national security folks in marketing or marketing-adjacent ways (putting them on boards to lend an air of legitimacy, etc). I don't doubt that such people know a lot about national security, but I don't think they know shit about computers, generally.
NSA and others employ thousands of people who actually are super good at computers. If this message was coming from those people--actual credible experts--I'd be a lot more interested. Instead, what it seems like is happening here is the same organizational brain rot that's happening everywhere. Out of touch leadership, a skewed information environment, and bad incentives align to produce utterly insane conclusions divorced from reality. In short, psychotic delusions.
This is, probably, just marketing noise. Nothing to worry about, except that the people spouting it have been psychologically compromised. So if their job function is essential, that's a problem.
Hmm. The article seems to be about AIs enabling cyberattacks.
How bad would a cyberattack have to be to topple a government? I guess I could see a parliamentary government losing public confidence if it failed to prevent a severe enough attack. I'm not sure I see it for something like the US, where elections are fixed. It might swing the next election, but that's not the same as "toppling a government", is it?
Aren't there plenty of countries which aren't exactly super-stable anyway? Might not take much to have select countries pushed over the edge. Especially if you have territorial disputes with neighboring countries looking to take advantage. For the U.S., what if Social Security payments suddenly stopped for 6 months? What if the U.S. lost records of Treasury Bills, and they couldn't be redeemed for a while? What if electricity went out for 30% of the population for three months? I would think it pretty cold comfort that the government didn't topple, because the next election results were a mix of democrats and republicans.
misinformation (already exists)
personalized attacks to influence voting behavior (already exists)
attacks of the financial system (the big one here)
Basically more of the same, but at much larger scale. The only way I could see five eyes react to this is if it turns out that our financial system is compromised.
Suppose "hackers" released extremely embarrassing/incriminating but true information [the remaining Epstein files with documentation or whatever]. Suppose social engineering and communication channel control was used to play the summary on every news station. Suppose enough congressmen/MPs/etc were put on record calling for an administration/government's resignation (through falsifying public and private communication). Such an extreme media/communication channel hack might ultimately be revealed but it could create powerful enough momentum that it could force administration out.
Effective enough news investigations have toppled governments already.
Governments able to topple themselves with 100% natural incompetence, meanwhile, have been invented millennia ago. AI is catching up.
If AI can do mass exploitation then it can also do mass patching. Some malware in the past has been used to mass patch machines.
Get to it. Give the teams doing this presidential pardons and full immunity. Apply patches and mitigations on all the things. Impress us all. One big downtime, get 'er done.
That's pretty much the plot for one of the latter Terminator movies, right?
https://en.wikipedia.org/wiki/Terminator_3:_Rise_of_the_Mach...
Do you trust the AI to build perfect patches? Do you trust it to not leave backdoors in the process?
If it's smart enough to do the first, I don't trust it to do the second.
I don't even believe that AI is real. To me it's just a predictive chat bot using LLM with big-data shoved up it's back-side. As for trust, I do not trust anyone or anything but if our choices are mass exploitation and mass patching, I will take the latter if people are not patching their own stuff especially if AI can gain access to it already. If AI can get to it so can spooks right now. There is a lot of hardware with state operated unofficial remote access and some of their companies are listed in In-Q-Tel's website. Worst case, the USA gets more control of the back-doors, lawful intercepts and such. I guess I will support that over other countries having control.
If there is a third option where companies drop everything, all hands on deck to patch all the things I would take that but it's just never been a priority. That's why I was always a big fan of ransomware separating customer data away from companies that should not have had it in the first place.
How could some worm imposed patching work? If a piece of software is insecure and you switch the binary to secure, the insecure version would uploaded in the next update - and secure version likely treated like malware itself.
Turtles all the way down right? Well the way malware was used by the feds in the past was go get rid of the existing RAT and fix the vulnerability that the malware used in the first place so the machine could not be re-infected by the same vectors. These were not all inclusive patch processes, just enough to kill the RAT and its attack vectors to shut down a specific crime network so that another criminal group could not just move in and take over in it's place.
It would be simpler require critical software to focus on security and quickly shift to secure approaches. I mean, there are was article about how small water districts are short on funds and so choose to allow remote access to water treatment machinery so their engineers can work weekends at home. Imposing regulation that stop such d--- f--- tradeoffs seems obvious. HOWEVER, the paradigm of cost-reduction via breakneck (and so insecure) development and lack of regulation on critical process is very, very entrenched. The proponents of "go fast and break things" would prefer powerful bug finders be treated like demons to be exercised rather than start requiring sane security practices.
Fundamentally I agree with everything you said but I think you also explained in your own response why this will not happen. If they don't have the funds to do it right then it will be done wrong. It's a pattern that never ends and why it's so easy to shut down utilities.
Nice try, you aren't gonna get me to love AI guys.
Suddenly when we invest 100m into cyber security (project glasswire) and 100b in training toppling governments is months away, but if you were to train and hire a team of people for the same amount of money it's nothing new.
There might be a bigger reason why five eyes is doing this, but even with all the knowledge I have of the (publically known) capabilities of five eyes I really don't see why this statement exists. Either we're on the verge of real, efficient computer intelligence or this is just fearmongering that has been elevated from mouth to mouth making it sound way more severe than it actually is.
State sponsored actors have already had the capability of mythos, the only thing mythos allows is reducing the amount of precursor knowledge needed in order to perform explotation.
I've been slowly working on "mythos at home" article with solid proof of replicating many of the (claimed) capabilties that mythos has with opensource models and GLM-5.2 has been pretty instrumental in advancing it forward.
I strongly believe there is either something extremely serious being hidden from the public (nothing new, five eyes operates in secrecy) or this is overblown fearmongering being brought up to the upper decision center that are afraid that non state sponsored entities now have the capability to achieve what was previously only possible when you're backed by a state.
On the bright side, glm-5.2 is pretty good at autonomously optimizing software so at least we're not going to be locked out of the frontier for long.
--
Side note: The amount of vulerabilities found in blockchains around gpt and opus 4.7 release does show that it is a real problem and I am not denying that. There have been several government agencies that have suffered from data leaks last few months as well as general more public CVE's such as copyfail. But I still believe if the same kind of money was invested into people we'd have similar if not better results.
The security products industry has a long and storied history of using national security folks in marketing or marketing-adjacent ways (putting them on boards to lend an air of legitimacy, etc). I don't doubt that such people know a lot about national security, but I don't think they know shit about computers, generally.
NSA and others employ thousands of people who actually are super good at computers. If this message was coming from those people--actual credible experts--I'd be a lot more interested. Instead, what it seems like is happening here is the same organizational brain rot that's happening everywhere. Out of touch leadership, a skewed information environment, and bad incentives align to produce utterly insane conclusions divorced from reality. In short, psychotic delusions.
This is, probably, just marketing noise. Nothing to worry about, except that the people spouting it have been psychologically compromised. So if their job function is essential, that's a problem.
Hmm. The article seems to be about AIs enabling cyberattacks.
How bad would a cyberattack have to be to topple a government? I guess I could see a parliamentary government losing public confidence if it failed to prevent a severe enough attack. I'm not sure I see it for something like the US, where elections are fixed. It might swing the next election, but that's not the same as "toppling a government", is it?
Aren't there plenty of countries which aren't exactly super-stable anyway? Might not take much to have select countries pushed over the edge. Especially if you have territorial disputes with neighboring countries looking to take advantage. For the U.S., what if Social Security payments suddenly stopped for 6 months? What if the U.S. lost records of Treasury Bills, and they couldn't be redeemed for a while? What if electricity went out for 30% of the population for three months? I would think it pretty cold comfort that the government didn't topple, because the next election results were a mix of democrats and republicans.
Suppose "hackers" released extremely embarrassing/incriminating but true information [the remaining Epstein files with documentation or whatever]. Suppose social engineering and communication channel control was used to play the summary on every news station. Suppose enough congressmen/MPs/etc were put on record calling for an administration/government's resignation (through falsifying public and private communication). Such an extreme media/communication channel hack might ultimately be revealed but it could create powerful enough momentum that it could force administration out.
Effective enough news investigations have toppled governments already.
Nonsense. The fearmongering around the word guessing machine is ridiculous. It can't even tell you how many Bs are in the word Blueberry.
[dead]