This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
I wonder if Anthropic is really this naive.
Known to the NSA does not equate to known to the devs of the relevant software, quite the opposite. I don't see why you should criticize Anthropic for saying nothing on the topic of state level actors, especially when they're still on contract for providing services to the DOW.
Agreed, I think the median 0day the NSA exploits is one they found or bought and not one which they made some US company insert on purpose.
That being said, I think that it would be overly naive to suppose that a big US company with ties to the USG stumbles on a treasure trove of 0days and decides that obviously they will report all of them, rather than keeping a few choice ones for the spooks.
Even if this was their intent originally, obviously the intelligence community has moles and ways to coerce cooperation. "This is a matter of national security!!11", literally convinced the Americans to let them torture prisoners on the record. Few companies would be foolish enough to trust the court system to protect them from their ire.
It occurred to me that maybe the Iran attack happened when it did to burn a bunch while they still could but that might be over determined.
More options
Context Copy link
You're probably correct, but don't forget about the (probably small, but not null) class of exploits that they simply trick US companies into inserting. The NSA has a wide range of strategies. They paid RSA to use their exploitable Dual_EC_DRBG, for instance, but apparently that was mostly to buy enough credibility to get it called "the standard" and adopted freely by other crypto companies too.
Even their work with DES was a mix of white-hat (they knew about a vulnerability and pushed for changes that they secretly knew would eliminate it) and black-hat (they pushed to drop the standard key size from 64 to 48 bit, then settled for 56, because they knew they had the compute to brute-force those) security, and the only "made some US company insert on purpose" there was legislative, for a brief period in the late 90s when companies were only allowed to export encryption software with 56-bit or shorter keys.
More options
Context Copy link
More options
Context Copy link
The NSA probably, from time to time, has discussions with the devs of the relevant software on the subject of when to patch unknown-to-the-public vulnerabilities.
Of course, to your point about their work with the DOW, it's quite likely that Anthropic is well aware of this because they are one of the relevant organizations.
But if not, the thought of them turning loose MYTHOS and it immediately turning around and blowing up the NSA's zero-day horde is extremely funny. And since apparently this was automated and allegedly submitted a large number of such patches, it seems pretty plausible this in fact occurred.
I genuinely think that their actions are more likely to represent a divergence of interests with the NSA, which isn't that surprising given recent events. I would be very surprised if they found every zero-day that the NSA already knows, but this probably doesn't make them happy. Anyway, now that Mythos is out of the bag, most (intelligent) devs are going to be giving their code closer scrutiny, regardless of whether they have access or not. Arguably, they should have started last year.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link