pull down to refresh
100 sats \ 14 replies \ @0xbitcoiner OP 4h \ parent \ on: Researchers question Anthropic claim that AI-assisted attack was 90% autonomous AI
đ
I donât know enough to draw any solid conclusions, but what Dan Tentler said made me suspicious of this report. I do believe there might be some AI-driven automation involved, but jumping from that to claiming it was over 90% autonomous is hard to believe, and I imagine itâs hard to measure anyway. My guess is theyâre working off rough estimates. From the diagram in the report, it looks like there could be some automation in each stage, but the results still get handed back to a human operator, and thatâs where the big question about the real level of automation comes in.
Its worse. code analysis? Like Claude finding 0days? Why doesn't it say "hey Claude discovered some vulns and we reported them to the respective software maintainers"? Because how did Claude get the source code? Did it also hack a MS dev workstation and fetch the code?
reply
Iâm not sure Iâm understanding what youâre saying. Are you saying the attacker had access to the victimsâ source code?
In the report they donât mention who was attacked, they only say that the vulnerabilities identified by the human attacker were exploited.
The operation targeted roughly 30 entities and our investigation validated a handful of successful intrusions.
Initial targets included major technology corporations, financial institutions, chemical manufacturing companies, and government agencies across multiple countries.
Basically, they âjustâ exploited API vulnerabilities using credentials that were found in the earlier phases. At least thatâs how I understood it, I might be wrong.
reply
Major tech corporations, financial institutions, chemical manufacturing companies and government agencies run systems with known RCE and/or SQL injection vulns?
reply
They/we (government entities in the US) are always having our computers updated and restarted so they are constantly addressing it. We also are limited with the number and type of programs, software, and internet connections we can have. Places like the NNSA and National Labs are extremely strict in what outside electronics you can even bring in heck Apple Watches are not allowed there is only one type of Garmin watch you can wear (if you want to wear a smart watch).
Thatâs already beyond what I know!
reply
I've worked with several government departments, fintechs and manufacturers in several countries over the years. This would mean there is a serious regression if they no longer pay attention to infosec and run vulnerable software like that. If its 0days then Anthropic could have saved the day - would be something better to brag about than this fantasy story.
reply
I get what youâre saying, but in this case there was supposedly a human operator who interpreted the data collected by the AI and then directed the attack. What I mean is that those 0-day vulnerabilities might not have been found by the AI, but by the human. But this is just me wondering, I have no idea how it actually went down.
reply
reply
Right. Maybe I missed it, but I didnât see anywhere in the report saying the AI was the one that found the 0day vulnerability.