reply on: Researchers question Anthropic claim that AI-assisted attack was 90% autonomous \ stacker news ~AI

pull down to refresh

157 sats \ 13 replies \ @optimism 4h \ parent \ on: Researchers question Anthropic claim that AI-assisted attack was 90% autonomous AI

Its worse. code analysis? Like Claude finding 0days? Why doesn't it say "hey Claude discovered some vulns and we reported them to the respective software maintainers"? Because how did Claude get the source code? Did it also hack a MS dev workstation and fetch the code?

100 sats \ 12 replies \ @0xbitcoiner OP 3h

I’m not sure I’m understanding what you’re saying. Are you saying the attacker had access to the victims’ source code?

In the report they don’t mention who was attacked, they only say that the vulnerabilities identified by the human attacker were exploited.

The operation targeted roughly 30 entities and our investigation validated a handful of successful intrusions.

Initial targets included major technology corporations, financial institutions, chemical manufacturing companies, and government agencies across multiple countries.

Basically, they ‘just’ exploited API vulnerabilities using credentials that were found in the earlier phases. At least that’s how I understood it, I might be wrong.

33 sats \ 11 replies \ @optimism 3h

Major tech corporations, financial institutions, chemical manufacturing companies and government agencies run systems with known RCE and/or SQL injection vulns?

100 sats \ 1 reply \ @Cje95 2h

They/we (government entities in the US) are always having our computers updated and restarted so they are constantly addressing it. We also are limited with the number and type of programs, software, and internet connections we can have. Places like the NNSA and National Labs are extremely strict in what outside electronics you can even bring in heck Apple Watches are not allowed there is only one type of Garmin watch you can wear (if you want to wear a smart watch).

0 sats \ 0 replies \ @optimism 2h

Yeah. I haven't heard about any CISA people getting laid off either.

0 sats \ 8 replies \ @0xbitcoiner OP 3h

That’s already beyond what I know!

33 sats \ 7 replies \ @optimism 2h

I've worked with several government departments, fintechs and manufacturers in several countries over the years. This would mean there is a serious regression if they no longer pay attention to infosec and run vulnerable software like that. If its 0days then Anthropic could have saved the day - would be something better to brag about than this fantasy story.

100 sats \ 6 replies \ @0xbitcoiner OP 2h

I get what you’re saying, but in this case there was supposedly a human operator who interpreted the data collected by the AI and then directed the attack. What I mean is that those 0-day vulnerabilities might not have been found by the AI, but by the human. But this is just me wondering, I have no idea how it actually went down.

33 sats \ 5 replies \ @optimism 2h

But if you send code to analyze to Claude, then Anthropic has that code. So they have the 0day code. You cannot ask Claude to analyze something without sending everything to anthropic.

100 sats \ 4 replies \ @0xbitcoiner OP 2h

Right. Maybe I missed it, but I didn’t see anywhere in the report saying the AI was the one that found the 0day vulnerability.

55 sats \ 3 replies \ @optimism 2h

Yeah they just imply it with the 90%. "Give SuperClaude a list of targets and yeah... pwned" lol

view all 3 replies