April 2026 Link dump


  • Anthropic Mythos: security superpowers?
  • Threat model scope matters
  • Anyone ready for quantum break in 2029?
  • Trains with 5G windows and noise-cancelling cabins: only in Japan
  • The NAND gate of continuous mathematics: all elementary functions from one operator

Anthropic holding back Mythos because they claim it has extraordinary powers to discover security flaws (whether the claims hold up or not) was a master marketing/PR move. It instantly made a big splash, generated great demand, and as a side effect it at least made the software security community wonder, “what if it’s true?” Naturally, there are all kinds of opinions, rebuttals, and reactions.

“Extraordinary claims require extraordinary evidence” but details remain under wraps, which is reasonable even as a precaution. I haven’t followed this closely but it raises an interesting puzzle: how to safely demonstrate such a superpower without releasing it?

“FBI Extracts Suspect’s Deleted Signal Messages Saved In iPhone Notification Data” is an excellent object lesson in threat modeling, often missed. The leak threat (obviously a major threat for Signal) wasn’t in the protocol, or the app, but in the OS. Assuming this wasn’t simply missed, it comes down to scoping the model big enough: not just the app but also the OS it runs in. I don’t know if notifications have always been this way or it’s a recent change: that is, if it was due to scoping to just the app, simply missed, or a case of not updating the threat model to catch the change. For this last, see “Publish Your Threat Models!” section IX.E: “New attack vectors become possible because of changes in the environment such as new OS features.”

Perspective on Quantum Computing Timelines (Executive summary of timeline: 2029) — I wish I understood QC a tiny qubit but the writer seems to.

Bullet trains gain 5G windows and noise-cancelling cabins; Japan, again, is creating the future.

“All elementary functions from a single operator” contains the coolest image I’ve ever seen in a technical paper. Also over my head but very cool: I’m not sure what it means because I never imagined this was even possible. “A single two-input [NAND] gate suffices for all of Boolean logic in digital hardware. … Here we show that a single binary operator, eml(x,y) = exp(x) - ln(y), together with the constant 1, generates continuous mathematics, including trigonometry, transcendental, and algebraic functions.”

Here’s my answer to how Anthropic could safely demonstrate that Mythos capabilities would be an attacker’s hot knife cutting through the butter that we call secure software.

  1. Pick old unsupported versions of widely used software: Windows, macOS, iOS, Android, Ubuntu, and so on. Nobody who cares a whit about security should be using these today.
  2. List all known vulnerabilities in each, including newer finds that work in them as well.
  3. Ask Mythos to find new undiscovered vulnerabilities not on the list.
  4. IMPORTANT: Check if any new vulnerabilities work in newer supported versions, and responsibly disclose that subset to the software maker.
  5. Publish details of all the other new discoveries. This disclosure should be harmless.

If it’s as good as they say, this should be impressive. Possibly most of these old vulnerabilities are still in the code and work in actively used releases but my hunch is that would be unlikely. If so, restrict the search to features and components that have been deprecated so there’s no chance they still work in the installed base.

“We are made of starstuff.” — Carl Sagan