It is fixable.
Model requires proof that you are a legitimate developer of that piece of software.
Every Anthropic/OpenAI account will have a list of projects the model is allowed to work on for security issues.
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
> A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was a culmination of over two years of effort, starting in 2021, by a user going by the name "Jia Tan". They used sock puppetry in a pressure campaign against the original maintainer of XZ Utils, eventually being given maintainer permissions on the project.
Can we retire the “seatbelts are useless because they can’t prevent every loss of life” approach to risk mitigation please?
If the acceptance criterion is “would prevent every single past instance and every imaginable future instance”, then yes, no mitigation is ever sufficient to address any problem in the world, so we might as well give up.
But I don’t think that’s the right lens to use.
That depends on whether it's an issue of accidents or a "you have to get lucky every time, we only have to get lucky once" issue.
I'm onboard with this! I just object to the term "fixable".
sure. how many cases like these have we had so far? 1, 2? and how long did they work to get commit access?
> how many cases like these have we had so far?
As with clever, careful serial killers, it's tough to count the ones we haven't caught.
It's not that tough. You can get an idea by how many people are being murdered. A successful serial killer results in dead people, and a successful infiltration results in malware being executed. If there are no murdered people with unattributed causes of death, or there are no open-source projects with unattributed causes of malware being shipped, you can conclude there are roughly 0 active serial killers / infiltrators.
It's possible there are infiltrators who are still working on long-term infiltration and haven't yet attempted to add any malicious code anywhere, but the point is that in terms of actual attempts, we've seen a single one and it wasn't even successful despite years of prep.
> You can get an idea by how many people are being murdered.
No, we can't, as that happens a lot via non-serial killers.
A truly successful serial killer is likely one who hides in that noise. No taunting the cops, distributed geographic locations, random methods, avoiding calling cards, and careful not to leave too many traces.
It seems likely that some of the 350k unsolved homicides in the US can be explained this way.
> It's possible there are infiltrators who are still working on long-term infiltration and haven't yet attempted to add any malicious code anywhere…
Or the code's already there, latent, as it would've been in the XZ case, which got discovered by chance and someone very dedicated to looking into a performance glitch.
We only know how many were discovered.
Since we do not know the ratio to undiscovered this "1-2" is meaningless to assess the risk of this sort of attack.
Ok, and how is that determined? How does Anthropic know my "kernel" project isn't a personal toy and not the Linux kernel? How does Anthropic determine I'm a legitimate kernel hacker? What proof do I give them and how does it tie back to my email? What would the steps be to create a new project? Do I need to send Anthropic a list of my team members each time and keep them updated as the company changes? Shall I be giving them access to our company's Active Directory?
> What proof do I give them and how does it tie back to my email?
Presumably your ID so that feds may pay you a visit when they feel like it, your email need not apply.
I’m surprised that there’s even enough pushback against ID verification to matter, all the corpos are probably salivating at the idea of having fully accurate profiles of everyone, think of the ad and product targeting. The govt. would also love that, for different reasons.
I'd honestly much rather give my ID to a Chinese model than an American one. If the American ones start requesting ID I'm out. I'm on a Gemini organizational account right now that gives me Pro but is directly tied to my organizational SSO. So that's something already. I just refuse to upload my face and driver's license anywhere ever.
How will the "feds" pay you a visit in Albania or China?
Simple - you wouldn’t be given access to those models, and probably all VPN access would be blocked too. Since this is a hypothetical, throw in a social credit score as well to require a proven “track record”, but maybe that’s too exaggerated (although credit scores already exist for different purposes).
It’s not too hard to imagine a future where you can only use certain things only with the govt. mandated spyware installed - bank apps already often don’t work on rooted Android phones (and you’re expected to use those apps to confirm payments) and all sorts of certification exam software is basically that already if you take a test remotely.
It follows that the same principle would just get pushed further, like what Discord wanted to do etc. Same with how Apple requires your documents for a developer account, Hetzner for a hosting account or Twitch for getting paid by them and tax stuff.
In the dystopian direction, exit visa requirements for people with access? Families back home as hostages like North Korea does?
This is a credentials and access list OAuth-style problem, and not really intractable.
For package X, I should be able to present my npm (homebrew, apt, nuget, etc) credentials with publishing rights for the package.
If package X is of sufficient public interest (user count, nature/sensitivity of user data, downstream distribution, etc), then the public interest + cryptographic credentials should permit access to best-available security auditing.
Yes, we still are trusting trust, that the owner of the package itself is not malicious, but that's not a sharp degradation from status quo.
This is not tractable, because there is nothing stopping me from copy-pasting someone else's project into my own namespace. Under most OSS licenses I have express permission to do so.
If you try to do some kind of dupe-detection, someone can use a lightweight LLM to make superficial changes until it's considered a different project.
Finally, the meatspace status quo is that it is totally acceptable to pay someone to find security bugs in someone else's open-source software, such as the Linux kernel.
> If you try to do some kind of dupe-detection, someone can use a lightweight LLM to make superficial changes until it's considered a different project.
Even if you don't, a lot of source code can be legitimately copied thanks to the GPL/MIT/BSD/etc. I'm allowed to take all of zlib and integrate it into my own project if I so choose.
Yup, I just added something to that effect, sorry if my edit arrived after you replied.
You are talking about creating a big moat, which might be a worse precedent than removing fable access altogether.
And what if I’m a crazy person and want to fork the Linux kernel as I’m legally allowed to do?
> If package X is of sufficient public interest (user count, nature/sensitivity of user data, downstream distribution, etc), then the public interest + cryptographic credentials should permit access to best-available security auditing.
Your private fork doesn't meet the conditions described.
Not just allowed to do, encouraged to do as part of legitimate development.
> How does anthropic know my "kernel" project isn't a personal toy and not the Linux kernel?
The Linux Kernel is in its training data. I just tested it. I copied about 20 random lines from the linux kernel and asked which codebase this was from and it could immediately tell.
The Linux kernel is also in the FreeBSD project. I'm allowed to copy as little or as much of the kernel as I like into my personal project thanks to the GPL.
Being able to attribute the source of a line of code doesn't help you to know if a repository can be legitimately hacked on.
As you could imagine, I might just take all or part of the Linux USB stack from the kernel to retrofit it into my own kernel.
Everyone is a legitimate developer on open source software...
lol worst idea ever
Sounds like a good solution my Führer