[gofreddygo]

This got me thinking, so what happens in two years?

every tom, dick and harry who can type english has the tools to attack any software that isn't patched.

tools that were accessible to specialized groups, now made available to anybody with a grudge and a few dollars for tokens.

and what does anthropic and openai do? They form an inner ring to make the latest models available first to Enterprises. Enterprises will cough up the prices that anthropic and openai set, they have no choice here. e

Eventually everybody pays. This does not sound good

[mdeeks]

Two years? That exists right now. You only have to point Codex Security at an open source repo. There are a lot of tools and companies that are spinning up today that do autonomous pentesting.

I'm not even sure a specialized model is needed here. It probably just needs the right harness around existing ones.

I expect the next two years to be absolutely brutal for hacks. Attackers have supercharged tools in their hands right now. Defenders are only getting started and will have to plow through a massive backlog of newly uncovered vulns.

The major short term downside is that open source or personal projects won't be able to afford things like Codex Security.

[nullbio]

> The major short term downside is that open source or personal projects won't be able to afford things like Codex Security.

Realistically, all open-source projects should be forced to have automated scans of this nature before their releases can be shipped. This is something the package managers and github need to figure out. It'd stop the supply chain attacks too.

[qerahb]

So first they steal all code and launder it without attribution. Then they release a tool that doesn't find anything in hardened projects and is marketed through secrecy and modern equivalents of Netcraft like this British AI institute.

Then open source projects need a McKinsey-like stamp of approval to even be released.

Sounds like there are many parasites in this process.

You know that open source users are free to scan everything if they want to?

[nullbio]

I don't like it either. But what alternative is there when a spaghetti graph of open-source dependencies serves as the backbone for the entire worlds software? I haven't seen or heard of any novel solutions to this problem yet.

[05]

> It'd stop the supply chain attacks too.

Yeah it’s hard to write a loop that makes an adversary agent write and mask malware then runs a scanning agent and if the malware is detected gives the detection details to the adversary agent with instructions to hide it better..

As usual, the attacker only needs to get lucky once.

[junon]

> all open-source projects should be forced

That's a great way to kill OSS. This is only bootlicking the idea of corporations profiting off of unpaid labor.

[nullbio]

Well something needs to be done urgently, before hospitals and critical infrastructure start getting ransomware infected on a daily basis. This isn't an unlikely scenario either, all it will take is one well resourced attacker to spin up thousands of decensored agents and have them pumping out attacks 24/7. I'm actually kind of surprised it hasn't already happened. TeamPCP is just the beginning. We're lucky they're not using ransomware, otherwise the carnage would be 100-fold.

[junon]

Then the corporations, medical system, etc needs to help support the people who make OSS software if they want the immediate, urgent change you're suggesting.

[mrtesthah]

I would say that if this sounds untenable to you, then you may want to consider that the way we architect software has itself been untenable for a while. What Mythos can accomplish today in public, an APT unit can already accomplish in secret.

[conradkay]

You'll have access to the same models as your hypothetical attackers, and a big advantage if only you have access to the source code