CIRCLE WITH A DOT
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos.

Category: Uncategorized. 73 Posts, 38 Posters.
gossithedog@cyberplace.social (parent post, quoted):

Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.

What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.

It's not though, is it?

#46 mkoek@mastodon.nl (replying to gossithedog@cyberplace.social):

@GossiTheDog They’re doing the right thing with responsible disclosure, but omg they’re full of themselves. Zero days are not part of the daily cybersecurity churn to begin with, at all, but even so what they’ve found is unimpressive. Yet they literally take it as a given that they’ve turned the industry upside-down. Quod effing none.
trademark@fosstodon.org (parent post, quoted):

@azonenberg @dalias @GossiTheDog I think it will be a big deal if they don't keep their promises. It's the sort of thing journalists will use for attack pieces. We do already know that some of the bugs are real, for instance Anthropic is keeping the exploit for CVE-2026-4747 secret, but somebody else used the public version of Claude to create their own working exploit: https://blog.calif.io/p/mad-bugs-claude-wrote-a-full-freebsd

#47 dalias@hachyderm.io (replying to trademark@fosstodon.org's post above):

@trademark @azonenberg @GossiTheDog I love how they hype what's a vuln in the in-kernel NFS server (FFS we've been doing this shit at least 2/3 of my lifetime, stop doing NFS/sunrpc shit already) as "FreeBSD RCE".

I knew when I was like 15 that you don't run NFS unless you want to get popped.
#48 trademark@fosstodon.org (replying to #47):

@dalias @azonenberg @GossiTheDog To summarize your position: "If Anthropic withholds something to give defenders time to fix it, it means they're lying and have nothing. When they do release a real bug it means that it was for some stupid thing you shouldn't be running anyway." Got it.
#49 dalias@hachyderm.io (replying to #48):

@trademark @azonenberg @GossiTheDog Huh? Did your LLM just vomit that? Because it's completely unrelated to what I said.

What I said is that they're hyping a vuln in one small thing, an NFS server, that FreeBSD happens to have a version of that runs in kernelspace, that nobody security-conscious would be using to begin with, and calling it "vuln in FreeBSD!" to make it sound important and impressive.

Absolutely nothing to do with disclosure timelines or whether their findings are real.
#50 trademark@fosstodon.org (replying to #49):

@dalias @azonenberg @GossiTheDog Let me try explaining more clearly: Anthropic does this to demonstrate the technical capabilities of their new model. Your denigration of the utility of the FreeBSD NFS-server does not detract from that in the slightest, so Anthropic and their customers are not going to care in the slightest. You're being rather insulting to FreeBSD though, is that intentional?
#51 dalias@hachyderm.io (replying to #50):

@trademark @azonenberg @GossiTheDog They do this to impress investors/C-suites and to keep the grift train going.

I'm not going to address any claims about whether the "technical capabilities of their new model" are a thing.

And to be impressive, yes, they need the thing they attack to be highly regarded in terms of its reputation for security and quality. "Vuln in NFS server module that runs on FreeBSD" does not impress. "Vuln in FreeBSD" does. And it's a lie.

I have no idea how you think this is "insulting to FreeBSD".
#52 trademark@fosstodon.org (replying to #51):

@dalias @azonenberg @GossiTheDog You're saying nobody should run the NFS-server they are making. How is that not insulting? Why don't you go to their mailing lists and tell them to stop? For extra effect repeat the phrase you used: "I knew when I was like 15 that you don't run NFS unless you want to get popped."
#53 dalias@hachyderm.io (replying to #52):

@trademark @azonenberg @GossiTheDog I don't know the project dynamics of this NFS server module, but I doubt it's something core folks are proud of. NFS is basically a domain of meeting very old legacy requirements, and for old die-hard Sun fans who run it by choice. Back in the day it had utterly zero access control. You just told the server "hey, I'm root" and it said "ok, cool". AIUI the vuln here is in part of an authentication layer bolted on.
#54 trademark@fosstodon.org (replying to #53):

@dalias @azonenberg @GossiTheDog You are being incredibly rude and even more ignorant. FreeBSD supports the latest NFSv4 including Kerberos encryption and authentication. If you don't believe me, ask on the relevant mailing list. Though if you do I recommend you tone down your rudeness.
#55 trademark@fosstodon.org:

@lispi314 @GossiTheDog @dalias @azonenberg That's not what they're saying though. From the wiki: "krb5p
Kerberos authentication, integrity, and privacy. This is the most secure flavor of NFS. Not only does it provide authentication and integrity, but the entire RPC payload is encrypted. Thus a passive eavesdropper can see nothing but RPC headers. krb5p is a good choice for insecure networks, including wireless networks."
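The security flavor quoted from the wiki above is chosen per export, and the export definition is where a weak setting (sys, or a flavor list that still allows sys) slips in. The following is an added example for this thread, not code from any poster and not FreeBSD's own tooling: a small audit of exports(5)-style lines that reports the weakest flavor each export permits, unrestricted host lists, and root mapping. It assumes the conventions described in its docstring (paths first, then -options, then host specs; -sec defaults to sys when omitted; -network/-mask take their argument either after '=' or as the next token), and the sample exports file is constructed for the example.

```python
"""Audit FreeBSD-style /etc/exports lines for weak NFS security settings.

Added example for this thread; it is not FreeBSD code and not from any
post above. Assumed exports(5) conventions: absolute paths come first,
then -options, then host specs; the security flavor comes from
-sec=flavor[:flavor...] and defaults to sys (AUTH_SYS) when absent;
-network and -mask may take their argument after '=' or as the next token.
"""
import shlex
from dataclasses import dataclass, field

# Strength order of the flavors named in the wiki quote. The weakest flavor
# an export permits is the one a hostile client will negotiate, so it is
# the one that determines the exposure.
RANK = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}


@dataclass
class Finding:
    line_no: int
    paths: list
    flavors: list
    problems: list = field(default_factory=list)


def parse_export(line):
    """Split one exports(5) line into (paths, options, hosts).

    options maps option name -> value ('' for bare flags such as -alldirs).
    """
    tokens = shlex.split(line, comments=True)
    paths, options, hosts = [], {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name, _, value = tok[1:].partition("=")
            # '-network 10.0.0.0 -mask 255.0.0.0' form: argument is the next token
            if name in ("network", "mask") and not value and i + 1 < len(tokens):
                i += 1
                value = tokens[i]
            options[name] = value
        elif tok.startswith("/") and not options and not hosts:
            paths.append(tok)
        else:
            hosts.append(tok)
        i += 1
    return paths, options, hosts


def audit_line(line_no, line):
    """Return a Finding for an export line, or None for non-export lines."""
    paths, options, hosts = parse_export(line)
    if not paths:  # blank line, comment, or an NFSv4 'V4:' root line
        return None
    flavors = options["sec"].split(":") if "sec" in options else ["sys"]
    f = Finding(line_no, paths, flavors)
    unknown = [x for x in flavors if x not in RANK]
    if unknown:
        f.problems.append(f"unknown security flavor(s): {unknown}")
    weakest = min((RANK[x] for x in flavors if x in RANK), default=0)
    if "sys" in flavors:
        f.problems.append("sys (AUTH_SYS) accepted: uid/gid are asserted by the client, nothing is authenticated")
    if weakest < 2:
        f.problems.append("no integrity protection: RPC payload can be altered in transit")
    if weakest < 3:
        f.problems.append("no privacy: file data is readable by a passive eavesdropper")
    if not hosts and "network" not in options:
        f.problems.append("no host or -network restriction: exported to every client that can reach the server")
    if options.get("maproot") in ("root", "0"):
        f.problems.append("-maproot=root: remote root maps to local root")
    return f


def audit_exports(text):
    """Audit a whole exports file; returns only the lines that have problems."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        f = audit_line(n, line)
        if f and f.problems:
            findings.append(f)
    return findings


# Constructed sample exports file, not taken from any real host.
SAMPLE_EXPORTS = """\
# lab file server
/export/home -alldirs -network 10.0.0.0 -mask 255.255.255.0
/export/scratch -maproot=root
/export/secure -sec=krb5p -network=10.0.0.0/24
/export/mixed -sec=krb5:krb5p host1.lab.internal
V4: /export
"""

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"line {f.line_no} {f.paths} sec={':'.join(f.flavors)}")
        for p in f.problems:
            print("   -", p)
```

Run against the sample, only the krb5p-only export comes back clean; the export with no -sec at all is reported as AUTH_SYS, and the krb5:krb5p export is reported because a client may still pick plain krb5, which gives authentication but neither integrity nor privacy.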
#56 dalias@hachyderm.io (replying to #55):

@trademark @lispi314 @GossiTheDog @azonenberg Running a NFS server in kernelspace is no less backwards than running a httpd in kernelspace (something Linux folks actually tried at one point; it was eventually removed).

Yes there will always be apologists for it. I am not worried about being considered rude when I state that this is just completely untenable from both a security standpoint and a good software engineering standpoint.
#57 trademark@fosstodon.org:

@lispi314 @GossiTheDog @dalias @azonenberg Please direct your suggestions to the FreeBSD people directly, they are easily contactable.
#58 trademark@fosstodon.org (replying to #56):

@dalias @lispi314 @GossiTheDog @azonenberg Please tell this to the FreeBSD people, I am sure they will appreciate your insights.
#59 dalias@hachyderm.io (replying to #57):

@trademark @lispi314 @GossiTheDog @azonenberg We're not making technical recommendations for the FreeBSD team here. Anyone who actually has reason to use NFS knows the risks/tradeoffs and if they're choosing to use something that's going to get them popped that's on them, not on the FreeBSD team.

We're debunking hype that's intentionally exploiting the ignorance of people like yourself about what component was actually vulnerable and whether it's actually something important and noteworthy like Anthropic's propaganda department would have folks believe.
#60 trademark@fosstodon.org (replying to #59):

@dalias @lispi314 @GossiTheDog @azonenberg That's not debunking. Actual debunking would be to provide evidence that what Anthropic achieved was not actually technically difficult. Instead of doing that you chose to insult FreeBSD. Instead of providing technical arguments you displayed your ignorance of the last 20 years of progress in NFS. Fascinating how somebody can be so wrong and still sound so arrogant.
#61 trademark@fosstodon.org (replying to #60):

@dalias @lispi314 @GossiTheDog @azonenberg Oh, and also, earlier you said: 'I'm not going to address any claims about whether the "technical capabilities of their new model" are a thing.' But this is exactly what you need to do if you want to debunk what Anthropic is saying.
#62 dalias@hachyderm.io (replying to #60):

@trademark @lispi314 @GossiTheDog @azonenberg I am debunking the fraudulent importance from misrepresenting what software the vuln was in.

Whether their technical claims are bullshit is another completely legitimate area for debunking but not the one I'm engaged with in this thread.
#63 kravietz@agora.echelon.pl (replying to #56):

@dalias Unikernel is a way of achieving the same goal in a way that is reasonable from a security point of view.
#64 trademark@fosstodon.org (replying to #62):

@dalias @lispi314 @GossiTheDog @azonenberg No, it is not fraud when you call something in the FreeBSD base system FreeBSD code. If the code had been third-party code in ports you'd have had a point. But that is not the case, so you are wrong again.
#65 trademark@fosstodon.org:

@lispi314 @GossiTheDog @dalias @azonenberg The point of what Anthropic did was to demonstrate how good the new model is. Whether the NFS code should be in the kernel or not is an interesting discussion. However, the fact is that exploiting kernel-level code usually is harder than attacking userspace programs. So when the AI succeeded in doing just that it is an indication of how technically skilled it is compared to earlier versions.