Google says criminal hackers used AI to find a major software flaw

CrzyLngPwd

People used LLMs to find flaws in Google software.

simmerup

Can google please use AI to find bugs then? Software is in such a state now, Gmail is full of bugs around sharing attachments to the position that I have to tell my dad to turn his phone off and on again in order to attach a document

SecretDreams

If "bad guy AI" can find flaws, can "good guy AI" patch them faster when backed by trillion dollar companies?

4128-1228

The Google Threat Intelligence Group wants to increase its relevance and casually point out the it was not Mythos which found the exploit ! Security "researchers" are overpaid buffoons who hype things for their own salaries and their companies. And the stenographers from the press dutifully copy everything. This is a despicable game to fool politicians into giving money and favorable AI legislation. Strangely enough these buffoons never offer their models to open source developers. It is always a select group of highly paid other buffoons that throws some very occasional results over the wall.

s3p

>But new A.I. models like Anthropic’s Mythos, which was announced last month, appear to be so good at finding such holes that Anthropic shared it only with a limited number of firms and government agencies in the United States and Britain. Immediate distrust of the article. GPT 5.5 is out with nearly the same capability. The author might be parroting company marketing, unable to discern that a lot of this is much less complex than it seems. For all we know this group could have had a model examine some obscure line of code thousands of times until it found something.

sowbug

Security will be a wedge to restrict the sophistication of open-weight and local LLMs, just as it's been used to demonize and restrict cypherpunk technologies.

ppqqrr

...says yet another company hell bent on integrating it into every facet of our lives. This reads like a celebration, if you ask me.

atrocities

Can we link to the actual google article, instead of these editorialized articles about the article? https://cloud.google.com/blog/topics/threat-intelligence/ai-...

gman2093

Black hat hacking seems to be a well-fit use case for these LLMs. Attackers only need to be right once, so the sometimes-wrongness of the attacks might be trivial. This probably devalues stashes of zero-day exploits for those that have been witholding them.

0xWTF

Wait until the bio version of this shows up.

wnc3141

But in exchange we get to also waste vast energy and carbon while depleting job prospects for just about any college grad.

bouncycastle

Meanwhile, I cannot ask ChatGTP how to pick my own lock. Even though this information is available in a book in the library.

skywhopper

Drives me nuts that the NYT just uncritically cites Anthropic’s unverified claims of “thousands of zero-days” without a hint of skepticism.

xnx

Dupe: https://news.ycombinator.com/item?id=48096712

skeledrew

Wild that they think restricting access to models will help much. Access to Chinese models will definitely not be restricted and have enough capability to find exploits as well.

QuantumNoodle

Okay, when fuzzing techniques came out there was a big surge in discovered and exploited bugs. AI is more general and I expect there be a similar surge. However fuzzing is cheap but compute and techniques can be "owned." The economics of AI is unless you pay for it, it is difficult to self host (expensive hardware, open source models are catching up). State actors + hackers will have more resources to make better offense. What worse, in my experience AI produced code is blind to overall system behavior. So I fear the exploits will be either low hanging/trivial to exploit errors or bigger system level bugs.

crazygringo

> “We have high confidence that the actor likely leveraged an A.I. model to support the discovery and weaponization of this vulnerability,” the report said. I wonder what gives them that "high confidence", as opposed to this being just a traditional zero-day? I'm not being snarky or critical, I'm genuinely wondering what about an attack could possibly indicate it was discovered with LLM assistance? Like, unless the attackers' computers have been seized and they've been able to recover the actual LLM transcript history? But nothing in the article indicates that the hackers have been caught, just that a patch was developed.

nsoonhui

There was a discussion a few days ago on White House considers vetting AI models prior to release ( https://news.ycombinator.com/item?id=48013608 ).

zx8080

It's the narrative "For your own security in the internet (and children's safety), show us your ID now, please". Tired of this trend.

srcreigh

> Google said in research published Monday What research? Where is it published?