vpz

@david_chisnall I think it’s entirely possible that Mythos never touched the Claude Code source that was leaked. Furthermore, it wouldn’t surprise me that Anthropic doesn’t have a great code quality or code security review pipeline even though Anthropic may be marketing a model to help other companies with security tasks. My internal penetration testing team has found dozens of critical vulnerabilities in dedicated security products that claim high security and who say companies should buy their product to improve their security posture. Some of these companies have good security research teams that regularly post detailed security analyses on the weaknesses they’ve found in other products. Yet they didn’t find what a small team found in their own product even with access to the people who made it, source code, etc.? More likely it’s corporate silos operating independently. That could be what is happening here too.

@mattblaze@federate.social This post reminds me a lot about Operational Technology security. It is also non-trivial to fix certain security issues and they treat it like a kind of restricted knowledge. The physical system they manage was made by a company that no longer exists and it would be tens of millions of dollars to replace. But now things are ever more connected and networked. Knowledge of the process, as-in the plant’s process, becomes weaponizable information.