<syntheticbird> @monero.arbo:matrix.org: tl;dr corporate mozilla bullshit about how they really care about security.
<syntheticbird> There is nothing in this that permits someone to distinguish between a groundbreaking AI vulnerability assessment and the Firefox codebase being utter garbage
<syntheticbird> nothing about the severity of the vulnerabilities has been disclosed
<syntheticbird> nothing about when these vulnerabilities will be disclosed
<syntheticbird> so much for a company that markets on transparency
<moneromooo> Come on. It's 100% transparent. You're looking at it and not even seeing it.
<monero.arbo:matrix.org> honestly find this take dangerously dismissive and if anything it reinforces my fear that people here are writing off AI security concerns with undue confidence > <@syntheticbird> tl;dr corporate mozilla bullshit about how they really care about security.
<monero.arbo:matrix.org> Nothing you said is wrong per se but I don't think any of it amounts to a good reason to dismiss out of hand what an open source project the size of Mozilla is saying about its effectiveness
<ixr3:matrix.org> @syntheticbird: It found 1 high severity and 2 medium severity vulnerabilities.
mozilla.org/en-US/security/advisories/mfsa2026-30
<ixr3:matrix.org> Nothing significant
<syntheticbird> If anything a security critical project must show skepticism and seriousness when it comes to security related matters. I know that what I am saying right now is in the great legacy of others here who have expressed hatred against AI generated reports. None of what I am saying here is meant to dismiss the possibility for [... too long, see mrelay.p2pool.observer/e/_Lff9_sKZVA4TG1O ]
<syntheticbird> 1. I'm waiting for serious evidence of what has been claimed because so far we just have big meaningless numbers. Most of the AI reports the H1 team and other projects get are bogus and slop. That's why Mythos' claims sound extraordinary and therefore require extraordinary proof.
<syntheticbird> 2. This one is purely opinionated, I have zero trust in mozilla corporation. They have for a very long time been subject to financial dependence and have shown a lot of tomfuckery when it comes to how they handle their own employees.
<syntheticbird> @ixr3:matrix.org: Thank you. That indeed makes more sense
<syntheticbird> In 271 vulnerabilities, only 3 were of significance.
<syntheticbird> That makes the claim fall from extraordinary to within the expectations of AI tools
<ixr3:matrix.org> @syntheticbird: Yes. While other humans found many more
<syntheticbird> that only reinforces my hatred towards the way this article has been written to suggest an epic groundbreaking discovery in software security
<syntheticbird> saying zero-days is just appealing to the public because people imagine an RCE or LPE upon hearing it
<monero.arbo:matrix.org> well this is a bit of a tangent but I am aware mozilla has generated a lot of ill will, still I have a soft spot for them because they seem like the only thing standing between us and everything being chromium based
<monero.arbo:matrix.org> on topic, I gotta say that while most individual vulnerabilities might not be that big, a bunch of smaller ones can potentially be chained together into something bigger
<monero.arbo:matrix.org> anyway, I just don't want us to find out that these tools are effective by being exploited by a group using one. not ideal.
<syntheticbird> @monero.arbo:matrix.org: Servo and ladybird are very far from being on par with Gecko or Chromium. I indeed share that frustration
<syntheticbird> @monero.arbo:matrix.org: If we talk about browsers in particular, you will never find someone selling a single vulnerability. They always sell an exploit chain, which is extremely rare to pull off and so far, in browsers again, is limited to a few versions most of the time
<ixr3:matrix.org> @monero.arbo:matrix.org: In that case, some should have been marked as higher severity.
<syntheticbird> just to say that even if people discover single vulnerabilities in browsers they aren't particularly gonna communicate or trade them unless they pull up an entire chain.
<monero.arbo:matrix.org> for sure
<syntheticbird> people = malicious actor
<syntheticbird> @ixr3:matrix.org: nah. CVSS scoring is broken for this
<syntheticbird> Either you follow the criteria or you don't
<syntheticbird> but you can perfectly get a sandbox escape and code execution with medium severity vulnerabilities only
<syntheticbird> this is critical in practice, but not in CVSS criteria
<syntheticbird> the scope is playing a lot in the score
<ixr3:matrix.org> Mozilla does increase the severity if it's chainable if I'm right > <@syntheticbird> nah. CVSS scoring is broken for this
<syntheticbird> @ixr3:matrix.org: I'll take your word for it. Didn't know they were a CVE authority
<ixr3:matrix.org> They mention it in that case
<ixr3:matrix.org> I follow each CVE of mozilla
<hinto> > <@monero.arbo:matrix.org> well this is a bit of a tangent but I am aware mozilla has generated a lot of ill will, still I have a soft spot for them because they seem like the only thing standing between us and everything being chromium based
<hinto> there is a pattern of relatively much smaller orgs that de facto uphold certain values being easy scapegoats for the very communities that benefit from them, almost as if all industry problems are pinned on them
<syntheticbird> i hate tribalism
<syntheticbird> @hinto: i agree with that statement but is it a pattern you have observed on your own, does it have a name?
<syntheticbird> if this is studied in a field then that's a topic i would like to know more about
<ixr3:matrix.org> I don't understand why Mozilla is promoting Mythos at the expense of their own brand. Calling 271 vulnerabilities when only three are significant. > <@monero.arbo:matrix.org> re: Claude Mythos preview
blog.mozilla.org/en/firefox/ai-security-zero-day-vulnerabilities
<jpk68:matrix.org> Even by Mozilla's own admission, the exploits were nothing that couldn't have been found by a human researcher > <@monero.arbo:matrix.org> Nothing you said is wrong per se but I don't think any of it amounts to a good reason to dismiss out of hand what an open source project the size of Mozilla is saying about its effectiveness
<ixr3:matrix.org> @ixr3:matrix.org: Listing 271 sounds alarming. It doesn't make users feel any safer.
<syntheticbird> @ixr3:matrix.org: you would be surprised
<syntheticbird> most people are updooters
<syntheticbird> the more zero days patched the safer they feel
<syntheticbird> while this should actually be the opposite
<ixr3:matrix.org> @syntheticbird: Yes hahahaha
<syntheticbird> they don't have the concept of attack surface and they don't intuitively understand that each new version brings its share of new vulnerabilities
<jpk68:matrix.org> Ladybird has improved a lot recently... two weeks ago it had a bunch of rendering issues with SVG graphics on the beta site, but it's seemingly all fixed now > <@syntheticbird> Servo and ladybird are very far from being on par with Gecko or Chromium. I indeed share that frustration
<jpk68:matrix.org> *the beta Monero site
<syntheticbird> nice. I should try it out then
<jpk68:matrix.org> You have to build it from source still (including vendored ffmpeg and Skia, lol)
<jpk68:matrix.org> It takes like an hour
<ixr3:matrix.org> I'm not dismissing AI security concerns. I'd like Mythos to scan the Monero code, but I dislike the marketing around it. Humans are still far better > <@monero.arbo:matrix.org> honestly find this take dangerously dismissive and if anything it reinforces my fear that people here are writing off AI security concerns with undue confidence
<monero.arbo:matrix.org> @ixr3:matrix.org: fair take for sure
<monero.arbo:matrix.org> yeah that's very notable, it's just that the available man-hours to hunt for them didn't really exist. hence why they hadn't been found before > <@jpk68:matrix.org> Even by Mozilla's own admission, the exploits were nothing that couldn't have been found by a human researcher
<boog900> @vtnerd:monero.social: do you know if it is normal for stem txs to group up in a single message? AFAIK they should be sent as soon as you receive one so they shouldn't bunch up.
<boog900> I have nodes sending me 10s or 100s of stem txs in a single message and my node knows them all already
<vtnerd> independent, exponential delays to its neighbors on the P2P graph."
<vtnerd> I interpreted this to mean there should be bulk transmits, to confuse receive order (the txes should be sorted), but realistically this could be interpreted to mean each connection AND each tx has an independent timer
<vtnerd> I recall Bitcoin implementing it the way monero does now, but it's possible I botched this somehow
<vtnerd> Unfortunately diffusion was basically defined as "whatever Bitcoin happens to be doing right now"
<boog900> That's for fluff though right, these are txs sent in stem state
<vtnerd> Oh stem, sorry, it should be immediate, let me double check
<vtnerd> The only time this should occur is when a node receives multiple from a stem. I.e. a node received 2 in one shot via stem, then the current algorithm will forward both in one shot via stem
<vtnerd> But it otherwise wouldn't occur naturally. A spy node could be interfering with this process, which you would notice indirectly or directly
<boog900> So someone has custom code crafting these messages, that's worrying.
<vtnerd> Yes, that's my guess
<syntheticbird> There is a new node impl in town?
<syntheticbird> Awesome
<vtnerd> Technically the spies were just that ...?
<boog900> I think we should add a check that ignores stem messages which have more than 1 tx.
<syntheticbird> we don't know
<syntheticbird> it's modified monerod for sure
<syntheticbird> and proxies written in java
<boog900> They probably are abusing this somehow to work out the stem graph
<syntheticbird> but not a full reimpl of a node
<vtnerd> Yeah it might leak data somehow, have to think about it
<boog900> Multiple IPS are doing this fwiw but it doesn't happen all the time
<syntheticbird> IPS ?
<syntheticbird> ip subnet?
<boog900> IPs
<boog900> Nah just singles
<ofrnxmr:xmr.mx> Plural form of IP
<syntheticbird> thanks ofrn
<vtnerd> Possible, but we'd probably need to update rpc to forward one at a time just in case > <@boog900> I think we should add a check that ignores stem messages which have more than 1 tx.
<vtnerd> Http rpc used by wallet
<syntheticbird> by updating rpc, you mean the endpoint?
<syntheticbird> you can't just buffer them and send them sequentially?
<vtnerd> Yes, it's just that if it allows 2+ now (I'd have to check to verify), we could temporarily block some legit cases as the nodes roll out
<vtnerd> It'd be rare to the point of being practically irrelevant though
br-m
<vtnerd> Oh I just thought of one case!
-
br-m
<ofrnxmr:xmr.mx> Relay fails and it re-attemots after n minutes?
-
br-m
<vtnerd> If the TX is received over tor/i2p is randomly delayed, so these might be grouped because of that
-
br-m
<ofrnxmr:xmr.mx> txs coming from anonymous-inbound?
-
br-m
<vtnerd> Yup, it's either custom nodes or tor/i2p
-
br-m
<vtnerd> I decided to add a randomized delay to txes received over tor/i2p, and that delay is only to the seconds granularity, checked once a second
-
br-m
<ofrnxmr:xmr.mx> If its 100s, and boog already has them, i think custom
-
br-m
<ofrnxmr:xmr.mx> 100s of txs, not 100 seconds*
-
br-m
<boog900> @vtnerd: hmm yeah, I wonder if that itself is a data leak
-
br-m
<boog900> like we know these txs were all sent over Tor
-
br-m
<boog900> and the nodes txs it creates itself will be sent as singles
-
br-m
<boog900> and yeah I would be surprised at so many txs going over a single Tor node at pretty much the same time
-
br-m
<ofrnxmr:xmr.mx> if you already have the txs, for them to arrive on an anonymous-inbound, theyd have to come from a tx-proxy, which means youd have to have a hundred txs sent to rpc -> relayed to a single node over tx-proxy -> delayed AND somehow already had seen them on your own node
-
br-m
<ofrnxmr:xmr.mx> Sounds like it must be a custom node
-
br-m
<ixr3:matrix.org> You’ve made important discoveries in the past and now. I'm glad BinaryFate chose to fund you through the GF > <@boog900> I have nodes sending me 10s or 100s of stem txs in a single message and my node knows them all already
-
br-m
<elongated:matrix.org> How are zcash shielded txs around 3k while fcmp will be 10k+ ?
-
br-m
<jeffro256> Where did you get 3k from ?
-
br-m
<jeffro256> Try 9k
-
br-m
-
br-m
<jeffro256> This is a 2 "action" tx, which is the size for a 1-in/2-out tx. It's 9165 bytes
-
br-m
<jeffro256> Granted, ~1000 of those bytes are for encrypted memos IIRC