12:19:39 re: Claude Mythos preview https://blog.mozilla.org/en/firefox/ai-security-zero-day-vulnerabilities/
12:32:42 @monero.arbo:matrix.org: tl;dr corporate mozilla bullshit about how they really care about security.
12:32:42 There is nothing in this that permits someone to distinguish between a groundbreaking AI vulnerability assessment or the Firefox codebase being utter garbage
12:34:34 nothing about the severity of the vulnerabilities has been disclosed
12:34:44 nothing about when these vulnerabilities will be disclosed
12:35:01 so much for a company that markets on transparency
12:51:17 Come on. It's 100% transparent. You're looking at it and not even seeing it.
13:15:26 moneromooo: https://mrelay.p2pool.observer/m/monero.social/ugcVvmaFcUcDvZZHmQAwxxws.png (image.png)
13:48:29 honestly find this take dangerously dismissive and if anything it reinforces my fear that people here are writing off AI security concerns with undue confidence
> <@syntheticbird> tl;dr corporate mozilla bullshit about how they really care about security.
13:49:54 Nothing you said is wrong per se but I don't think any of it amounts to a good reason to dismiss out of hand what an open source project the size of Mozilla is saying about its effectiveness
13:53:53 @syntheticbird: It found 1 high severity and 2 medium severity vulnerabilities. https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/
13:54:23 Nothing significant
13:54:29 If anything a security critical project must show skepticism about and seriousness when it comes to security related matters. I know that what I am saying right now is in the great legacy of others here who have expressed hatred against AI generated reports. None of what I am saying here is meant to dismiss the possibility for [... too long, see https://mrelay.p2pool.observer/e/_Lff9_sKZVA4TG1O ]
13:54:29 1. I'm awaiting serious evidence of what has been claimed because so far we just have big meaningless numbers.
Most of the AI reports the H1 team gets and other projects are bogus and slop. That's why Mythos' claims sound extraordinary and therefore require extraordinary proofs.
13:54:29 2. This one is purely opinionated, I have zero trust in mozilla corporation. They have for a very long time been subject to financial dependence and have shown a lot of tomfuckery when it comes to how they handle their own employees.
13:56:15 @ixr3:matrix.org: Thank you. That indeed makes more sense
13:56:41 In 271 vulnerabilities, only 3 were of significance.
13:57:02 That makes the claim fall from extraordinary to within the expectation of AI tools
13:57:22 @syntheticbird: Yes. While other humans found many more
13:57:31 that only reinforces my hatred towards the way this article has been written to suggest an epic groundbreaking discovery in software security
13:58:23 saying zero-days is just appealing to the public because people imagine an RCE or LPE upon hearing it
13:58:24 well this is a bit of a tangent but I am aware mozilla has generated a lot of ill will, still I have a soft spot for them because they seem like the only thing standing between us and everything being chromium based
13:59:13 on topic, I gotta say that while most individual vulnerabilities might not be that big, a bunch of smaller ones can potentially be chained together into something bigger
14:00:20 anyway, I just don't want us to find out that these tools are effective by being exploited by a group using one. not ideal.
14:00:27 @monero.arbo:matrix.org: Servo and ladybird are very far from being on par with Gecko or Chromium. I indeed share that frustration
14:01:50 @monero.arbo:matrix.org: If we talk about browsers in particular. You will never find someone selling a single vulnerability.
They always sell an exploit chain, which is extremely rare to pull off and so far, in browsers again, are limited to a few versions most of the time
14:01:52 @monero.arbo:matrix.org: In that case, some should have been marked as higher severity.
14:02:27 just to say that even if people discover single vulnerabilities in browsers they aren't particularly gonna communicate or trade them unless they pull up an entire chain.
14:02:30 for sure
14:02:43 people = malicious actor
14:03:09 @ixr3:matrix.org: nah. CVSS scoring is broken for this
14:03:25 Either you follow the criteria or you don't
14:03:46 but you can perfectly get a sandbox escape and code execution with medium severity vulnerabilities only
14:03:58 this is critical in practice, but not in cvss criteria
14:04:23 the scope is playing a lot in the score
14:04:45 Mozilla does increase the severity if it's chainable if I'm right
> <@syntheticbird> nah. CVSS scoring is broken for this
14:05:10 @ixr3:matrix.org: I'll take your word for it. Didn't know they were a CVE authority
14:05:19 They mention it in that case
14:05:26 I follow each CVE of mozilla
14:07:16 > <@monero.arbo:matrix.org> well this is a bit of a tangent but I am aware mozilla has generated a lot of ill will, still I have a soft spot for them because they seem like the only thing standing between us and everything being chromium based
14:07:16 there is a pattern of relatively much smaller orgs that de facto uphold certain values being easy scapegoats for the very communities that benefit from them, almost as if all industry problems are pinned on them
14:08:19 i hate tribalism
14:08:47 @hinto: i agree with that statement but is it a pattern you have observed on your own, does it have a name ?
14:09:27 if this is studied in a field then that's a topic i would like to know more about
14:11:55 I don't understand why Mozilla is promoting Mythos at the expense of their own brand. Calling 271 vulnerabilities when only three are significant.
> <@monero.arbo:matrix.org> re: Claude Mythos preview https://blog.mozilla.org/en/firefox/ai-security-zero-day-vulnerabilities/
14:12:40 Even by Mozilla's own admission, the exploits were nothing that couldn't have been found by a human researcher
> <@monero.arbo:matrix.org> Nothing you said is wrong per se but I don't think any of it amounts to a good reason to dismiss out of hand what an open source project the size of Mozilla is saying about its effectiveness
14:12:58 @ixr3:matrix.org: Listing 271 sounds alarming. It doesn't make users feel any safer.
14:13:12 @ixr3:matrix.org: you would be surprised
14:13:25 most people are updooters
14:13:34 the more zero days patched the safer they feel
14:13:37 while this should actually be the opposite
14:14:03 @syntheticbird: Yes hahahaha
14:14:05 they don't have the concept of attack surface and they don't intuitively understand that each new version brings its lot of new vulnerabilities
14:14:53 Ladybird has improved a lot recently... two weeks ago it had a bunch of rendering issues with SVG graphics on the beta site, but it's seemingly all fixed now
> <@syntheticbird> Servo and ladybird are very far from being on par with Gecko or Chromium. I indeed share that frustration
14:15:12 *the beta Monero site
14:15:30 nice. I should try it out then
14:17:04 You have to build it from source still (including vendored ffmpeg and Skia, lol)
14:17:15 It takes like an hour
14:18:15 I'm not dismissing AI security concerns. I'd like Mythos to scan the Monero code, but I dislike the marketing around it. Humans are still far better
> <@monero.arbo:matrix.org> honestly find this take dangerously dismissive and if anything it reinforces my fear that people here are writing off AI security concerns with undue confidence
15:01:04 @ixr3:matrix.org: fair take for sure
15:03:00 yeah that's very notable, it's just that the available man-hours to hunt for them didn't really exist.
hence why they hadn't been found before
> <@jpk68:matrix.org> Even by Mozilla's own admission, the exploits were nothing that couldn't have been found by a human researcher
15:24:46 @vtnerd:monero.social: do you know if it is normal for stem txs to group up in a single message, AFAIK they should be sent as soon as you receive one so they shouldn't bunch up.
15:27:29 I have nodes sending me 10s or 100s of stem txs in a single message and my node knows them all already
15:53:04 independent, exponential delays to its neighbors on the P2P graph."
15:54:22 I interpreted this to mean there should be bulk transmits, to confuse receive order (the txes should be sorted), but realistically this could be interpreted to mean each connection AND each tx has an independent timer
15:55:08 I recall Bitcoin implementing it the way monero does now, but it's possible I botched this somehow
15:56:34 Unfortunately diffusion was basically defined as "whatever Bitcoin happens to be doing right now"
15:58:13 That's for fluff though right, these are txs sent in stem state
16:01:40 Oh stem, sorry, it should be immediate, let me double check
16:04:16 The only time this should occur is when a node receives multiple from a stem. I.e. a node received 2 in one shot via stem, then the current algorithm will forward both in one shot via stem
16:05:04 But it otherwise wouldn't occur naturally. A spy node could be interfering with this process, which you would notice indirectly or directly
16:05:06 So someone has custom code crafting these messages, that's worrying.
16:05:16 Yes, that's my guess
16:05:19 There is a new node impl in town ?
16:05:31 Awesome
16:05:43 Technically the spies were just that ...?
16:05:50 I think we should add a check that ignores stem messages which have more than 1 tx.
16:05:59 we don't know
16:06:01 it's modified monerod for sure
16:06:08 and proxies written in java
16:06:13 They probably are abusing this somehow to work out the stem graph
16:06:18 but not a full reimpl of a node
16:06:43 Yeah it might leak data somehow, have to think about it
16:07:31 Multiple IPS are doing this fwiw but it doesn't happen all the time
16:07:55 IPS ?
16:08:01 ip subnet?
16:08:16 IPs
16:08:27 Nah just singles
16:08:27 Plural form of IP
16:08:42 thanks ofrn
16:12:53 Possible, but we'd probably need to update rpc to forward one at a time just in case
> <@boog900> I think we should add a check that ignores stem messages which have more than 1 tx.
16:13:23 Http rpc used by wallet
16:13:25 by updating rpc, you mean the endpoint ?
16:13:43 you can't just buffer them and send them sequentially ?
16:14:33 Yes, it's just that if it allows 2+ now (I'd have to check to verify), we could temporarily block some legit cases as the nodes roll out
16:14:50 It'd be rare to the point of being practically irrelevant though
16:15:03 Oh I just thought of one case!
16:15:25 Relay fails and it re-attempts after n minutes?
16:15:27 If the TX is received over tor/i2p it is randomly delayed, so these might be grouped because of that
16:16:14 txs coming from anonymous-inbound?
16:20:22 Yup, it's either custom nodes or tor/i2p
16:22:10 I decided to add a randomized delay to txes received over tor/i2p, and that delay is only to the seconds granularity, checked once a second
16:22:49 If it's 100s, and boog already has them, i think custom
16:23:25 100s of txs, not 100 seconds*
16:46:49 @vtnerd: hmm yeah, I wonder if that itself is a data leak
16:47:49 like we know these txs were all sent over Tor
16:48:15 and the node's txs it creates itself will be sent as singles
16:49:22 and yeah I would be surprised at so many txs going over a single Tor node at pretty much the same time
16:55:52 if you already have the txs, for them to arrive on an anonymous-inbound, they'd have to come from a tx-proxy, which means you'd have to have a hundred txs sent to rpc -> relayed to a single node over tx-proxy -> delayed AND somehow already had seen them on your own node
16:55:58 Sounds like it must be a custom node
17:17:35 You've made important discoveries in the past and now. I'm glad BinaryFate chose to fund you through the GF
> <@boog900> I have nodes sending me 10s or 100s of stem txs in a single message and my node knows them all already
23:44:56 How are zcash shielded txs around 3k while fcmp will be 10k+ ?
23:54:02 Where did you get 3k from ?
23:54:56 Try 9k
23:55:21 https://mainnet.zcashexplorer.app/transactions/59b9dbac637e34068200ad503bdc7e57a227433a3286fb5d81058f5a1cbf3cff
23:56:16 This is a 2 "action" tx, which is the size for a 1-in/2-out tx. It's 9165 bytes
23:59:13 Granted, ~1000 of those bytes are for encrypted memos IIRC