Anthropic is committing up to $100M in usage credits for Mythos Preview across these efforts, as well as $4M in direct donations to open-source security organizations.
令人惊讶的是:Anthropic为Project Glasswing项目投入了高达1亿美元的模型使用积分和400万美元的直接捐款,用于支持开源安全组织。这种大规模的资金投入反映了AI安全威胁的严重性和解决这一问题的紧迫性。
Being open source is increasingly like giving attackers the blueprints to the vault. When the structure is fully visible, it becomes much easier to identify weaknesses and exploit them.
令人惊讶的是:作者将开源软件比作给攻击者提供保险库蓝图,这种比喻揭示了开源与安全之间的根本矛盾。在AI时代,完全可见的代码结构使弱点识别变得前所未有的容易,这挑战了传统上认为开源更安全的观念。
AI uncovered a 27-year-old vulnerability in the BSD kernel, one of the most widely used and security-focused open source projects, and generated working exploits in a matter of hours.
令人惊讶的是:AI能够在几小时内发现并利用一个存在了27年的BSD内核漏洞,这展示了AI在安全领域的惊人能力。这个事实揭示了传统安全审计方法在面对AI加速攻击时的脆弱性,即使是像BSD这样经过长期审查的开源项目也无法幸免。
In the past, security expertise has been a luxury reserved for organizations with large security teams. Open source maintainers—whose software underpins much of the world's critical infrastructure—have historically been left to figure out security on their own.
大多数人认为开源社区有足够的安全能力和资源来维护关键基础设施。但作者明确指出开源维护者一直被单独应对安全问题,暗示了开源安全状况比普遍认为的要脆弱得多。
What is Open source security?
Open Source Advantages and Risk Profile · 96% of applications include some form of OSS · 67% of applications contain open source vulnerabilities · 90% of software ...
Learn how to detect vulnerable open source components and keep your products secure.
The Dangers of Open-Source Vulnerabilities, and What You Can Do About It
here is my set of best practices.I review libraries before adding them to my project. This involves skimming the code or reading it in its entirety if short, skimming the list of its dependencies, and making some quality judgements on liveliness, reliability, and maintainability in case I need to fix things myself. Note that length isn't a factor on its own, but may figure into some of these other estimates. I have on occasion pasted short modules directly into my code because I didn't think their recursive dependencies were justified.I then pin the library version and all of its dependencies with npm-shrinkwrap.Periodically, or when I need specific changes, I use npm-check to review updates. Here, I actually do look at all the changes since my pinned version, through a combination of change and commit logs. I make the call on whether the fixes and improvements outweigh the risk of updating; usually the changes are trivial and the answer is yes, so I update, shrinkwrap, skim the diff, done.I prefer not to pull in dependencies at deploy time, since I don't need the headache of github or npm being down when I need to deploy, and production machines may not have external internet access, let alone toolchains for compiling binary modules. Npm-pack followed by npm-install of the tarball is your friend here, and gets you pretty close to 100% reproducible deploys and rollbacks.This list intentionally has lots of judgement calls and few absolute rules. I don't follow all of them for all of my projects, but it is what I would consider a reasonable process for things that matter.
Open Source prevents backdoors. You can have a look at its source code and compile it yourself.
The EFF offers non-cash rewards (public acknowledgement, EFF gear, or EFF memberships) for finding bugs or vulnerabilities in their software or server configurations.