FRESH

Hacker News

Home

NSA director: 'Mythos "broke into almost all of our classified systems in hours"

113 points by ricksunny

by mrandish

2 subcomments

This quote from TFA is highly likely to be a conflation, exaggeration or extrapolation of what actually happened:
> "On June 11th Mark Warner, the vice-chair of the Senate Intelligence Committee, said that General Joshua Rudd, who leads the National Security Agency and the Pentagon’s Cyber Command, had told him that Mythos “broke into almost all of our classified systems, not in weeks, but in hours”"
Why:
1. It's a paraphrase of a 2nd hand conversation and (at least) the last two 'telephone game' recipients are a U.S. Senator and a general, not security domain or IT experts. 2. Motivated communication: The Senator claimed this to justify the necessity of unprecedented restrictions that he agrees with. 3. The original testimony to the Intelligence Committee was almost certainly detailed, nuanced and highly classified, making this an extreme paraphrase.
In saying this, I'm not claiming Mythos may not be a security issue or that something directionally like this wasn't reported. But given the indirect, circuitous path, it's quite easy to imagine the original testimony was more like "Mythos identified a potential vulnerability we rated "Severe" in a critical system and we believe it could find similar vulnerabilities in any of our systems."

by mirekrusin

2 subcomments

If mythos can break into almost all of their classified systems in hours then other models including opus, gpt, gemini and large open weight models can do so as well, maybe you'll have to double hours or it may become days, but they also will, there is no "maybe" in here.
State sponsored, non-public penetration fine tunes (of possibly public ones) likely can do it even faster.
Unsupervised penetration RL loop is ideal setup similar to optimization one – it's relatively easy to gain function on it.

by mikewarot

2 subcomments

It's sad that they did the research[1] and solved computer security about 40 years ago[2], and then proceeded to lose that hard won knowledge over time.
[1] https://csrc.nist.rip/publications/history/index_1.html
[2] https://en.wikipedia.org/wiki/KeyKOS

by vsgherzi

3 subcomments

This is really making me raise an eyebrow. I’m sure mythos is an improvement for sure. I don’t think the framing of it hacked the entire NSA is fully truthful. I’d like a more in depth understanding of what actually happened. Excited to be proved wrong tho!

by AngryData

1 subcomments

Not surprised, our security systems are 95% security through obscurity these days. Mythos didn't find new ways to break security, it just went down the list of common security exploits and exposed them for being common even among government agencies.

by protocolture

1 subcomments

>On June 11th Mark Warner, the vice-chair of the Senate Intelligence Committee, said that General Joshua Rudd, who leads the National Security Agency and the Pentagon’s Cyber Command, had told him that Mythos “broke into almost all of our classified systems, not in weeks, but in hours”.
From outside? Or did you have a shit ton of unpatched systems that only internal users could access?

by scotty79

0 subcomment

If I were to guess, internally they have as sloppy security as any other corp/organization. And those were the things Mythos effortlessly poked holes in. Other models would probably as well, but Antropic hyping gave NSA the idea to try. The shell around those internal systems is probably as (im)penetrable as ever because it's just some flavor of hardened and bare bones linux.

by ggm

0 subcomment

I made a point about this in relation to anthropic last week: nobody inside the strategic information spaces is worried about AGI they're worried about core strategic information leaking out. Either it's in the model, or the model exposes pathways to finding it in the core strategic systems.
Those "tapes" DOGE took away? Nothing on them can be considered private any more. That's how brute force risk happens. Mythos' risks are showing doorways to exfiltration surely? Why bother when you can walk out the door with a data dump?
The NSA is just a highly specific subclass of the problem. Their traditional publicly stated approach to security is "nothing electronic which enters our domain leaves" and yet somehow they have assessed these systems as capable of breaching their walls? That's super bad.
I suspect they ran an analogue/instance inside their protection rings. I doubt they ran a test outside in the global internet. If they have actually lost control of their boundary, that's a bigger story (which I doubt) and contextually he could have been referring to information systems in NSAs duty of care, not things inside Ft Meade.

by CobaltFire

2 subcomments

Not a surprise. I got in a LOT of trouble for identifying and outlining a trivial privilege escalation attack that worked on both NIPR and SIPR.
In the end I got to help write up the issue but to my knowledge they never patched it as it would have caused major issues with maintenance by closing off access needed for some legacy software patches.

by chaitanyya

1 subcomments

How much of it is just exposing poor engineering practices people got away with because it was not economically viable earlier to spend human hours to exploit a system?
Not taking a dig at people, it was not a terrible choice earlier. Not like these models are inventing net new ways to exploit systems.

by infinite_spin

0 subcomment

It's important to point out that it's not necessarily the underlying model, but also the harness, which is the real wagon in this race

by ggm

1 subcomments

https://archive.is/aA1dB

by BobbyTables2

0 subcomment

And to think we’d used to mock the National Enquirer and other tabloids for ridiculous headlines.
I think we owe tabloids a small apology…

by Jamesbeam

1 subcomments

Have to give it to Cyber Command. This is cheap and effective propAIganda.
Of course, America is now the only nation on the planet with advanced weaponised AI models that are so good they beat billions of dollars and decades of IT security experience with some of the brightest minds in their fields within hours.
If this were true, you’d see the president yapping and bragging about it on Truth before the NSA director even gets a chance to publicly talk about it. Probably doing a live stream about how he personally prompts his way into an unconditional Iranian surrender. You know it, I know it.
Nice try, William, but unless I see the Senate Intelligence Committee freaking out with you sweating black goo like Giuliani, I ain’t believing it.
This is the same kind of bullshit that was showing a gun on TV that could apparently give people heart attacks with some frozen, untraceable darts.
If the US really was in possession of a technology that could hack into the most secure environments on the planet autonomously within hours, you would see all their partners pulling their access from shared IT systems and blocking all traffic coming from the US immediately.
Especially considering they have been caught spying on allies before:
https://www.spiegel.de/international/germany/cover-story-how...
You know what they say in intelligence circles.
Fool us once, shame on you. Fool us twice, it's open windows season.
None of the partners or adversaries seem to give a fuck about Mythos, so there is a good chance this is just another lying NSA director as usual.
Come on, people. You don’t run the NSA if you’re an honest man. It’s a spy agency.

by MaxPock

5 subcomments

What happens when open source models achieve Mythos level capabilities in six months' time?

by georgehotz

0 subcomment

lol so how long have the Chinese had access for? this doesn't make Mythos look good, it makes the NSA look bad

by michelb

0 subcomment

Is this a fabrication to justify the blocking after the fact?

by instagib

1 subcomments

https://archive.ph/dXddV
“Donald Trump’s blocking of Anthropic is capricious and chaotic” - current title
I don’t understand the posted title quote and assume it’s missing a lot of context or was misinterpreted as it’s a secondary attribution. “Mythos broke into almost all of our classified systems in hours”.
When you put it on those networks already and gave it compute?

by Ekaros

0 subcomment

I also question do they even need AI? If "almost all" refers to many systems in general. How many of those are human exploitable? Or known vulnerable... Depending on number and importance even say 10% would be very bad...

by harrouet

0 subcomment

IMHO it tells more about the "classified systems" than about Mythos.

by nacozarina

0 subcomment

This soundbite is pure narrative. Most of the security of hi-side systems was simply being air-gapped. It is otherwise full of COTS software, much of it quite dated. You don’t need a fancy widget to break into them, simple access for a competent pen-tester is adequate. Don’t treat the fear-mongering as a scientific revelation; it ain’t.

by Humorist2290

1 subcomments

It must be a wild time in the corporate espionage world these days. The annual operating budget of the CIA is like 20B. That's a rounding error compared to the burn rates of these labs.
Maybe it's conspiratorial, but it seems like the direction this is going is for the US to nationalize these companies. Somewhere between "too big to fail" and "national security."

by maxrev17

0 subcomment

So you could basically harm the US financially by using copilot, claude, ChatGPT to do the same thing as they’d have to ‘ban’ it. Hmmm xaomi, you’re up!!!

by throw1234567891

0 subcomment

Through VPNs and their private hardware? This speaks poorly of their systems.

by throawayonthe

1 subcomments

why would you... say this

by ForHackernews

1 subcomments

What are the chances this is a fun honeypot the NSA has set up to get adversaries pointing their best LLMs at NSA systems and suss out their capabilities?

by ionwake

2 subcomments

Not being funny but does most of HN subscribe to the economist? I dont think ive ever paid for an online newspaper ( and Im not trying to be edgy )

by Simulacra

1 subcomments

Actual title "Donald Trump’s blocking of Anthropic is capricious and chaotic"

0 subcomment

by bel8

1 subcomments

HN post title does not match link title
> NSA director: 'Mythos "broke into almost all of our classified systems in hours"
> Donald Trump’s blocking of Anthropic is capricious and chaotic

0 subcomment

by rajsuper123

0 subcomment

what is the use of Submitting this news/report here if it's behind a paywall/login

0 subcomment

by Trialog

0 subcomment

[dead]

by ricksunny

1 subcomments

flagged because reasons. @dang

by DiabloD3

0 subcomment

If the NSA director said this, literally and verbatim, then him, and maybe several of his predecessors, should be remembered as the worst directors the NSA has ever had.
LLMs cannot create anything new, they can only repeat their training data. Ergo, the NSA director just admitted that their systems a) can be accessed from the Internet, b) have known, already exploitable (and probably already fixed) bugs, and enough of them to do the job in mere hours.
This is shameful.
Edit: From what I can tell, the NSA director didn't literally and verbatim say this, and it is second hand and (possibly) vastly misconstrued.
Somebody lied, I'm not sure who, but any claim Mythos can suddenly work, when every LLM before it couldn't, needs to be taken with a gigantic supermassive grain of salt.