Skipping over the cringe writing style, I really don't get the hate on Anthropic here. What would people want from them? Not disclose? Not name names? I'm confused how that would move the field forward.
At the very least, this whole incident is ironic in that a chinese threat actor used claude instead of the myriad of claude killers released in china every other week.
At another level this whole thing opens up a discussion about security, automated audits and so on. The entire industry lacks security experts. In eu we have a deficit, from bodies in SOCs to pen-testers. We definitely could use all the help we can get. If we go past the first wave of "people submit bullshit AI generated reports" (which, for anyone that has ever handled a project on h1 or equivalent, is absolutely nothing new - it's just that in the past the reports were both bullshit and badly written), then we get to the point where automated security audits become feasible. Don't value "reports", value "ctf-like" exercises, where agents "hunt" for stuff in your network. The results are easily verified.
I'll end on this idea that I haven't seen mentioned on the other thread that got popular yesterday: for all the doomerism that's out there regarding vibe coding and how insecure it is, and how humans will earn a pay check for years fixing vibe coded projects, here we have a bunch of companies with presumably human devs, that just got pwned by an AI script kiddie. Womp womp.
They probably used Claude because that way they don’t get blocked as fast. Websites trust Claude more. And why not use the foreign tools against themselves at presumably discounted rates (see AI losses) rather than burn your own GPU’s and IP’s.
1000’s of calls per second? That’s a lot of traffic. Hide it in Claude which is already doing that kind of thing 24/7. Wait until someone uses all models at the same time to hide the overall traffic patterns and security implications. Or have AI’s driving botnets. Or steal a few hundred enterprise logins and hide the traffic that is presumably not being logged because privacy and compliance.
Disagree. I think you mean "cheap experts", in which case I withdraw.
The most talented security professionals I've seen so far are from Europe. But they get paid dirt by comparison to the US.
Here in the US as well, for over a decade now there is this cry about "skills shortage". Plenty of skilled people. But companies want to pay them dirt, have them show up to in person offices, and pass drug tests. I'm sure they'll add degrees to that list as well soon. It's a game as old as time.
The reality is that infosec is flooded with entry level people right now, and many of them are talented. Pay is decreasing, even in the US. EU, EMEA, Latin America will hurt even more as a result in the long term.
Security isn't revenue generating unless you're a security company, so companies in general want security but they want it cheap. They want cheap tools and cheap people. That's what they mean by skills shortage, there isn't an actual skill shortage. They think infosec professionals should get paid a little bit higher than help desk. Of course, there are many exceptions, places that are flexible and pay well (heck, just flexible only even!) are being flooded with resumes from actual humans.
Infosec certification costs are soaring because of the spike in demand. next to compsci, "cyber security" is the easy way to make a fortune (or so the rumor goes), and fresh grads looking for a good job are in for a shock.
> here we have a bunch of companies with presumably human devs, that just got pwned by an AI script kiddie. Womp womp.
What's your point? You don't need AI, companies get pwned by script kiddies buying $30 malware on telegram all the time. despite paying millions for security tools/agents and people.
Huh, been offering VP level security roles for months with a pretty good package (certainly not dirt) and all we get are junior applicants with 4 years or less experience of work.
So yeah, maybe we need to offer even more - but it's not far off what I make after 30+ years in the industry. Expectations for pay seem to be very high even for people only just out of college.
> Expectations for pay seem to be very high even for people only just out of college.
Darn kids get off my lawn!
But yes, you're right. Salary expectations are surprisingly high considering how little fresh grads bring to the table!
We're talking huge amounts of training just to get to a basic level of competency, especially since most CS degrees are focused on things that were cool five years ago (or much, much longer).
This is the age-old tale, though, but now time is compressed and we need people to hit the ground running much, much faster.
I won't ask you the salary, but for example, $100k was for experienced security professionals not too many years ago. Now it's almost laughable for entry level.
The cost of living, mortgage rates, house prices, rent has all gone up. But not only that, COVID inflated the currency really badly. Even at normal inflation rates, $100k would be the low-end for entry-level by now, you can imagine what inflation has done to it now.
The title you mentioned doesn't tell much so I can't speculate. For Fortune 1000's or well funded startups, I wouldn't expect any less than $250k/yr at the low end for a VP level security role. But if you're in finance, everyone is a VP of something, so it's more like a mid-level experienced person's role (closer to $200k). If you're requiring they show up to the office, add 30%, if it isn't hybrid but full on RTO, 50%.
Also, most skilled security professionals spent lots of time and energy into their tradecraft. They wouldn't want to be a manager that just attends meetings. You're better off with someone that has strong leadership experience and knows enough infosec to discern b.s..
Again, if they start calling the hacking groups something really embarrassing, like xXxDragonPimp6969xXx, then maybe we'd just have a bit more something when discussing their actions.
> What would people want from them? Not disclose? Not name names?
I'd say AI fear-mongering and gatekeeping your best models and NEVER giving back anything to the open source community is a pretty asshole behavior. Is it who Dario really is, or does the industry "push" AI company CEOs to behave like this?
At the very least, this whole incident is ironic in that a chinese threat actor used claude instead of the myriad of claude killers released in china every other week.
At another level this whole thing opens up a discussion about security, automated audits and so on. The entire industry lacks security experts. In eu we have a deficit, from bodies in SOCs to pen-testers. We definitely could use all the help we can get. If we go past the first wave of "people submit bullshit AI generated reports" (which, for anyone that has ever handled a project on h1 or equivalent, is absolutely nothing new - it's just that in the past the reports were both bullshit and badly written), then we get to the point where automated security audits become feasible. Don't value "reports", value "ctf-like" exercises, where agents "hunt" for stuff in your network. The results are easily verified.
I'll end on this idea that I haven't seen mentioned on the other thread that got popular yesterday: for all the doomerism that's out there regarding vibe coding and how insecure it is, and how humans will earn a pay check for years fixing vibe coded projects, here we have a bunch of companies with presumably human devs, that just got pwned by an AI script kiddie. Womp womp.