Robert M
๐ค SpeakerAppearances Over Time
Podcast Appearances
This post is meant to be two things.
1.
A PSA about LessWrong's current security posture from a LessWrong admin.
2.
An attempt to establish common knowledge of the security situation it looks like the world, and, by extension, you will shortly be in.
Claude Mythos was announced yesterday.
That announcement came with a blog post from Anthropic's Frontier Red team, detailing the large number of zero days and other security vulnerabilities discovered by Mythos.
This should not be a surprise if you were paying attention, LLMs, being trained on coding first was a big hint, the labs putting cybersecurity as a top-level item in their threat models and evals was another, and frankly this blog post maybe could have been written a couple months ago, either this or this might have been sufficient.
But it seems quite overdetermined now.
Heading Less wrong security posture
In the past, I have tried to communicate that Lesrong should not be treated as a platform with a hardened security posture.
Lesrong is run by a small team.
Our operational philosophy is similar to that of many early-stage startups.
We treat some less wrong data as private in a social sense, but do not consider ourselves to be in the business of securely storing sensitive information.
We make many choices and trade-offs in the direction that marginally favor speed over security, which many large organizations would make differently.
I think this is reasonable and roughly endorse the kinds of trade-offs we're making.
I think it is important for you to understand the above when making decisions about how to use LessWrong.
Please do not store highly sensitive information in LessWrong drafts or send it to other users via LessWrong messages with the expectation that LessWrong will be robust to the maybe upcoming wave of scaled cyber attacks.
LessWrong is not a high-value target.
While LessWrong may end up in the affected blast radius simply due to its nature as an online platform, we do not store the kind of user data that cybercriminals in the business of conducting scaled cyberattacks are after.