@codinghorror I've honestly not heard of any unpredictable risks generated by AI systems so I sincerely welcome examples.
@cR0w hmm. I dunno. It's kinda like fuzz testing, it's a pretty hardcore mode to switch into and likely to uncover a lot of semi-unpredictable stuff.
@codinghorror AI systems might uncover new vulns but they should not uncover new vuln types or attack vectors, at least not until we see AI actually do something new and novel.
@cR0w the "mashup" style of fuzz can really surprise you in my experience. Just combinatorial stuff not "new and novel" magic.
@cR0w well, actually, I have a reference! It's from @paul and here it is "Just today, January 27, 2026, OpenSSL announced a new security patch release, publishing 12 new zero-day vulnerabilities, including a very rare high-severity one. Of the 12 announced, we at AISLE discovered every single one of them using our AI system." https://www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-12-of-12-openssl-zero-days-while-curl-cancelled-its
@codinghorror @paul While it's a good write-up, and certainly some good finds, I'm not seeing much novelty in there.
Stack buffer overflow, NULL pointer dereference, heap overflows, type confusions, UAF, double-free, missing parameters, improper key permissions, and a cryptographic bug leaving trailing bytes unencrypted and unauthenticated.
So while the vulns are new, the attack vectors are not. I expect / hope that those vuln types were at least all included in the risk model(s) used by OpenSSL devs and maintainers.
I do appreciate the link though. It's nice to see something productive being done with AI systems.