I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos.
-
@GossiTheDog to be fair, the current time to poc is in many cases already down ≤ 1 day or so, but this could take some of the skill out of it and make it more broadly available
@GossiTheDog but other than that... yeah hype-marketing playbook 101.
Didn't OpenAI pull the:"oh no it's too powerful, humanity couldn't take it yet so we're not releasing it to the public", stunt with one of their earlier models as well?^^
-
@agowa338 Cyber security is an insanely complex beast with some parts being technical, some being human, some being regulatory, etc., and well, finding bugs is one small component.
Emphasis on small.
We have not really been great at cyber security in the past, and improvements are needed all across the board. We won't be great at it tomorrow because magic.
Having one component potentially improve is, especially given how speculative the current situation is, is nothing to really worry about. Rather the contrary.
Time will tell, some processes might change, and that is likely all that will happen for a long time.
Most humans in cyber security will very likely notice very little impact for now. Can this all go sideways? Yes, of course. Is it time to say that cyber security is over? I don't think so. At all.
I know. I've been done that. I was the only technician that talked to the compliance people so I "earned" all of the work involved in communicating and bridging both worlds.
And since then it just got worse. Nobody cares about it security. The compliance people are just writing some shit and at this point in many companies they don't even expect their technicians to actually implement it anymore either (if it is even possible at all).
It's just a work creation measure at this point…
-
@GossiTheDog Haven't we already been there with fuzzing?
Anyway, even if Mythos is as good as they claim, that's not really a problem as long as it is available only to a few. It's when every script kiddie gets access to it that we should start worrying.
@bontchev @GossiTheDog Agreed. Current recommendation from our end:
Keep calm, find and fix bugs, make the world a bit safer one bug at a time...
And ignore the hype train, but keep an open eye on how real and measurable things develop. Just what we did before.
-
I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
@GossiTheDog he makes a good point about the subsidized cost. It's like in the early days when Uber was cheap AF to put the taxis out of business. Once they had market share, they cost as much as taxis.
-
Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.
What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.
It's not though, is it?
@GossiTheDog They aren't claiming it's over, that's a strawman. But interestingly they are providing commit hashes of things they've found. Some of these are seriously scary. I've saved a copy of the webpage and will be waiting to see if the promised commits turn up. If they do check out my opinion of Anthropic will rise. If not...
-
I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
Yes, we do watch videos!
-
I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
I asked the FreeBSD security officer to compare the (not yet public) one to Coverity reports. Apparently it found something that Coverity didn't, which means at least it isn't just regurgitating static analyser reports.
That said, last time I read the Coverity reports, they found tens of thousands of possible issues (over 90% of the ones I triaged were false positives). You could probably get a higher RoI from paying someone $20K to triage Coverity scan reports.
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech Agree, and I will only add one thing: Misanthropic is an amoral cult.
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
Yeah and solutions like this dont put servers in datacenters or work with threat analysis on transit traffic.
If all its doing is improving point software solutions, then thats a good thing. Its not going to finish off SAAS solutions - its going to improve them.
-
I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
@GossiTheDog Thanks for the summary, ain't got time for viewing videos.
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech Be wary of projecting special interests, couched in pure Capitalist profiting, too far among a valuable sector like CyberSec. It's a common pattern for a narrowing margin of the masses, to control more vital infrastructure, and heap residual abuses (thanks Capitalism) upon the far more innocent.
-
I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
@GossiTheDog I still do XD
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech Other researchers have replicated their try at finding security bugs with publicly available models and got same results. Is it better than earlier models? I suppose it is, it would be a big failure if a new bigger model wasn't. Is it the big leap they state. Doubtful.
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech i found this post very relevant
https://mastodon.social/@CuratedHackerNews/116387186190988598 -
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
Marcus Hutchins
Malware, Threat Intelligence, Ex-Hacker
Since multiple people have asked me to comment on Claude Mythos / Glasswing, here it is: I can't possibly comment on something I haven't even seen, let alone used.
I, like everyone issuing hot takes, have absolutely no information to go off. We're all looking at the same marketing post with scant falsifiable data or testable hypotheses.
People need to stop clapping like a herd of trained seals every time a corporation drops a new press release. Why not wait for actual impartial data and empirical evidence, then evaluate accordingly?
Press Releases are designed to make a product look as good as possible (and in many cases much better than it actually is, see: Devin, GPT-5, Humane Al, Sora, etc). These are marketing publications not peer-reviewed articles in scientific journals.
We really, as an industry, need to start being more objective. I get that everyone is excited for Al, but we don't need 200,000 hot takes about how "cybersecurity is over" or "the world is ending" every time a new press release drops.
Marketing teams get paid lots of money to hype up new products. Why are you doing their work for free? -
I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
@GossiTheDog IMO it's not nothing but not apocalypse. Enough for forward thinking groups to start taking it seriously and considering risks.
-
Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.
What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.
It's not though, is it?
@GossiTheDog Even *if* the word prediction box is now capable of findings vulns by throwing massive compute at the problem (leaving all the problems with this aside), you still need to get people to fix their shit. Like have they ever looked at what it takes to get a company to just patch their god damn network edge devices?
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech I, too, had my a-technical and very pro-A"I" colleague singing Mythos' praises. When I pointed out that we don't know how many false positives it also produced, it did dawn on him that it might not all that it seems
The thing is, is that he is in marketing, so he should know he's being fed a crafted story. But when it comes to this LLM-craze all critical thinking goed overboard, it seems.
I'm so worried about the future.
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
i keep thinking of the pet rock
and beanie babies
create buzz, create demand, get out early, everyone else is left with useless stuff cluttering their homes
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech Someday we will have a TV show called "Mythos Busters" where real cyber security experts debunk stuff like this ...
