neilmadden@infosec.exchange

@neilmadden@infosec.exchange
About: 16 posts, 9 topics, 0 shares, 0 groups, 0 followers, 0 following

Posts

  • Mythos and its impact on security
    neilmadden@infosec.exchange

    Mythos and its impact on security

    I’m sure by now you’ve all read the news about Anthropic’s new “Mythos” model and its apparently “dangerous” capabilities in finding security vulnerabilities. I’m sure everyone reading this also has opinions about that. Well, here are a few of mine.

    Linked: Mythos and its impact on security, Neil Madden (neilmadden.blog)
    Preview: I’m sure by now you’ve all read the news about Anthropic’s new “Mythos” model and its apparently “dangerous” capabilities in finding security vulnerabilities. I’m sure everyone reading this also has opinions about that. Well, here are a few of mine. Is it all just hype? Firstly, it’s tempting to dismiss the announcement as pure marketing…

  • I’m all for the idea that putting open source software out there shouldn’t land you with endless responsibility for free support.
    neilmadden@infosec.exchange

    I’m all for the idea that putting open source software out there shouldn’t land you with endless responsibility for free support. On the other hand, publishing releases to PyPI/Maven Central/wherever does IMO send a signal that you think something is fit for purpose, and then you should own that.

  • There is a possible world in which LLMs are good for security: where people vibe-code the 5% of a bloated product/library they actually need and avoid a lot of CVEs in the other 95%.
    neilmadden@infosec.exchange

    There is a possible world in which LLMs are good for security: where people vibe-code the 5% of a bloated product/library they actually need and avoid a lot of CVEs in the other 95%. Obviously, that won’t happen. (My guess is that products will bloat even more to tip the buy/build scales back to buy).

  • I’m willing to believe that Anthropic built a better SAST.
    neilmadden@infosec.exchange

    @hacksilon I’m also super interested in how well it generalises to non-memory-safety vulns. How load-bearing is ASan as a quality gate here, and what other classes of vulns have similar oracles?

  • I was relieved this podcast correctly views Mythos as unverifiable marketing.
    neilmadden@infosec.exchange

    @ulldma sure, but lots of other tools find vulnerabilities. There are lots to find. Is Mythos better than those? Who knows. Probably better at finding some, worse at others. Given the high costs involved, I can see it being added onto a yearly pentest engagement, but I doubt it’s going to really change much. It’s another tool in the arsenal, not a game-changer IMO. Finding an obscure crash-DoS in a niche OS TCP stack is not earth-shattering. Nice to find, sure, but the sky is not falling. It’s an evolutionary advance, not revolutionary.

  • I was relieved this podcast correctly views Mythos as unverifiable marketing.
    neilmadden@infosec.exchange

    I was relieved this podcast correctly views Mythos as unverifiable marketing. (Also some interesting stuff about Artemis II and how actually going back to the moon is bottlenecked on Elon Musk…)

    Linked: Should we be scared of Mythos, Anthropic’s new AI? | The Observer (observer.co.uk)

  • I’m willing to believe that Anthropic built a better SAST.
    neilmadden@infosec.exchange

    @hacksilon yeah, for the OpenBSD bug they mention a “few dozen” other findings. But if they were good findings I think they would have said something about them. The fact they just say it as an aside with no elaboration suggests to me these other findings are probably a bit “meh”, but we’ll wait and see. Hopefully we’ll see the full list eventually, once disclosure has run its course.

  • I’m willing to believe that Anthropic built a better SAST.
    neilmadden@infosec.exchange

    To be honest though, with quoted figures of $10-20,000 to find each of these vulns, I don’t think they’re going after the defender market...

  • I’m willing to believe that Anthropic built a better SAST.
    neilmadden@infosec.exchange

    I’m willing to believe that Anthropic built a better SAST. But that’s a total market of about $5B tops according to Google (some estimates seem to be just $0.5B) – it’s going to take a while to pay off their $30B Series G if they keep targeting these relatively tiny markets.

    The same as with targeting developer productivity (another famously quite small market), they are focused on these markets because there are existing automated “bullshit-corrector” tools. In the case of software development, type checkers, linters, testing frameworks etc. In the case of memory corruption bugs, apparently they leant heavily on ASan to weed out the false positives.

    Anyone who’s ever used a SAST on a mature code base knows that reducing false positives is the number 1 priority.

    Also, in a parallel to recent articles about coding agents, finding vulnerabilities is not the bottleneck.

  • Mistook the full stop for a comma in this caption: thought this guy looked pretty relaxed given the massive role he just had in international diplomacy!
    neilmadden@infosec.exchange

    Mistook the full stop for a comma in this caption: thought this guy looked pretty relaxed given the massive role he just had in international diplomacy!

  • Hey Mastodon, my daughter is so disappointed her cake did not go as planned...
    neilmadden@infosec.exchange

    @bertrand looks incredible to me!

  • Latest #firefox #ESR (v149.0) appears to have stopped reporting the HTTP error code when something goes wrong… in this case for a 403.
    neilmadden@infosec.exchange

    @fooflington “there’s a problem with the site” for a 4xx error is really galling!

  • An idea that occurs to me every time I see discussions of HS2: might it perhaps be more environmentally-friendly and pragmatic to turn over our railways entirely to freight, moving countless lorries off the roads?
    neilmadden@infosec.exchange

    @fanf do you think fixing that is more of a challenge than HS2?

  • An idea that occurs to me every time I see discussions of HS2: might it perhaps be more environmentally-friendly and pragmatic to turn over our railways entirely to freight, moving countless lorries off the roads?
    neilmadden@infosec.exchange

    An idea that occurs to me every time I see discussions of HS2: might it perhaps be more environmentally-friendly and pragmatic to turn over our railways entirely to freight, moving countless lorries off the roads? Or is our rail network so sparse that you’d still need lots of lorries doing the “last mile” (or 50 miles) hops? Is there a good source to read on the relative costs/benefits of passenger vs freight rail?

    #uk #transport #rail

  • Someone should really start an Organic Software movement - made by humans, for humans.
    neilmadden@infosec.exchange

    Someone should really start an Organic Software movement - made by humans, for humans.

  • Petition to add "agreeing what constitutes a breaking change" to the Hard Problems of Computer Science.
    neilmadden@infosec.exchange

    Petition to add "agreeing what constitutes a breaking change" to the Hard Problems of Computer Science.
