We’ve led the industry in building and adopting Rust
Yeah, then you fired the team to pay the CEO a few million more.
How many vulnerabilities would’ve been found if we had spent several million dollars on human security researchers though?
That doesn’t make sense. Don’t the attackers have the same tools?
Mythos Preview is better at finding real vulnerabilities than existing public models and, for now, only a few have access to it.
for now
bro 3 hours wtf
Defenders finally have a chance to win, decisively
I’m curious how it will turn out to be in a long term. Are we going to have safer software? Because not only defenders will have a powerful tool, but attackers too. But at the same time, number of bugs is finite… Can we in theory one day achieve literally zero bugs in codebase?
You can achieve zero bugs through liberal use of rm.
deleted by creator
Cyber security in general is going to get interesting. Breaking into protected systems often requires more patience than expertise. Attackers often get detected when they take short cuts because of laziness and overconfidence. AI agents have unfathomable patience and attention to detail.l
AI will be good at scaning for known vulnerabilities, but patience and attention to detail? Not in my experience. I use agentic coding agents for work and they are getting better, but they still will regularly get stuck in a loop of running into a bug when running tests, attempting to fix the bug in a stupid way, still erroring, trying another stupid fix, trying the first stupid fix, and so on until a human intervenes. They may be patient (as long as you pay for more tokens), but they aren’t using their time wisely.
AI tends to use the “throw shit at the wall and see what sticks” approach. It’s getting better at writing maintainable code, but it still will generate more-or-less spaghetti code with random unused or deprecated variables, crazy unnecessary functions, poor organization, etc… and requires lots of testing before producing something functional. Which is fine in an environment where you can iterate and clean things up. But as an attack vector, if you need 58 attempts to fully realize a vulnerability, in most secure environments you’re going to get detected and blocked before you finish.
This fluff piece has quite the pie-in-the-sky attitude toward the blue-teaming applications of AI.
Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don’t think so.
How reassuring.
The defects are finite, and we are entering a world where we can finally find them all.
Could’ve said the same thing when enterprise anti-malware came onto the scene decades ago, but the reality was it was just another vector for the arms race between the red team and the blue team. The author seems to put a lot of stock in the whole “the blue team has access to these AI tools that the red team doesn’t currently have access to” argument, which kinda ignores the fact that that reality is simply not going to last.
I could be wrong, but any article suggesting “zero-days are numbered” doesn’t pass the smell test.
I could be wrong, but any article suggesting “zero-days are numbered” doesn’t pass the smell test.
Yeah, you’re right.
The real story is that it is a bit better at finding bugs. Calling them zero-days and implying there’s some major security implications is just to build hype.
It was able to chain a few of the bugs together to create a RCE exploit in a weakened browser, it’s interesting but don’t go to your fallout shelter just yet.
Meanwhile on GitHub Claude Code has over 5k bug reports, currently open.
LLMs generate the 0-days, then LLMs remove the 0-days. They will never run out of work!
Makes sense. Trained on software engineers working that pattern for decades.
Slopzilla Slopfox 🙄
This isn’t going to end well.
Look, I’m all for fuck AI, but this isn’t that.
It will be. You’ll see.
There’s a difference between using AI to apply fixes for problems, and using AI to find problems that you didn’t know about.
Mythos does the latter, not the former.
It’s only a matter of time until they decide it should do both and it makes a mess. Calling it now.
Yes, the sky is falling, AI is ending the world, slopslopslop, etc
We know the bit.
If it’s finding valid vulnerabilities then it’s just another tool like static analysis, fuzzers and sanitizers. There definitely seems to be a difference in quality compared to earlier generations that were behind the sloppy avalanch of reports.
Instead of 271 vulns, it was more like 2 vulns, found 271 different times.
Here’s a o good article about it https://www.flyingpenguin.com/the-boy-that-cried-mythos-verification-is-collapsing-trust-in-anthropic/
I don’t think these are all Mythos, but it’s more than 2 fixes: https://infosec.exchange/@tomrittervg/116443139069130293
Some good debunking here: https://www.flyingpenguin.com/the-boy-that-cried-mythos-verification-is-collapsing-trust-in-anthropic/
