I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber Pearl Harbour and the need to buy magic boxes.
Is Cybersecurity Over? (YouTube)

I don't think anybody actually watches videos any more, so here's MWT's core point -

The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.

So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.

The proof is going to be if any of the open source vulns turn out to be important. So far:

Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.

What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.

It's not though, is it?

@GossiTheDog

Well, cybersecurity is over, but not because of this but because of everyone and their mother deploying OpenClaw in production...

@agowa338 Cyber security is an insanely complex beast with some parts being technical, some being human, some being regulatory, etc., and well, finding bugs is one small component.

Emphasis on small.

We have not really been great at cyber security in the past, and improvements are needed all across the board. We won't be great at it tomorrow because magic.

Having one component potentially improve, especially given how speculative the current situation is, is nothing to really worry about. Rather the contrary.

Time will tell, some processes might change, and that is likely all that will happen for a long time.

Most humans in cyber security will very likely notice very little impact for now. Can this all go sideways? Yes, of course. Is it time to say that cyber security is over? I don't think so. At all.

@cure53

I know. I've done that. I was the only technician that talked to the compliance people so I "earned" all of the work involved in communicating and bridging both worlds.

And since then it just got worse. Nobody cares about IT security. The compliance people are just writing some shit and at this point in many companies they don't even expect their technicians to actually implement it anymore either (if it is even possible at all).

It's just a work creation measure at this point…

@agowa338 @GossiTheDog And anybody with a lick of knowledge about security getting laid off.