I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
Is Cybersecurity Over? (YouTube)

I don't think anybody actually watches videos any more, so here's MWT's core point -

The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.

So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.

The proof is going to be if any of the open source vulns turn out to be important. So far:

Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.

What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.

It's not though, is it?

@GossiTheDog They aren't claiming it's over, that's a strawman. But interestingly they are providing commit hashes of things they've found. Some of these are seriously scary. I've saved a copy of the webpage and will be waiting to see if the promised commits turn up. If they do check out, my opinion of Anthropic will rise. If not...
@trademark @GossiTheDog why would it go up? They could have hired a security professional for the cost and they'd have found them too, or different ones. Proves nothing.
@falken @GossiTheDog You're being incredibly rude to OpenBSD if you claim that "just give 20k to a professional" will make a meaningful difference to what they're already doing. https://www.openbsd.org/security.html
@trademark @GossiTheDog not my intent. Shade on LLM slop peddlers only!
@falken @GossiTheDog both of them actually look very good after this. Anthropic because the bug is very hard to spot, I can imagine reading that code a thousand times without seeing it. OpenBSD looks good because the AI did not find a single stupid/careless mistake.