Mastodawn

I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.

Show thread

Kevin Beaumont 22h ago

Companion video https://youtu.be/fM7GIIylXqI

Is Cybersecurity Over?

YouTube

Show thread

Kevin Beaumont 21h ago

I don't think anybody actually watches videos any more, so here's MWT's core point -

The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.

So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.

The proof is going to be if any of the open source vulns turn out to be important. So far:

Show thread

Kevin Beaumont 21h ago

Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.

What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.

It's not though, is it?

Show thread

Mark Koek

@GossiTheDog They’re doing the right thing with responsible disclosure, but omg they’re full of themselves. Zero days are not part of the daily cybersecurity churn to begin with, at all, but even so what they’ve found is unimpressive. Yet they literally take it as a given that they’ve turned the industry upside-down. Quod effing none.