I don't think anybody actually watches videos any more, so here's MWT's core point -

The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.

So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.

The proof is going to be if any of the open source vulns turn out to be important. So far:

Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.

What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.

It's not though, is it?

@trademark @azonenberg @GossiTheDog I love how they hype what's a vuln in the in-kernel NFS server (FFS we've been doing this shit at least 2/3 of my lifetime, stop doing NFS/sunrpc shit already) as "FreeBSD RCE".

I knew when I was like 15 that you don't run NFS unless you want to get popped.

@trademark @azonenberg @GossiTheDog Huh? Did your LLM just vomit that? Because it's completely unrelated to what I said.

What I said is that they're hyping a vuln in one small thing, an NFS server, that FreeBSD happens to have a version of that runs in kernelspace, that nobody security-conscious would be using to begin with, and calling it "vuln in FreeBSD!" to make it sound important and impressive.

Absolutely nothing to do with disclosure timeines or whether their findings are real.