Kevin Beaumont17h ago
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
Show threadKevin Beaumont17h ago
Companion video https://youtu.be/fM7GIIylXqI
Is Cybersecurity Over?

YouTube
Show threadKevin Beaumont16h ago

I don't think anybody actually watches videos any more, so here's MWT's core point -

The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.

So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.

The proof is going to be if any of the open source vulns turn out to be important. So far:

Show threadKevin Beaumont16h ago

Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.

What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.

It's not though, is it?

Show threadtrademark15h ago
@GossiTheDog They aren't claiming it's over, that's a strawman. But interestingly they are providing commit hashes of things they've found. Some of these are seriously scary. I've saved a copy of the webpage and will be waiting to see if the promised commits turn up. If they do check out my opinion of Anthropic will rise. If not...
Show threadCassandrich9h ago
@trademark @GossiTheDog What does "commit hashes of things they've found" even mean? No non-slop project is going to merge the same commits they used in their fixes, because they're LLM slop without provenance to license. If any of these are real, the upstream will fix the bug properly in a way the actual people working on the project understand and can document.
Show threadAndrew Zonenberg9h ago
@dalias @trademark @GossiTheDog the hashes are of advisories they claim they will publish in the future afaik, not patches.
Show threadAndrew Zonenberg9h ago
@dalias @trademark @GossiTheDog so easily verifiable if they actually turn up but the hype cycle will have moved on by then and they already got the PR benefit of claiming a huge number of bugs
Show threadtrademark9h ago
@azonenberg @dalias @GossiTheDog I think it will be a big deal if they don't keep their promises. It's the sort of thing journalists will use for attack pieces. We do already know that some of the bugs are real, for instance Anthropic is keeping the exploit for CVE-2026-4747 secret, but somebody else used public version of Claude to create their own working exploit: https://blog.calif.io/p/mad-bugs-claude-wrote-a-full-freebsd
MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)

To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI.

Calif
Show threadCassandrich9h ago

@trademark @azonenberg @GossiTheDog I love how they hype what's a vuln in the in-kernel NFS server (FFS we've been doing this shit at least 2/3 of my lifetime, stop doing NFS/sunrpc shit already) as "FreeBSD RCE".

I knew when I was like 15 that you don't run NFS unless you want to get popped.

Show threadtrademark8h ago
@dalias @azonenberg @GossiTheDog To summarize your position: "If Anthropic witholds something to give defenders time to fix it, it means they're lying and have nothing. When they do release a real bug it means that it was for some stupid thing you shouldn't be running anyway." Got it.
Show threadCassandrich8h ago

@trademark @azonenberg @GossiTheDog Huh? Did your LLM just vomit that? Because it's completely unrelated to what I said.

What I said is that they're hyping a vuln in one small thing, an NFS server, that FreeBSD happens to have a version of that runs in kernelspace, that nobody security-conscious would be using to begin with, and calling it "vuln in FreeBSD!" to make it sound important and impressive.

Absolutely nothing to do with disclosure timeines or whether their findings are real.

Show threadtrademark8h ago
@dalias @azonenberg @GossiTheDog Let me try explaining more clearly: Anthropic does this to demonstrate the technical capabilities of their new model. Your denigration of the utility of the FreeBSD NFS-server does not detract from that in the slightest, so Anthropic and their customers are not going to care in the slightest. You're being rather insulting to FreeBSD though, is that intentional?
Show threadCassandrich8h ago

@trademark @azonenberg @GossiTheDog They do this to impress investors/C-suites and to keep the grift train going.

I'm not going to address any claims about whether the "technical capabilities of their new model" are a thing.

And to be impressive, yes, they need the thing they attack to be highly regarded in terms of its reputation for security and quality. "Vuln in NFS server module that runs on FreeBSD" does not impress. "Vuln in FreeBSD" does. And it's a lie.

I have no idea how you think this is "insulting to FreeBSD".

Show threadtrademark7h ago
@dalias @azonenberg @GossiTheDog You're saying nobody should run the NFS-server they are making. How is that not insulting? Why don't you go to their mailing lists and tell them to stop? For extra effect repeat the phrase you used: "I knew when I was like 15 that you don't run NFS unless you want to get popped."
Show threadCassandrich7h ago
@trademark @azonenberg @GossiTheDog I don't know the project dynamics of this NFS server module, but I doubt it's something core folks are proud of. NFS is basically a domain of meeting very old legacy requirements, and for old die-hard Sun fans who run it by choice. Back in the day it had utterly zero access control. You just told the server "hey, I'm root" and it said "ok, cool". AIUI the vuln here is in part of an authentication layer bolted on.
Show threadtrademark
@dalias @azonenberg @GossiTheDog You are being incredibly rude and even more ignorant. FreeBSD support latest NFSv4 including Kerberos encryption and authentication. if you don't believe me ask on the relevant mailing list. Though if you do I recommend you tone down your rudeness.
7:23pmWeb