Listening to cybersecurity people freak out over Mythos is so tiring. Like, bro, your local water treatment plant runs Windows XP, your mobile provider's hardware is older than you are, and the protocol that routes internet traffic is secured by everyone just agreeing that hijacking it would be uncool.
@malwaretech I don’t care, if this puts security back on the agenda, I’ll take it…

@sancla but instead of investing in the maintainers of OpenSource projects, so they can work on security, instead of focusing on building more resilient infrastructure, the capital made available to improve security will be put into deploying AI-driven endpoint security and DLP tools and to hire "security experts" whose sole skill is tokenmaxxing and role-playing as cyberdefense-pro!

@malwaretech

@eliasp @malwaretech
Most likely yes, but either way focus is getting stronger on supply chains.

Hopefully, it’ll get companies depending on open source scratching their heads about this and get them more involved in open source.

Then again, corporate involvement may not always be the best influence for open source, time will tell and fingers crossed…

@sancla @eliasp @malwaretech it will get lots of companies to drop some of their open source tools/libraries for proprietary ones, where they can then shift the blame onto some other company when things go south.
@markush @sancla @eliasp @malwaretech I agree. Security by obscurity, but it's a sensible decision.
@sancla @malwaretech This is like the dozen or so times before it when dudes in the C-suite have gone all-in on some hype technology, product, or cyberattack instead of doing basic things like vulnerability and patch management. This kind of “agenda” we don’t need.
@sancla this is it, this is the bad take that keeps this shit going.

@malwaretech Not to mention that this isn't new...LLMs have been able to do this since day one. And small models found the same vulnerabilities in FreeBSD ¯\_(ツ)_/¯

Also, from what I understand Mythos couldn't actually make an exploit for that bug, sooooooo big marketing stink imho.

@malwaretech ;) (although BGP isn't as bad as it was in practice these days, but point made!)

@malwaretech I liked the days when we were panicking about China listening in on all our telephone calls / scooping up our mobile data.

Now we just talk directly to some American company's AI and ask them to diagnose our medical problems that we're too embarrassed to see a real doctor for.

@malwaretech now now, don't be raggin' on my local water treatment plant, they're much more up to date than that. they run Windows Vista.
@malwaretech (don't ask about the Windows NT4 machine in the PLC cabinet. nobody knows what it does but we're all too scared to turn it off in case the 5GB Maxtor hard drive in there dies during spinup)
@gsuberland @malwaretech it's scary 'cause it's true 🫣
@floe @malwaretech it's based on real events :D
@floe @malwaretech you know it's great when you walk into the place and someone immediately hands you a piece of paper with both the IP address and MAC address of this thing and says "do not send ANYTHING to this machine, we are terrified of breaking it"
@gsuberland @floe @malwaretech And two days later the hired tiger team launched a full vulnerability scan against it … because … tiger team manager did not communicate. Banking system down for a few days…

@ErikBussink @gsuberland @floe @malwaretech

"We're being scanned, Captain."
"Shut it down. Shut it all down."
🫡 🖖

@malwaretech I truly don't understand it. CISOs and managers jizzing themselves over snake oil is not new, but from technical people I'd expect more.
@malwaretech I think you underestimate how ancient some of us are. I'm definitely older than anything my mobile provider owns, cos I'm older than the industry.

@nav @malwaretech

Indeed, all us fossils live here on Mastodon, it's the only social media we can still stand.

@darwinwoodka @nav @malwaretech

Indeed, 'tis true.

@IAmDannyBoling @darwinwoodka @nav @malwaretech
One of my classmates in high school borrowed his dad's "portable" phone now and then. It looked like this one:

@jakobtougaard @darwinwoodka @nav @malwaretech

High tech!
And it was actually "portable" unlike those that they installed in cars. I wonder what these gizmos cost back then and also wonder how much the monthly bills were.

@IAmDannyBoling @jakobtougaard @darwinwoodka @malwaretech Oh those could be fitted in cars - the main unit clamped into a bracket in the boot, and there was a handset with keypad inside for the driver.

@darwinwoodka @nav @malwaretech With the only algorithm that matters: chronological, with its slight implicit bias towards your own waking hours.

It's bliss.

@malwaretech my rule of thumb is AI is applied to those things that the powers that be don't actually give a shit about, and have only pretended to up until this point.
If the powers that be actually gave a shit about security, models wouldn't have any low-hanging fruit to exploit for the headlines.

@malwaretech

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench"

(Gene Spafford)

@malwaretech My current workplace has Windows 9x machines still in active use. And they're on a network with Internet access. Same with the XP ones. And by the looks of it, there will be HUNDREDS of W10 machines that will be in use well after October this year (in the EU, so we're still covered).
@malwaretech can we also talk about how card payments are basically handing your wallet to the store and trusting them to only take what they're owed?
@malwaretech I work in a large company that was hacked last year. Many modern systems were compromised. The RS6000 box and several of our ancient mainframes were untouched and weren't even turned off during the lockdown or recovery. Gave them a quick once over and they kept ticking like it was 1999.
@malwaretech until recently, all ATMs ran a crazy version of Windows XP and now they run a crazy "IoT" version of Windows 11. Instead of, say, something like SELinux. Something halfway sane.
@mossyfoot @malwaretech As recently as this week, I used an ATM which had that "please activate Windows" watermark visible in the corner of the screen. (At least the other bank AFAIK uses Linux for its ATMs, replacing the OS/2 they used previously.)
@cesarb @malwaretech oh wow. I haven't seen an OS/2 warp machine in a long time.

@malwaretech not to mention the thousands of vulnerable fuel pumps directly connected to the internet.

https://www.darkreading.com/ics-ot-security/fuel-tank-monitoring-systems-vulnerable-disruption

@malwaretech I think it would be kinda cool.

@malwaretech

Well only hijack / hack mobile connection when it's really necessary like when your princess has escaped and you want to kidnap her back.

@malwaretech It’s awesome everyone focuses on new exploits and zero-day attacks while their company’s leaders will just blithely follow any link in an e-mail sent to them.

@steff @malwaretech

Do not blame people clicking on links! That is what links are for.

Blame people like me, computer programmers, who built insecure systems.

@steff @malwaretech

cybersecurity is a kobayashi maru simulation.

i threw in the towel six months ago.

now i drive a bus.

@malwaretech excellent point.

A lot of infrastructure runs outdated software.

But thankfully, most of these systems are not connected to the internet.

@malwaretech That's the new meta strategy man. When the execs ask "What are you doing to protect against mythos?!" Just pull out the OWASP top ten.
@malwaretech The Internet being held together by string and bubble gum is not far from the truth.

@T2R @malwaretech

A long long way from the truth.

A fault tolerant packet switching network that can survive a lot of disruption.

We have the early engineers of the IETF to thank.

@worik @malwaretech DNS, AWS, Google, Cloudflare, Crowdstrike. All massive single points of failure for huge systems. And I mean it metaphorically and not just about the physical links.

@T2R @malwaretech The Internet requires none of those things to function.

It may seem pedantic, but the IP protocol, and the TCP protocol on top of that, are below the level of DNS etcetera.

The Web and the Internet are different. The Web runs on the Internet, and is made less reliable by (though not crippled by) those things you mention.

Fair to say most people, now, see the Internet through phone apps that introduce new classes of risk and failure.

@malwaretech

Fuck Mythos and marketing bullshit, but AI that immensely reduces time-to-exploit is real. Companies are not prepared for it.

@Newk @malwaretech AI is very good at quickly making stuff that only has to work for a couple of weeks before bit rotting ;)
@malwaretech be fair! We secured BGP with lots of crypto, but then left an XSS exploit in the crypto control panel allowing your entire network to get de-routed with one mis-click. https://mxsasha.eu/posts/ripe-ncc-rpki-exploit-chain/
Taking down a European network with a TLS certificate: my RIPE NCC RPKI exploit chain

One click on a malicious, but not suspicious, link. That is all it could take for a network operator to get disconnected from the internet, through a chain of …

@beasts
It seems the internet is "RIPE" for exploitation!
@malwaretech
@malwaretech hey man, it would be really cringe if you misused the protocols that allow us to route internet traffic. Seriously, it would be great if one of these companies would come out with a comic book villain product that was meant to help users and corps efficiently remediate their vulnerabilities instead of exploiting them. Not to mention the hype. Mythos seems to only mark a tangible improvement over previous models in its testing, not the end of security as we know it. The initial article about Mythos sounds like one of the marketing team just played *Hacknet* and really likes the idea of the super hacker tool that can hack all the things when you type "./hack" into a terminal.
@malwaretech ah just like SS7, vulnerable since 1975, still in use, still vulnerable 😂
@malwaretech Is Mythos any good though? I can't find any actual results through all the hype.