Anthropic Mythos shaping up as nothingburger (www.theregister.com)
from HaraldvonBlauzahn@feddit.org to programming@programming.dev on 23 Apr 17:32
https://feddit.org/post/28915273

[…]

That marketing may have outstripped reality. Early reports from Mythos preview users including AWS and Mozilla indicate that while the model is very good and very fast at finding vulnerabilities, and requires less hands-on guidance from security engineers - making it a welcome time-saver for the human teams - it has yet to eclipse human security researchers.

“So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t,” Mozilla CTO Bobby Holley said, after revealing that Mythos found 271 vulnerabilities in Firefox 150. Then he added: “We also haven’t seen any bugs that couldn’t have been found by an elite human researcher.” In other words, it’s like adding an automated security researcher to your team. Not a zero-day machine that’s too dangerous for the world.

#programming

threaded - newest

supersquirrel@sopuli.xyz on 23 Apr 17:38 next collapse

no!

<img alt="" src="https://sopuli.xyz/pictrs/image/7c062edb-092e-4992-a5a1-bf9b58e3e082.webp">

Imgonnatrythis@sh.itjust.works on 23 Apr 17:40 next collapse

Marketing outstripping reality? Is that even allowed to happen? I hope nothing like that happens with the dick pills I just ordered.

Quetzalcutlass@lemmy.world on 23 Apr 17:51 next collapse

As much as I hate everything about the rise of LLMs, saying this isn’t impressive because it can be matched by “an elite security researcher” isn’t very reassuring to me. It’s still an agent being pointed at a codebase and finding hundreds of vulnerabilities. Even if only a twentieth turn out to be exploitable in practice, that’s still a terrifying tool to imagine in the hands of hackers who might otherwise lack the skills to find these vulnerabilities.

Most hacking groups buy exploits off of dark markets and indiscriminately target servers until they find one that’s vulnerable. The number that can actually develop those hacks is far smaller, but if you can simply ask an LLM to find a vulnerability then that bar is lifted. Hell, you could probably coerce it into writing the actual exploit too by claiming you need a proof-of-concept for a CVE writeup.

theunknownmuncher@lemmy.world on 23 Apr 18:10 next collapse

Most all of the reporting about this is purely misinformation. If you actually read the papers that Anthropic published instead of the marketing material, you’ll find that:

  • it was actually claude opus that discovered many of the vulnerabilities, not mythos, which undermines the “MyThOs Is ToO dAnGeRoUs” narrative. All of these capabilities are already out there for anyone to use
  • the researchers guided mythos to the vulnerabilities, not the other way around
Quicky@piefed.social on 23 Apr 18:35 collapse

That’s actually mentioned in this article tbf.

Additionally, the “’thousands of severe vulnerabilities’ extrapolates from 198 manually reviewed reports. The Linux kernel bug was found by Opus 4.6, the public model, not Mythos,” Devansh said.

Grandwolf319@sh.itjust.works on 23 Apr 19:20 next collapse

I’m so proud of lemmy for fully calling our nuance cases and not letting our bias get the best of us.

CultLeader4Hire@lemmy.world on 23 Apr 19:55 collapse

I agree, and is it even true if “elite security researchers” didn’t actually find these problems? They didn’t find them because they weren’t looking for them is the obvious answer but it’s still a glaring inconsistency

rovingnothing29@lemmy.world on 23 Apr 17:59 next collapse

<img alt="" src="https://lemmy.world/pictrs/image/6de59603-710b-43cb-9f87-fa5ef3482972.mp4">

MissesAutumnRains@lemmy.blahaj.zone on 23 Apr 18:00 next collapse

I’m a bit confused because the quotes do seem to do Mythos quite a bit of justice here. Saying it is essentially the equivalent of an elite security researcher seems… good, right?

Isn’t the threat that’s being discussed “what if anyone could point this at anything and then actively exploit the things it finds”?

higgsboson@piefed.social on 23 Apr 18:33 next collapse

Much of Lemmy is ideologically against AI, so it is difficult to have rational conversation about the topic here.

Yes, for many enterprises, an “automated security researcher” is likely to be quite useful… and by the same measure, likely to be dangerous in the wrong hands. People attempting to pounce on this as some sort of gotcha mostly havent engaged beyond the headline.

justOnePersistentKbinPlease@fedia.io on 23 Apr 19:04 collapse

The article does not.

It states that logs indicate that the LLM was pointed at known bugs and reproduced known bug reports.

For FreeBSD, they state that the logs indicate that it was hand-guided to known issues.

For firefox, they ran it in a sandbox with most of Firefox's security disabled/stripped out.

It states that Mythos found no zero days.

entwine@programming.dev on 23 Apr 18:22 next collapse

It’s funny to think that Whiskey Pete may have cost the US military access to the most powerful cyber warfare tool in history all because he’s an incompetent drunkard and immature man-child. But I also don’t want to be giving these AI companies the benefit of the doubt, especially when it comes to marketing claims.

IanTwenty@piefed.social on 23 Apr 18:55 next collapse

This is the meat of the headline:

For example, the Anthropic-claimed 181 Firefox exploits ran with the browser sandbox turned off and the FreeBSD exploit transcript “shows substantial human guidance, not autonomy.” 

Additionally, the “’thousands of severe vulnerabilities’ extrapolates from 198 manually reviewed reports. The Linux kernel bug was found by Opus 4.6, the public model, not Mythos,” Devansh said.

Another researcher, Davi Ottenheimer, pointed out that the security section (Section 3, pages 47-53) of Anthropic’s 244-page documentation “contains no count of zero-days at all. With no CVE list, no CVSS distribution, no severity bucket, no disclosure timeline, no vendor-confirmed-novel table, no false-positive rate.”

Ottenheimer likens it to “the ending of the Wizard of Oz, a sorry disappointment about a model weaponizing two bugs that a different model found, in software the vendor had already patched, in a test environment with the browser sandbox and defense-in-depth mitigations stripped out.”

absGeekNZ@lemmy.nz on 23 Apr 19:13 next collapse

This soccer playing robot isn’t much of a threat, it can be equalled by an elite player with years of experience.

kibiz0r@midwest.social on 23 Apr 20:39 collapse

Consistently under-reported: If you spend a few hundred million on security research, you’re gonna find a lot of vulnerabilities.

The real revelation is not how much more skilled Mythos is, but how much better funded.