Mythos is good for cybersecurity simply because now executives can’t just tell people that only superhackers can break their stuff, as people wouldn’t believe them now anyways.

Infosec for decades has been 99% “hey I found some low-hanging fruit” only to get treated like a liability by the company you report it to, if you got acknowledgment at all. Because of Mythos though, now Artificial Superhumans can find these same vulns, and anyone could be running such an intelligence! Even better, the rich untouchable people operating this particular Artificial Superhuman can’t just be suppressed or ignored by the other set of rich untouchable people that have routinely not cared in the past. So long as it makes Anthropic money, maybe we’ll actually see actual improvements in security!

I don't see that it makes much difference until we know the distribution of issues that Mythos finds and how reliably it discovers them? Vulns from inspection are discovered via a stochastic process of someone looking at the code, knowing about bug classes and paying sufficient attention to notice them. That's still the case.

IMHO the main thing that's interesting about AI-assisted bug hunting is that it changes the balance of power from people who had a lot of free time & attention to the state and big business, who have money and frontier model access. It's a broadly "conservative" development in the sense that it distributes more power to groups who've already got it.

Waiting for the cyber "proxy wars" where state A equips deniable groups x, y with frontier access to undermine state B.

My point is less about Mythos specifically, more what it represents to the general public. “Mythos” has broken through and started gaining popular mindshare like “ChatGPT” did a few years ago. It now becomes hard to (falsely) claim that fixing basic flaws isn’t a priority, because now everyone knows that it’s probably easier to hack stuff than it was in the past.

Did you just assume every hacker has all the source code in the world?

If you only rely on security through obscurity (e.g. attackers not having the source code) you're gonna have a bad time. And even if your source code is not available, you can make a good guess about its dependencies. Find a vulnerability there and chances are your software is also vulnerable.

Hi, security professional here! A lot of the time, we don't need it.

The "open source movement" has proven reasonably effective over the past few decades.

It’s good enough to find one known function from libc in a program's memory to mount the attack. Moreover, there are automated methods to leak pointers to functions, etc., without having access to the binary itself.

LLMs are very good at reverse engineering binaries. You just have to convince them you're doing defensive security not offensive so they comply.

And state actor LLMs probably don't need convincing.

Most software in the world has little novelty. You don't really need the source code.