this post was submitted on 23 Apr 2026
176 points (94.9% liked)

Technology

84143 readers
2674 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
176
Anthropic Mythos shaping up as nothingburger (www.theregister.com)
submitted 3 days ago by HaraldvonBlauzahn@feddit.org to c/technology@lemmy.world
38 comments fedilink hide all child comments
 

cross-posted from: https://feddit.org/post/28915273

[...]

That marketing may have outstripped reality. Early reports from Mythos preview users including AWS and Mozilla indicate that while the model is very good and very fast at finding vulnerabilities, and requires less hands-on guidance from security engineers - making it a welcome time-saver for the human teams - it has yet to eclipse human security researchers.

"So far we've found no category or complexity of vulnerability that humans can find that this model can't," Mozilla CTO Bobby Holley said, after revealing that Mythos found 271 vulnerabilities in Firefox 150. Then he added: "We also haven't seen any bugs that couldn't have been found by an elite human researcher." In other words, it's like adding an automated security researcher to your team. Not a zero-day machine that's too dangerous for the world.

you are viewing a single comment's thread
view the rest of the comments
[–] pageflight@piefed.social 33 points 3 days ago (2 children)

And if it's like a lot of security scans, most of the results are technically correct, but, within the context of the project, not something anyone's going to take the time to fix.

[–] jj4211@lemmy.world 4 points 2 days ago* (last edited 2 days ago)

Note that in this case, very specifically, they had to yank Firefox's javascript engine out of Firefox "but without the browser’s process sandbox and other defense-in-depth mitigations.” They had to remove the mechanisms designed to quash vulnerabilities.

And they had to test explicitly against Firefox 147 vintage because Firefox 148 had already fixed the two issues that Mythos exploited to get an impressive number. Before Mythos even ran the key problems had been found and patched...

[–] MangoCats@feddit.it 11 points 3 days ago (2 children)

most of the results are technically correct, but, within the context of the project, not something anyone’s going to take the time to fix.

I don't mind leaving "technically correct" vulnerabilities in place while there's no known way to create an exploit. If you've got a vuln with a known exploit and are relying on "but nobody is ever going to actually try that on us" - then you're part of the problem, a big part.

[–] frongt@lemmy.zip 6 points 3 days ago (1 children)

This is why CVE scoring is used for severity. A vuln that doesn't really give you anything, that you can only exploit locally, when already having elevated privileges? That's going to be low priority for a fix.

[–] MangoCats@feddit.it 1 points 3 days ago (1 children)

A vuln that doesn’t really give you anything, that you can only exploit locally, when already having elevated privileges? That’s going to be low priority for a fix.

And, yet, here I am - rebuilding a new interim image for our security team to scan so they can generate a spreadsheet with hundreds of lines of "items of concern" which are above our "threshold of concern" and most of them are being dismissed because of those justifications you just gave: local exploit only, etc. but I have to read every one, tease out the "local exploit only" language, quote it for the justification, over and over and over every few months.

Corporate anxiety is limitless.

[–] frongt@lemmy.zip 2 points 3 days ago (1 children)

You're allowed to do that? Must be nice. We recently got told that you get one six-month justification, after that it must be remediated.

[–] MangoCats@feddit.it 1 points 2 days ago

These are vulnerabilities for local access on a console which is operated in kiosk mode - users never have command line access, and the consoles themselves are rarely if ever network connected.

[–] Whelks_chance@lemmy.world 3 points 2 days ago (1 children)

It might be a config thing, but pretty often these scans will find issues which are only relevant on e.g. windows, when building a Linux container. Or the issue is in some XML parsing library in the base OS but the service never receives XML and isn't public facing anyway. Context matters.

[–] MangoCats@feddit.it 2 points 2 days ago

One that I have to copy-paste over and over are vulnerabilities in the CUPS printer driver chain that don't apply because we don't print arbitrary things, we only print things that we create. Yeah, there's a vulnerability here in image-magick if you throw it such and such maliciously crafted... well, we only allow it to process our internally generated reports and there's no pathway for maliciously crafted input to reach it, so...