Apparently this Mythos model can discover zero days and exploit them. Pentagon & Large companies have been given early access (hopefully to plug the zero days)
From my understanding, they were using the, well, I guess you could say, ‘lite’ version of this to help Mozilla discover some exploits and fix those up in Firefox. I know I was mentioning this earlier, but some of the folks I know that work in tech who are not really big on hyperbole, one of whom I know for a fact has firsthand knowledge on this, is saying that it legitimately is a major big deal and could have shockwave if they don’t prepare like they appear to be doing here.
1 Like
Are you sure? They had a big rift.
From a layman’s (* my uninformed) perspective, this appears quite spooky in terms of security. Is that an appropriate takeaway from these news?
Video on Mythos capabilities, highly recommend you to watch it.
I initially glazed over this new model. Since ChatGPT released, we were told that AI models , and in particular open AI models were going to unleash a cybersecurity disaster (a narrative pushed by closed-source AI labs when they were pro-regulation). This never happened, so I didn’t see how a model specially made for cybersecurity would change this.
But, this isn’t a cybersecurity model. It’s just a very intelligent model that happens to be so smart it can find previously unfound vulnerabilities.
It is also a model that seems to be OK to find vulnerabilities.
The issue, as said in the video, is that even non-hackers can use it to find vulns..Previously LLMs were a productivity enhancer for hackers, not a replacement for hacking knowledge.
(Note ; hacker do not refer only to malicious hackers, I also include white-hat and grey-hat)
My take on the consequences: it appears to be a real game-change.It can find vulnerabilities in decade-old software. Essentially, this model is a cybersecurity researcher, and a very advanced one. Time is often the Achilles heel of CS, and so LLMs that can think for days without interruption are a very big capability.
If you are an open-source developer, you can join the ’Anthropic for OpenSource’ program and get access to Mythos to find vulnerabilities. Do it.
We need every dev to scan their program with this. Anthropic could provide an automated tool where you give your Github repo and if it meets certain conditions (to avoid prompt injection attacks by malicious actors) they send you the vulnerabilities.
I think this model is both a huge gift and a huge threat. It could be a net positive as it can potentially reduce your program vulnerabilities by a huge amount. That mean your program is less likely to be hacked in the future.
On the opposite, if anyone has access to this program, they can exploit those programs. Since most programs have a lot of dependencies, there are thousands, if not hundred of thousands of software pieces to secure. A huge task.