3kahg 2 hours ago

It is the opposite. Security people focus on curl and sudo because they are code bases that contain a lot of features and unused code from the 1990s.

They don't focus on projects where they find nothing. They certainly don't advertise when they find nothing.

Getting a lot of scrutiny is not the recommendation that it appears to be. What is the new standard? Projects that never have bugs are deemed to be suspect because they "have not been scrutinized" (they have, but null results never go public)?

So Mythos only finding one issue after other tools have found 300 this year is embarrassing. Mythos was supposed to be better and novel.

tptacek 2 hours ago

It is definitely not the case that curl has been or is now a marquee vulnerability research target. It's a CLI HTTP fetcher. It's the same with sudo. It's a big deal if a sudo vulnerability gets found, because it's an extremely load-bearing piece of software, but sudo is itself not a prime target, because it doesn't do much.

43ahg 2 hours ago

There is no claim that it is a "vulnerability research target". It is a bug finding magnet, and bugs can be found by anything from gcc warnings to AI tools.

No, it didn't attract bluepill exploit research.

The fact that 300 bugs found in a year is not a recommendation, as the pro-AI mafia suddenly claims ("because it has been analyzed!"), still stands. Maybe the AI mafia should sell "analyzed by Mythos" labels to impress people who don't write public software or find bugs, for that matter.

tptacek 2 hours ago

What’s a “bluepill exploit”?

aSJH1 an hour ago

An exploit of the magnitude or impact of this one:

https://en.wikipedia.org/wiki/Blue_Pill_(software)

Now, since you are a literalist, you'll come up with some other nitpick and gain another 1000 Internet points from the AI people. Perhaps a comma is missing somewhere.

enraged_camel an hour ago

Did you... create a new account just to be able to respond to Thomas?

Btw, he's a security researcher. You should be more respectful.

1248wu 29 minutes ago

And enraged_camel is an AI booster. Feel free to point me to his research from the last 30 years.