chasil 3 days ago

'Mythos “broke into almost all of our classified systems, not in weeks, but in hours.”'

Is Mythos a significant danger?

The curl experience does not suggest that hysteria is warranted, but this gives me pause.

maxall4 3 days ago

Or, alternatively, it may suggest that the NSA’s classified systems are not very secure, which seems at least as possible: they may rely on requiring physical access to these systems to even attempt to penetrate them.

nl 3 days ago

Curl is such a small utility, and the effect of any single problem is limited.

Mythos's great strength was finding multiple vulnerabilities and chaining them together to break a whole system.

Look at it like this: It found one confirmed, minor vulnerability in Curl (but I don't think they have said what it was?). In another system that used Curl it's possible it could have exploited that vulnerability to chain to another, bigger vulnerability that was normally inaccessible.

That's how systems get broken.

prirun 2 days ago

'Mythos “broke into almost all of our classified systems, not in weeks, but in hours.”'

And the government's response was to limit access to US citizens? I don't believe this for a minute. If Mythos could actually break into all these systems, the government would declare it a national security risk and it would never see the light of day for anyone outside government staff with security clearance.

mos_basik 2 days ago

Additional context from the article regarding that particular statement:

"[the statement] was oversimplified... In reality, the tests involved “red teams” of N.S.A. analysts who were using Mythos in a highly tailored environment that would be extremely unlikely for an adversary to replicate, officials said. The red teams began their tests within classified N.S.A. systems designed to be accessible only from certain computers and completely cut off from the broader internet.

The tests found that Mythos was able to identify cybersecurity flaws within that classified network quickly, but it did not actually break into those systems, the officials said."

enraged_camel 3 days ago

>> The curl experience does not suggest that hysteria is warranted, but this gives me pause.

What about the Firefox experience?

Or are we conveniently ignoring things that don't confirm conclusions we've already reached?

chasil 3 days ago

I'm not as familiar with that. I do agree that it sounded substantial.

I just think that a coreutils flaw is not as substantial as a rendering engine exploit.

readthenotes1 3 days ago

Hadn't they spent a year hardening curl with various AI before they tried Mythos?

fc417fc802 3 days ago

Yes. The original curl post didn't say anything like "Mythos sucks" but rather "it's only a minor improvement in comparison to already widely used models".

Chu4eeno 3 days ago

Yes, and Firefox had not.

Which I think points at Mythos not being some big jump in capability finding things earlier LLMs didn't; it seems to mostly come down to a massively increased compute budget and them finally catching up in context sizes.

ai_fry_ur_brain 3 days ago

Aren't you trying to do the same thing? LLM people, you're cooked.

JKCalhoun 2 days ago

Why are these things online at all? Is that a requirement for them to be useful?