Passa ai contenuti principali

Anthropic Mythos - from the inside

 An excerpt from a blog post by one of the maintainers of curl. A person with a lot of "real world experience" on one of the most widely used software tools in the planet.

Everything in the bulleted list below has been just copied-and-pasted (bold is mine, it was not in the original post). I have not added any comment, it is not necessary. This analysis goes in exactly the same direction that I hypothesized in my previous posts (here and here).

  • Before this first Mythos report, we had already scanned curl with several different very capable AI powered tools (I mean in addition to running a number of “normal” static code analyzers all the time, using the pickiest compiler options and doing fuzzing on it for years etc)... These tools and the analyses they have done have triggered somewhere between two and three hundred bugfixes merged in curl through-out the recent 8-10 months or so. A bunch of the findings these AI tools reported were confirmed vulnerabilities and have been published as CVEs. Probably a dozen or more.
  • The report concluded it found five “Confirmed security vulnerabilities”. I think using the term confirmed is a little amusing when the AI says it confidently by itself. Yes, the AI thinks they are confirmed, but the curl security team has a slightly different take.

    Five issues felt like nothing as we had expected an extensive list. Once my curl security team fellows and I had poked on the this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability. The other four were three false positives (they highlighted shortcomings that are documented in API documentation) and the fourth we deemed “just a bug”.

    The single confirmed vulnerability is going to end up a severity low.
  • The Mythos report on curl also contained a number of spotted bugs that it concluded were not vulnerabilities, much like any new code analyzer does when you run it on hundreds of thousands of lines of code. All the bugs in the report are being investigated and one by one we are fixing those that we agree with.

    All in all about twenty bugs that are described and explained very nicely.
  • My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing. I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos. Maybe this model is a little bit better, but even if it is, it is not better to a degree that seems to make a significant dent in code analyzing.
  • AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past. All modern AI models are good at this now. Anyone with time and some experimental spirits can find security problems now. The high quality chaos is real.
  • Any project that has not scanned their source code with AI powered tooling will likely find huge number of flaws, bugs and possible vulnerabilities with this new generation of tools. Mythos will, and so will many of the others.
  • It should be noted that the AI tools find the usual and established kind of errors we already know about. It just finds new instances of them.
  • We have not seen any AI so far report a vulnerability that would somehow be of a novel kind or something totally new. They do not reinvent the field in that way, but they do dig up more issues than any other tools did before.

Commenti

Posta un commento

Popular Posts

"Ingegneria deve essere difficile"

Il ritaglio di giornale qui sotto ricorda uno degli eventi più non-trovo-un-aggettivo-appropriato del mio periodo di studente di Ingegneria a Pisa. Ricordo che una mattina iniziò a spargersi la voce "hanno murato la porta del dipartimento!".  Andammo subito a vedere ed arrivammo un pò prima dei giornalisti che scattarono questa foto. La porta era murata, intonacata, pitturata di bianco e sovrastata da una scritta "INGEGNERIA DEVE ESSERE DIFFICILE". Le "E" di "INGEGNERIA" erano scritte al contrario perché era una sorta di "marchio di fabbrica" della facoltà di Ingegneria di Pisa. L'aula più grande, quella in cui pressoché tutti gli studenti seguivano i corsi dei primi anni, aveva infatti alcuni bellissimi "affreschi scherzosi" che furono fatti nel corso delle proteste studentesche di qualche anno prima ed in cui la parola "Ingegneria" era appuntoi scritta in quel modo. Si era anche già sparsa la voce di cosa era ...
Posta un commento
Continua a leggere

Perché studiare Analisi Matematica???

Un mio caro amico mi ha scritto: ...sono con mia figlia che studia Analisi 1...A cosa serve, al giorno d'oggi, studiare Analisi (a parte sfoltire i ranghi degli aspiranti ingegneri)? Riporto la mia risposta di seguito, forse può "motivare" qualche altro studente. ... Per un ingegnere la matematica è fondamentale perché è un linguaggio ; ed è il linguaggio essenziale per trattare gli argomenti che dovrà affrontare come ingegnere; non sono importanti i contenuti specifici; è importante, anzi fondamentale, che riesca a capirli, ricostruirli etc. ad esempio, chi deve usare l'inglese, lo usa perché in un modo o nell'altro lo conosce; nessuno di noi ha usato esattamente le frasi o i dialoghi o le regole che ha incontrato negli esercizi di inglese o di tedesco; nella matematica è lo stesso; non sono importanti i limiti, le serie, i teoremi di cauchy o che so io; ma se uno non è in grado di capire quel linguaggio allora non sarà in grado di capire davvero quas...
Posta un commento
Continua a leggere

One must write correctly. One must explain oneself clearly.

The title of this blog says it all. It is a deep truth of fundamental importance in every profession . I have always tried hard to convince students of this fact. Explaining things clearly and correctly, whether in written or in spoken form, is hard .  It takes a lot of time and experience. Most importantly, some people may have more innate talent. Others may have fewer. However, the first step is to convince oneself of the importance of this fact. Otherwise, the battle is lost before it has begun. I have come to believe that many students have a problem in this respect, as they do not realize how important it is to be clear and correct in our own language. They either believe that technical skills are all that is needed, or that they will magically become perfectly understandable to everyone at some unspecified point in the future. This is definitely not the case. Consequently, they will encounter many unexpected and challenging obstacles in their professional careers. Writing...
Posta un commento
Continua a leggere

Cose che racconto nei corsi (e che poi si verificano) - UPDATED

Reti di Calcolatori e Principi di Cybersecurity , intorno alla fine di settembre: " Il DNS è una infrastruttura critica per il funzionamento della società. Pensiamo a cosa accadrebbe se si bloccasse completamente la risoluzione di alcuni nomi. " Il 20 ottobre 2025 molti servizi Internet usati da molti milioni di utenti in tutto il mondo si sono bloccati o sono diventati lentissimi. Tra questi Apple Music, Airbnb, Spotify, Reddit, Perplexity AI, Duolingo, Goodreads, Fortnite, Apple TV, Mc Donald's App, Signal e molti altri (compresi alcuni servizi della pubblica amministrazione UK). Tutti questi servizi dipendono in tutto o in parte da funzionalità software in Amazon Web Services (AWS), uno dei principali fornitori di servizi cloud al mondo. AWS è composto internamente da molti servizi software. Il motivo scatenante del blocco globale è stato un problema nella risoluzione DNS del nome di un particolare servizio usato internamente in AWS. Cybersecurity , corso aziendale i...
Posta un commento
Continua a leggere

On the Anthropic Mythos Preview - "too dangerous to release"

(updated twice after first posting, see below) On April 7-th 2026, Anthropic issued a technical report titled  Assessing Claude Mythos Preview’s cybersecurity capabilities . This report has quickly sparked the all-too-common (and deeply misleading) narrative of an imminent cybersecurity apocalypse due to the (supposedly) immense and groundbreaking capabilities of AI. For example, The New York Times :  I’m really not being hyperbolic when I say that kids could deploy this by accident. Mom and Dad, get ready for: "Honey, what did you do after school today?” “Well, Mom, my friends and I took down the power grid. What’s for dinner?” That is why Anthropic is giving carefully controlled versions to key software providers so they can find and fix the vulnerabilities before the bad guys do — or your kids. What does Anthropic say? The following paragraphs contain a slightly edited AI-generated summary of the Anthropic report Anthropic has introduced Claude Mythos Preview, a langu...
Posta un commento
Continua a leggere