cURL developer Daniel Stenberg has seen Anthropic’s Mythos, a model the AI biz has suggested is too capable at finding security holes to release publicly, scan his popular open source project. But after the system turned up just a single vulnerability, he concluded the hype around Mythos was “primarily marketing” rather than a major AI security breakthrough.
Stenberg explained in a Monday blog post that he was promised access to Anthropic’s Mythos model - sort of - through the AI biz’s Project Glasswing program. Part of Glasswing involves giving high-profile open source projects access via the Linux Foundation, but while Stenberg signed up to try Mythos, he said he never actually received direct access to the model. Instead, someone else with access ran Mythos against curl’s codebase and later sent him a report.
“It’s not that I would have a lot of time to explore lots of different prompts and doing deep dive adventures anyway,” Stenberg explained. “Getting the tool to generate a first proper scan and analysis would be great, whoever did it.”
Really though… how hard might it be to specialize a model in the process of systems analysis, auditing, documentation, testing, … and also ensure it is biased toward exploitative behaviors? I imagine training a model on all the CVEs, and other such texts, along with systems documentation and some kind of training for tool use (cli and cli tools) and tuning by making the model actually reproduce each CVE result within a virtual environment. Then see what happens when you put it in the ring with modern software.
I might be playing devils advocate. I really don’t believe Anthropic has anything special. Anthropic did get me thinking though, and should this really be so difficult? It seems possibly plausible, to me at least, if you really wanted to do this. It would make a shit general use LLM, though.