- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
[…]
That marketing may have outstripped reality. Early reports from Mythos preview users including AWS and Mozilla indicate that while the model is very good and very fast at finding vulnerabilities, and requires less hands-on guidance from security engineers - making it a welcome time-saver for the human teams - it has yet to eclipse human security researchers.
“So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t,” Mozilla CTO Bobby Holley said, after revealing that Mythos found 271 vulnerabilities in Firefox 150. Then he added: “We also haven’t seen any bugs that couldn’t have been found by an elite human researcher.” In other words, it’s like adding an automated security researcher to your team. Not a zero-day machine that’s too dangerous for the world.
Better portrayal of Mozilla’s response from this ars technica article:
The key part there is fuzzing. These tools have existed for a while. (and many are free!!!) Mythos just does what most AI tools do: Take something that requires more understanding or effort, and condense it into a prompt. Instead of starting a fuzzing tool, configuring its scope and some parameters, then letting it go hog wild for a bit, you just tell the AI model with a prompt to perform similar functions. (while costing more money and taking more time due to inevitable overhead from running a whole LLM)
If anything, this points more towards Mozilla not using existing fuzzing tools to find flaws in their code because they were too lazy, not that Mythos is magic and superior to all else.
BTW, fuzzing was described in Kerninghans and Pikes book "The practice of programming, which appeared in 1999. They applied it to Linux command line tools then. So, it is not exactly new either.