Mozilla Uses Anthropic's Mythos To Fix 271 Bugs In Firefox (nerds.xyz) 166
BrianFagioli writes: Mozilla says it used an early version of Anthropic's Claude Mythos Preview to comb through Firefox's code, and the results were hard to ignore. In Firefox 150, the team fixed 271 vulnerabilities identified during this effort, a number that would have been unthinkable not long ago. Instead of relying only on fuzzing tools or human review, the AI was able to reason through code and surface issues that typically require highly specialized expertise.
The bigger implication is less about one release and more about where this is heading. Security has long favored attackers, since they only need to find a single flaw while defenders have to protect everything. If AI can scale vulnerability discovery for defenders, that dynamic could start to shift. It does not mean zero days disappear overnight, but it suggests a future where bugs are found and fixed faster than attackers can weaponize them. "Computers were completely incapable of doing this a few months ago, and now they excel at it," says Mozilla in a blog post. "We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable. So far we've found no category or complexity of vulnerability that humans can find that this model can't."
The company concluded: "The defects are finite, and we are entering a world where we can finally find them all."
How many? (Score:3, Insightful)
How many of these bugs are around VPN promotions?
I still prefer Firefox, but it'd be nice if it was more like Phoenix and less like a Windows upgrade notice.
Re: (Score:2)
Are these changes pushed to Firefox nightlies? Does that mean that, as of this very second, Firefox is 1000x more secure than Chrome??? :-O
Re:Reinstate Brendan Eich NOW!!! (Score:4, Funny)
Using a VPN is woke now?
Yes. A true patriot has nothing to hide, and uses Trump Mobile directly, no VPN.
Re: Reinstate Brendan Eich NOW!!! (Score:4, Informative)
True Patriots are still waiting for their Trump Mobiles...
Re: (Score:2)
Maybe they could turn it on optimizing performance and fixing compatibility issues next.
They seem to want AI in the browser, so here's an idea for free. Have an AI agent that launches when you click a "site is broken" button, and it figures out why it is broken and fixes it in the browser. Bonus points if it can handle privacy enhancing add-ons breaking sites too.
Re: (Score:2)
The site of the article seems slashdotted, but the precis above does not seem to imply that AI is being used to fix bugs, only find them. And who would trust AI to fix their browser on the fly?
Re: (Score:2)
I've been hoping to see an in-browser AI that does realtime ad-blocking, privacy protection, and readability adjustments.
Extensions like uBlock are amazing and I have all the respect for the people who build it and maintain the definition lists, but it's always an arms race. Something capable of doing it dynamically and on-the-fly could be pretty powerful.
Is an LLM capable of this? Probably not reliably or quickly (especially a self-hosted one like what's shipped with Firefox today), but maybe it can iter
Identify != Fix (Score:3, Interesting)
The headline and the summary don't seem to quite agree here. The AI analyzing code to identify vulnerabilities is not the same as fixing i.e. writing new code to patch those vulnerabilities.
Re:Identify != Fix (Score:5, Insightful)
>The headline and the summary don't seem to quite agree here
why not!?
The main pain of security issues is finding them!!
After Claude found the issues, humans could check and fix them, which for many issues isn't that hard. Again, the hard part is pinpointing that some check fails to catch a corner case or that a buffer may have the wrong size
Re: (Score:2, Insightful)
I found my front door lock was not working.
I called a locksmith to come repair it.
Now it is working.
I didn't fix the front door. The locksmith did.
Re: Identify != Fix (Score:2)
Re: (Score:2)
critical failure in this comparison:
>I found my front door lock was not working.
you found it, great, it was not working!! Easy detection!
now let's put this in apples-to-apples terms:
the door is working fine, you lock and unlock the door without problems. you do not call the locksmith, everything seems fine!
Your next-door neighbor's kid tried to use a screwdriver (or a fingernail if you want, it is not brute force) in the lock and it unlocked without any issue. you learn about it and call the locksmith a
Re: (Score:2)
Re:Identify != Fix (Score:5, Insightful)
Saying, "I used a floodlight to fix my car" isn't inherently inaccurate. It's just ambiguous.
"Identify" would have been a much better word than "fix," since fixing includes identification as part of the process.
Re: (Score:3)
Indeed. And here is the thing: There is growing evidence that LLMs trying to fix vulnerabilities tend to break functionality and introduce new vulnerabilities. Maybe that's the reason they are always only boasting about "finding" them.
Re: Identify != Fix (Score:2)
If slashdot humans tried to fix the many bugs here (notifications button does not work, non-ascii characters are mangled, etc.), do you think they would break more than if AI did it for them?
Re: (Score:2)
If slashdot humans tried to fix the many bugs here (notifications button does not work, non-ascii characters are mangled, etc.), do you think they would break more than if AI did it for them?
Depends which humans. If it was you or me that did it, then we'd definitely introduce more bugs. The ones that did the final fixes will be the internal Firefox engineers who spend their entire working time trying to improve Firefox. What's impressive here is that the generic AI model is playing at the same level as the dedicated human engineers and really giving them a huge step forward in finding the bugs. Likely a future dedicated version of the model which has been taught (through training prompting or wh
Re: (Score:2)
There is growing evidence
Weasel words.
Cite your "evidence."
Re: (Score:2)
Like the other side did cite all its evidence? I have done that. (Well, no. But they did not either.)
Re: (Score:2)
Quit this? Why would I? Mocking deranged cultists is fun! Also, my investigations into human stupidity are still incomplete, because there is so much of it.
Re: (Score:2)
No. But it would be appropriate to call for people to start thinking instead of believing in miracles.
Re: (Score:2)
Sadly, that is entirely possible.
Re: (Score:2)
> Is it appropriate to cite the old proverb, "Physician, heal thyself" here?
Years before the physician was a fentanyl addict living in a cardboard box on the street you would have been compassionate to do so.
At some point you just can't help people who don't want to be helped.
It's sad because the physician was once a happy baby who gave his mother delight. So much waste of care and resources.
Re: Identify != Fix (Score:2)
I mean, given how good clod clod is at writing code, it wouldn't surprise me if it also helped fix them.
What does this mean for old software? (Score:5, Insightful)
What does this mean for older software that's no longer being patched?
The next few patch Tuesdays could be interesting.
Re: (Score:3)
Same as it ever did: if there's a bug, someone could find it and exploit it. There are already AI scanning tools besides all the traditional ones; they are just getting better and reducing the effort needed to find bugs.
However browsers are in an entirely different class of problem because they connect willy-nilly to possibly bad servers, do all sorts of complex things, are used to connect to very sensitive data, can be scanned by any new tools as they are mostly open source, and are expected to run untrust
Re: (Score:2)
I suspect AI has made the last few patch Tuesdays very, say, "fragile."
Re: (Score:2)
For the past half year every patch Tuesday is like cutting the red wire; you never know if it will cause the bomb to explode. The March patch Tuesday is the one that finally did me in. It wrecked the whole network stack. DISM couldn't repair its image, even with physical media. Every attempt I made at fixing things just made it worse. I finally had to completely reformat my whole PC and start from scratch (luckily, I had just completed a NAS so I was able to back stuff up).
Re: (Score:2)
This is why I migrated to Wayland. I'm not a fan of it, but running unmaintained software like X is going to be a very bad idea very soon.
We need humility, not arrogance (Score:4, Insightful)
"The defects are finite, and we are entering a world where we can finally find them all."
We may be entering a world where we can find 99.44% of bugs and we may find the "easy to find ones" a lot faster than we would find them today, but it's very arrogant to declare "we are entering a world where we can finally find them all" given how many unknowns are still out there.
Yes, the progress is good, but we need some humility and we need to be realistic with our expectations.
Re: (Score:2)
Finding them all is impossible with LLMs. Provably so. Anybody that claims differently is a liar. The only tool that is able to find all bugs in a piece of software is formal verification.
Correction: the only way to prove you have found all bugs is with formal verification. It's completely possible for other tools to find all of them. You just won't know for sure whether it found them all.
Speaking specifically about security bugs, a bug finder doesn't even need to be perfect. It just needs to be at least as good as the attackers. If it misses a bug, but the bug is so deeply buried that the attackers can't find it either, you're still safe.
Even if they do find it, it still may not matter.
Re: (Score:2)
Re: (Score:2)
It also won't catch vulnerabilities that exploit differences between the real physical computer and the verifier's idealized description (e.g. spectre, rowhammer). And it won't catch side channel attacks, like inferring information based on how long a computation takes to complete.
They're all tools. They catch the problems they catch and miss the ones they miss.
Re: (Score:2)
Re: (Score:2)
Deeper still; What's the definition of a bug?
For some important bugs the definition is "does a different thing from the user's expectation". For example, your expectation might be that your "account cleaner" software cleans your home directory. Your user's expectation might be that it also cleans up other parts of the system, including the user's email held in a separate mail directory.
Both behaviors are a potential security bug. One can delete email that needed to be preserved for legal reasons. The other
Re: (Score:2)
Re: (Score:2)
Correction: the only way to prove you have found all bugs is with formal verification. It's completely possible for other tools to find all of them. You just won't know for sure whether it found them all.
How can you claim that it is possible for some tool to find all the bugs if you cannot know that the tool found all the bugs?
You cannot claim a tool found all the bugs without a proof that the tool found all the bugs.
Re: (Score:2)
You can claim that if you are not above simply lying about it. It seems lying is quite acceptable to many people when tons of money are involved. And from the stupid claims some people make here, you can tell that lying works, if you just cater to the hopes and dreams of people, not to reality.
As to your statement, the very term "all bugs" does not even make sense without that formal spec. With an informal spec, what actually is a bug is open to interpretation. With no real spec, it is pure guesswork. The LL
Re: (Score:2)
The LLM fans seem to believe in magic.
That's always been a characteristic of AI believers. That's where the idea of the AI singularity comes from, magical thinking.
Re: (Score:2)
True. That "singularity" idea is completely disconnected from reality. It is essentially a belief that a machine will become God, and it is a belief with absolutely no supporting evidence.
Re: (Score:3)
True. That "singularity" idea is completely disconnected from reality. It is essentially a belief that a machine will become God, and it is a belief with absolutely no supporting evidence.
When you just make stuff up and argue against a strawman, it becomes awfully easy to win arguments.
The term "singularity" used in a technological sense goes back to the early days of computing--Von Neumann (this was news to me!). Interestingly, in 1993 NASA held a conference on "cyberspace" and future issues. https://searchworks.stanford.edu/view/3001391 [stanford.edu]. Link to the paper https://ntrs.nasa.gov/api/citations/19940022855/downloads/19940022855.pdf [nasa.gov]
Vernor Vinge:
"Within 30 years, we will have the technological means to create superhuman intelligence. Shortly after, the human era will be ended. Is such progress avoidable?"
Let's see..1993 + 30 = 2023. A few months after Ch
Re: (Score:2)
"Within 30 years, we will have the technological means to create superhuman intelligence. Shortly after, the human era will be ended. Is such progress avoidable?"
Let's see..1993 + 30 = 2023. A few months after ChatGPT 3.5 was released! A funny coincidence (or not?), and nobody would claim that ChatGPT is superhuman, but Vinge was on point.
I enjoyed his books very much, but no he was not on point. He claimed we'd have the means to create superhuman intelligence before now, and you have just admitted that nobody would claim that has been achieved, 3 years after he claimed it could happen, and despite billions being spent to attempt it. So no, that was just another religious opinion unsupported by science, and you showed here that you have enough information to know that yet still somehow didn't get it.
You frequently accuse those you disagree with of magical thinking. IMHO, the real magical thinking is the belief that human-type intelligence is unique and can never be replicated, simulated, or surpassed.
That is also magical thinking, but no more
Re: (Score:2)
I enjoyed his books very much, but no he was not on point.
Really? I thought the article I linked to was an insightful discussion of the topic. e.g.: "For awhile yet, the general critics of machine sapience will have good press. After all, till we have hardware as powerful as a human brain it is probably foolish to think we'll be able to create human equivalent (or greater) intelligence. ... it's more likely that devising the software will be a tricky process, involving lots of false starts and experimentation. If so, the arrival of self-aware machines will not
Re: (Score:2)
and transistors are not neurons which is also enough to prove it's a folly.
Prove?
Transistors aren't vacuum tubes- it's folly to think you could implement a computer on them. Ask drinky- he can prove it.
Seriously, and again, you're too fucking stupid to have this conversation.
Re: (Score:2)
Really? I thought the article I linked to was an insightful discussion of the topic. e.g.: "For awhile yet, the general critics of machine sapience will have good press
That's the opposite of insightful discussion, because it's the proponents of machine sapience who have the good press now... and it is universally bullshit.
If billions of years of evolution can produce a human brain, why can't we simulate one?
Billions of years of evolution producing a human brain does not speak for or against our ability to simulate one. But so far, we can not do that, so the irrelevance of the question is overshadowed by the irrelevance of asking it. Maybe someday we can, but we can't yet. We don't know enough to even know whether or not we can. That's not an argument against
Re: (Score:2)
That's the opposite of insightful discussion, because it's the proponents of machine sapience who have the good press now... and it is universally bullshit.
Hah! I guess that is a matter of your perspective. Sam Altman is (rightfully so, as a huge huckster) public enemy #1 with people trying to attack his home with molotov cocktails. Merriam Webster's 2025 word of the year was "slop" as in AI slop. You have large crowds protesting data centers and AI across the country. The entire state of Maine just banned building more. The county I live in just put a total moratorium on new construction. A few weeks ago a bunch of anti-AI pro-environment signs popped up all
Re: (Score:2)
If starting with your position -- that we don't know enough -- I still stand with the side that says "never" is the weaker position than "possibly."
My position is not never, and it never was. It's not now, and it's that assuming it is physically possible someday is as erroneous as assuming it isn't. We don't know if it is possible or not, we only know we cannot do it now.
Re: (Score:2)
Well geez drinkypoo, that was my entire entrance to this conversation!
IMHO, the real magical thinking is the belief that human-type intelligence is unique and can never be replicated, simulated, or surpassed.
I object to the never part! I do happen to believe that human-level AI is possible, and I think there's a _chance_ that it arises during my lifetime, but I'll straight up say that the timing is just a guess that I have no confidence in.
Re: (Score:2)
Exactly. There is no credible theory and there is no known mechanism. Hence we do not know we can do it. There is also no proof we cannot do it, but there are a lot of indicators that say we probably cannot. Obviously, stupid people do not understand indicators. But the fact of the matter is that we do not understand how general intelligence works physically, that we only observe it in some humans, and that we do not even know how life works.
So "never" is actually a real possibility. I do get that the Physic
Re: (Score:2)
Exactly. There is no credible theory and there is no known mechanism.
False. There is a known mechanism. The human brain.
but there is a lot of indicators that say we probably cannot. Obviously, stupid people do not understand indicators. But the fact of the matter is that we do not understand how general intelligence works physically, that we only observe it ins some humans and that we do not even know how life works
More magical thinking from you. The idea that human-level intelligence is somehow ineffable, undefinable, unknowable is the height of mysticism. This is like some gnostic pastiche of feelings that human-level intelligence is unique and special.
I'll stand with technical advancement every single time as opposed to those who say "impossible."
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Drinky, you are way too fucking stupid to be having this conversation.
Did your mommy let you hold her phone again? Tell her to call me.
Re: (Score:2)
Re: (Score:2)
Your "correction" is wrong. Try again. Unless you think guessing is a valid approach. Come to think of it, guessing is essentially what an LLM does, so maybe you really think it is valid.
As to security bugs, yes. You just need to find the same ones as an attacker does. But there is a problem: An attacker can _randomize_ the process and suddenly finds other exploitable bugs than the defender. And that is why the defender has to find all exploitable bugs, while the attacker just has to find one.
This is not a
Re: (Score:2)
Your "correction" is wrong.
No, it's not.
Unless you think guessing is a valid approach.
Inference, but yes.
Come to think of it, guessing is essentially what an LLM does
It's also what your brain does.
so maybe you really think it is valid.
The flaw is in your statement.
The only tool that is able to find all bugs in a piece of software is formal verification.
Is a provably false statement.
Humorously enough, because- as you mentioned elsewhere- of incompleteness.
You also then said,
Because, you know, it actually happens to be impossible to find all bugs without a formal specification either.
Which is also trivial to prove false.
You should probably step away. You have made yourself look incredibly ignorant.
Re:We need humility, not arrogance (Score:4, Insightful)
Isn't claiming that a magical computer program can find all bugs in another program effectively a variation on the halting problem?
Re: (Score:2)
However, let's say a program has 1 bug. That's it. How? magic. Doesn't matter. It has 1.
Say an LLM finds it. Does the universe now collapse?
The claim that an LLM can't find "all the bugs in a program" is equally wrong.
"All the bugs in a program" is an unknown- whether or not an LLM, or a human, can find all of the unknowns in a program is an unknown. Because as you said- it's the halting problem.
Re: (Score:3)
It's worse than the halting problem, because different cpus will have different errors and error handling.
Re: (Score:3)
Isn't claiming that a magical computer program can find all bugs in another program effectively a variation on the halting problem?
Not quite. There is an escape. With the halting problem (looked at from the outside) there are three classes of programs
* programs that I know stop (eg "echo hi; exit")
* programs that I know don't stop (e.g. "yes yes")
* programs that I don't know what they will do (e.g. MYRAND=100; while [ $MYRAND -ge 2 ]; do echo $MYRAND; MYRAND=$RANDOM; done)
If I treat class three as a bug and only accept programs where I understand when they stop then I can kind of avoid the halting problem.
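The "reject class three" escape above can be sketched in code. This is a hypothetical toy, not a real verifier: it only handles a made-up micro-language of loops whose conditions are already labeled, which is exactly the restriction that makes the problem decidable.

```python
# Toy illustration of sidestepping the halting problem by being
# conservative: only accept programs we can classify, and treat
# everything else as a defect. (Hypothetical micro-language, not
# a real analysis tool.)

def classify(program):
    """program is a list of ("loop", condition) steps, where condition
    is "false" (loop body never runs), "true" (loops forever), or
    "unknown" (data-dependent, like the $RANDOM example above)."""
    for kind, cond in program:
        assert kind == "loop"
        if cond == "true":
            return "never halts"   # class 2: provably diverges
        if cond == "unknown":
            return "rejected"      # class 3: can't tell, so treat as a bug
    return "halts"                 # class 1: provably terminates

print(classify([("loop", "false")]))    # halts
print(classify([("loop", "true")]))     # never halts
print(classify([("loop", "unknown")]))  # rejected
```

The price of the escape is the "rejected" bucket: some perfectly fine programs get refused because the checker cannot prove anything about them.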
Re: (Score:2)
The halting problem is not a problem for constrained sets of programs.
Re: (Score:2)
Formal verification mathematically proves code implements a specification. It does not catch bugs that are specified.
There are entire classes of bugs (logic bugs) that LLMs can find that formal verification literally doesn't even try to.
So you prompt the LLM to "find all the bugs".
Even if the LLM can find every last bug (which in turn assumes that this type of problem isn't NP-hard or has some issue that Godel would point out), just defining to the LLM exactly what a "bug" is seems to be pretty much the same thing as those formal specifications that you just convincingly dismissed as inadequate.
I don't think that there's anything magical about LLMs that would let them get around fundamental mathematical roadblocks.
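On the "bugs that are specified" point above, here is a minimal, hypothetical illustration: the code provably matches the written spec, so verification passes, yet the defect survives because the spec itself is wrong.

```python
# Hypothetical example of a "specified bug".
# Written spec (incorrect): "a user is an adult if age > 18"
# Actual intent: adults are 18 and older.

def is_adult(age):
    return age > 18   # implements the written spec exactly

# Verification against the spec succeeds: the code faithfully
# computes "age > 18". The defect lives in the spec, not the code.
assert is_adult(19) is True
assert is_adult(18) is False   # "verified correct", but wrong intent
```

No spec-conformance tool can flag this; only something reasoning about intent (a human reviewer, or possibly an LLM) can notice that 18-year-olds were meant to pass.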
Re: (Score:3)
An LLM is equally as adequate, and inadequate, as formal verification.
Though frankly, an LLM has the potential to be less inadequate, as it can find specified bugs that formal verification cannot.
I did not say that "An LLM can find all bugs".
I said that the statement, "Finding them all with LLMs is impossible." is incorrect.
The difference is important in this case, logically speaking. Which is humorous, since capacity for logic is the magic Gweihir thinks that humans have that LLMs canno
Re: (Score:2)
Re: (Score:3)
Yes, that is what this idiot just claimed. No, there is no magic in LLMs and incompleteness not only applies, it is worse: LLMs cannot reliably find even obvious things. The thing is, a "bug" is exactly a deviation between specification and implementation, nothing else. And for that to even be well defined, the specification has to be formal. Since there was some inane claim about "all bugs", nothing besides a formal specification will even make sense here.
The moron you replied to seems to think that LLMs c
Re: (Score:3)
That's a valid opinion for previous LLM models but more recent ones (especially Anthropic's new model) have larger context windows and better parsing of code which lets them find issues that aren't "simple toy examples with obvious specifications."
You don't need a formal spec to determine that a webpage shouldn't crash the web browser. There are certain vulnerabilities which are "obvious" to determine the program shouldn't be doing that once found.
Now for logical bugs (e.g. the program does a valid action b
Re: (Score:2)
That's a valid opinion for previous LLM
No.
but more recent ones (especially Anthropic's new model) have larger context windows and better parsing of code which lets them find issues that aren't "simple toy examples with obvious specifications."
Improvements have been iterative. They haven't just now reached a magical threshold where that opinion is now wrong. It's been wrong for a while.
There are certain vulnerabilities which are "obvious" to determine the program shouldn't be doing that once found.
And vulnerabilities that no formal verification in the universe will find, but any LLM in the world will immediately.
that aren't vulnerabilities
Bold claim.
Bold, and potentially wrong.
Re: (Score:2)
No. It is a fundamental limit. Context window size has nothing to do with it. And incidentally, I can have cases where a web-page should very much crash a browser or at least a tab.
Re: (Score:2)
Yes, that is what this idiot just claimed.
No, it isn't.
No, there is no magic in LLMs
Correct.
and incompleteness not only applies
Wait- wasn't it you who said "The only tool that is able to find all bugs in a piece of software is formal verification.".
lol- you fucking idiot.
Re: (Score:2)
You are really going to post something not only this abysmally stupid, but, quite frankly, uneducated? Fascinating.
For your information, the very definition of "bug" is "implementation does not match specification". There is no other one that makes the least bit of sense. Yes, the specification can be informal. In that case the nature of "bug" becomes informal, fuzzy and up to interpretation as well. Which is why as soon as you talk about "all bugs", only a formal specification will cut it, nothing else. Th
Re: (Score:2)
For your information, the very definition of "bug" is "implementation does not match specification". There is no other one that makes the least bit of sense.
What hubris!
Knuth: "Beware of bugs in the above code; I have only proved it correct, not tried it."
Here's an ACM article on the epistemology of bugs: https://dl.acm.org/doi/full/10.1145/3662730 [acm.org]
What's your definition of "insight"?
Re: (Score:2)
educate [gatech.edu] yourself [raywang.tech], dumbass. [medium.com]
I have no idea what kind of yahoo granted you your CS degree, but apparently over at the good ol' University of Washington, they actually knew what the fuck they were talking about.
You can make this part of the release cycle (Score:2)
Before release, you add a phase of vulnerability discovery, to find as much as you can with the latest and greatest models and fix those before release.
It makes sense to defuse the threat before it becomes an issue, otherwise your attackers will do it for you and won't tell you what they find.
it probably makes it easier for the attacker (Score:2)
If there's a finite number of bugs and AI can find all of them, sure, this can let the defenders win: just find and fix every bug. But the usual model is that there are too many bugs to find and fix them all. The defender has to find and fix all the bugs the attacker is able to afford to find. That's the attacker's cost times the number of bugs at the price the attacker's willing to pay or less. Even if there's some economies of scale of finding and fixing bugs, the defender has to pay at least as much as the attack
Good (Score:2)
Re: (Score:2)
Probably a lot of hacking tools will break.
Other than that I think the Mozilla team is pretty competent and can implement fixes with proper testing
This is a danger to open source products (Score:2)
AI being able to find bugs/exploits is fine, as long as it's the maintainer doing it and fixing them.
Only a matter of time before someone uses AI to find a vulnerability in an open source product and uses it as an attack vector.
Flamebait (Score:2)
Mythos can find these bugs ‘easily’ because it has access to the source code.
How many bugs will it find in the Linux kernel? And how many others won’t be found by Mythos but by other, foreign AIs?
Re: (Score:2)
I have not followed it very closely, but there seems to be some strong progress in getting LLMs involved in decompilation. Nothing may be safe!
The company is wrong (Score:2)
> The company concluded: "The defects are finite, and we are entering a world where we can finally find them all."
Wrong.
"There's always one more bug"
-- Ellen Ullman
At what cost? (Score:2)
Ignorance does not help (Score:2)
Okay, so Mozilla finds and fixes obscure security bugs with the aid of AI tools. Then they just need to keep doing that for the new code.
This quickly makes the code more robust, and yet instead we think about slaying the messenger. If Mozilla did not uncover and fix the bugs, an attacker could.
Re: (Score:2)
> Then they just need to keep doing that for the new code.
"You Insensitive Claude, why haven't you made Thunderbird multi-threaded yet?"
(there appears to be evidence of significant limitations in its understanding of complex code)
Increase in intelligence or training data? (Score:2)
I suspect most of this is because Anthropic paid top bug bounty hunters 7 figure salaries for creating better datasets and RLHF.
Great so where's the meat (Score:2)
This is great! Mythos = lots of eyeballs. Now tell us how many of each severity level were found, how many of those could be fixed automatically, and how many fixes both auto and manual then were found to introduce a vulnerability upon reanalysis. Though if there was even one critical severity bug found out of 271 that makes it worth it.
LadyBird (Score:2)
tradeoff (Score:2)
The number of bugs is proportional to the efficiency of the code. Once all the bugs are gone, all the fixes will make everything run ten times slower and take double the memory.
How many worse bugs were created? (Score:2)
Was the joke I was looking for...
Re: (Score:2, Informative)
No they don't. They're sitting on some bugs that are approaching 26+ years old. And yet they don't fix them.
Re: (Score:3)
> And after you find them you have to fix them
> No they don't. They're sitting on some bugs that are approaching 26+ years old. And yet they don't fix them.
There's a difference between "a bug that is a security vulnerability" and "a bug that isn't a security vulnerability", so unless the 26+ year old bug belongs to the former, you don't have a point.
Re: (Score:2)
Indeed. On top of that, the claim that all can be found with this tech is a direct lie.
Re: (Score:2)
Indeed. On top of that, the claim that all can be found with this tech is a direct lie.
Almost certainly, but that's a scientific prediction. Now the code is lots and lots cleaner and there will be a much more limited set of classes of bugs that are getting past the AI. Presumably mostly types of bugs that humans have never found and published previously (so the AI has nothing to learn on). That pushes up the bar for human researchers and means they will concentrate on new things. When they do get found the AI will learn from them and be able to find those classes of bugs too.
Re:It's a 2-way street (Score:4, Insightful)
Finite means there's only so many bugs in the code, once you fix them all, there are no more bugs to exploit.
And if you have this scanning capability, you can test the code before it's exposed to the general public as a release, minimizing future potential mishaps.
Re: (Score:2)
Bugs aren't the only attack vector - logic errors can also allow access, e.g. a simple case is a password or certificate that isn't checked.
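A minimal sketch of the kind of logic error meant here, with entirely hypothetical names: nothing crashes, no memory is corrupted, there is nothing for a fuzzer to trip over, yet one code path silently skips the password check.

```python
# Hypothetical logic bug: a "compatibility" path that forgets
# to verify the password. Access control fails without any crash.

USERS = {"alice": "s3cret"}

def login(user, password, legacy_client=False):
    if user not in USERS:
        return False
    if legacy_client:
        # Bug: legacy path returns success without checking the password.
        return True
    return USERS[user] == password

print(login("alice", "wrong"))                      # False, as expected
print(login("alice", "wrong", legacy_client=True))  # True -- the hole
```

Finding this requires reasoning about what the code *should* do on every path, which is exactly the kind of review work the summary claims the model can scale.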
Re: (Score:2)
"Finite means there's only so many bugs in the code, once you fix them all, there are no more bugs to exploit."
The instantaneous count of bugs is finite, but the ability to "fix" bugs admits that the bug population can change over time. You are assuming that the count a) generally trends down b) non-asymptotically, but you cannot prove either of those assumptions. It is equally plausible that the bug count will asymptotically approach zero (easier bugs get fixed first, so the average difficulty of remaining
Re:So? (Score:4, Insightful)
Re: (Score:3)
"This many bugs"? And how many is that, exactly? A lot? A few? Does it maybe have a relation to what the bugs were and what their impact was?
271, and yes that's a lot. And yes, it does have a relation to what the bugs were and what their impact was. Mozilla, who has no incentive here to hype Mythos or any other AI software https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/ [mozilla.org] said that any one bug would have been a "red-alert in 2025."
And that is why I call this infantile. It does impress weak minds (as you just nicely demonstrated), but as soon as you know a bit more it is just ridiculous and means nothing.
I don't know what a weak mind is. We don't live in the Star Wars universe where Sam Altman or Dario Amodei can just wave their hand and say "These are not the bugs you are look
Re: (Score:2)
You think Mozilla has no reason to hype AI? And you took that belief right out of your behind, I take it?
Incidentally, you just nicely demonstrated that you either cannot read or are quite dishonest.
Re: (Score:2)
You think Mozilla has no reason to hype AI? And you took that belief right out of your behind, I take it?
They have some of their own AI systems, but those are a small part of what they are doing. But if you prefer, consider then just the weaker statement that Mozilla has no incentive to hype Claude Mythos. Are we in agreement there?
Incidentally, you just nicely demonstrated that you either cannot read or are quite dishonest.
Do you want to explain why you think I've demonstrated that?
Re: (Score:2)
You clearly do not understand what a "hardened target" is. Details and context matter. Even if AI and people like you cannot do it.