62 points by leonidasv 4 hours ago | 10 comments
  • goalieca 2 hours ago
    There was a double fronted marketing push by both organizations. That much is true and this makes me more skeptical of the message and how exactly it was framed.

    If we just stick with c/c++ systems, pretty much every big enough project has a backlog of thousands of these things. Either simple like compiler warnings for uninitialized values or fancier tool verified off-by-one write errors that aren’t exploitable in practice. There are many real bad things in there, but they’re hidden in the backlog waiting for someone to triage them all.

    Most orgs just look at that backlog and just accept it. It takes a pretty big $$$ investment to solve.

    I would like to see someone do a big deep dive in the coming weeks.

    • bestouff an hour ago
      Globally agreed except for the "harmless" bit. Hackers are good these days, and these apparently innocuous bugs can be exploited in creative ways.
  • Eufrat 2 hours ago
    Probably worth noting that the new-ish Mozilla CEO, Anthony Enzor-DeMeo, is clearly an AI booster having talked about wanting to make Firefox into a “modern AI browser”. So, I don’t doubt that Anthropic and Mozilla saw an opportunity to make a good bit of copy.

    I think this has been pushed too hard, along with general exhaustion at people insisting that AI is eating everything and the moon; these claims are getting kind of farcical.

    Are LLMs useful to find bugs? Maybe. Reading the system card, I guess if you run the source code through the model 10,000 times, some useful stuff falls out. Is this worth it? I have no idea anymore.

    • SkiFire13 10 minutes ago
      > I guess if you run the source code through the model 10,000 times, some useful stuff falls out.

      But you might also get a lot of non-useful stuff which you'll need to sort out.

    • MyFirstSass 2 hours ago
      Hackernews has also been completely co-opted by boosters.

      So much that I don't really visit anymore after 15 years of use.

      It's a bizarre situation with billions in marketing and PR, astroturfing and torrents of fake news with streams of comments beneath them with zero skepticism and an almost horrifying worship of these billion dollar companies.

      Something completely flipped here at some point. I don't know if it's because YC is also heavily pro these companies, and embedded with them, requiring YC applicants to slop code their way in, then cheering about it.

      Either way it's incredibly sad and reminds me of the worst casino economy: NFTs, crypto, web3. There's actually an interesting core, regex on steroids with planning aspects, but it's constantly oversold.

      I say that as a daily user of Claude Max for over a year.

      • HeWhoLurksLate an hour ago
        I haven't been able to find any communities with as high of a signal-to-noise ratio and breadth of experiences as HN, especially not public ones that one can stumble their way into without knowing a guy / joining a clique.
  • dwedge an hour ago
    This article felt really informative at first, but at some point it was like reading an LLM getting stuck in a circle.
  • csmantle 31 minutes ago
    IIRC Mozilla usually categorize internally-found bugs into a few large CVE IDs, grouped by severity, with around ten or so bugs in each. Every advisory gets several CVEs of this kind, for example, <https://www.mozilla.org/en-US/security/advisories/mfsa2026-2...>, <https://www.mozilla.org/en-US/security/advisories/mfsa2026-1...>, <https://www.mozilla.org/en-US/security/advisories/mfsa2026-0...>, etc.
  • nazgu1 2 hours ago
    Why do people publish AI-written articles? If I would like to read AI I can just prompt it myself, and when I read something on someone's blog I expect that I will read the thoughts of this particular human being...
    • Bishonen88 2 hours ago
      While the text seems to be at least AI-supported, I think the research is still interesting. Whether that was done mostly by the author or an AI still does not change much, to me at least.

      I'd appreciate some sort of disclaimer at the start of each article whether it's AI written/assisted or not. But I guess authors understand that it will diminish the perceived value of their work/part.

      • invalidSyntax an hour ago
        I agree. Even if it is a little pain to read, it's still information worth knowing and an actual human's opinion (at least I hope). There's no reason to be skeptical if it isn't a famous news site or something.
  • schnitzelstoat 2 hours ago
    It’s just marketing. Remember when OpenAI said GPT-2 was too dangerous to release?
  • bblb an hour ago
    Can IDEs be configured so that they won't allow saving file changes if they contain the usual suspects: buffer overflows and what not? An LLM would scan it and deny the write operation.

    Like the Black formatter for Python code on VSCode, that runs before hitting CTRL+S.
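
    One concrete form of the pre-save gate asked about above, as an added example that is not from the thread or from any project mentioned in it: a git pre-commit hook that scans staged C/C++ files for the classic unbounded-copy functions and refuses the commit when any are found. The hook mechanism, the git commands and the sample C file are my assumptions; the check is deterministic pattern matching rather than the LLM scan the comment imagines, but it is the cheap first layer such a gate would start from, and it masks comments and string literals so that a mere mention of `strcpy` is not counted as a call.

```python
"""Pre-commit gate: refuse to commit C/C++ files that call classic unbounded
buffer functions. Added illustration, not code from the thread. Assumes it is
installed as .git/hooks/pre-commit in a git repository (my assumption)."""
import re
import subprocess
import sys
from pathlib import Path

# Classic unbounded-copy functions (standard C names) and the usual bounded
# replacements a reviewer would suggest.
BANNED = {
    "gets": "fgets with an explicit buffer size",
    "strcpy": "strlcpy/strncpy with an explicit size",
    "strcat": "strlcat/strncat with an explicit size",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
}
# A call site: the bare function name followed by '('. The word boundary stops
# strncpy or my_strcpy from matching as strcpy.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")
# String literals and comments are masked first so that mentions there do not
# count as calls. Order matters: a literal containing "//" is still a literal.
MASK_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.DOTALL)
C_SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp"}


def mask_non_code(src):
    """Blank out literals and comments, keeping newlines so line numbers hold."""
    return MASK_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan_source(src):
    """Return (line_number, function_name, suggested_replacement) per call found."""
    findings = []
    for lineno, line in enumerate(mask_non_code(src).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append((lineno, m.group(1), BANNED[m.group(1)]))
    return findings


def staged_c_files():
    """Paths of added/copied/modified C or C++ files in the git index."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [Path(p) for p in out.splitlines() if Path(p).suffix in C_SUFFIXES]


def main():
    """Exit non-zero (git then aborts the commit) if any staged file has a finding."""
    total = 0
    for path in staged_c_files():
        for lineno, name, hint in scan_source(path.read_text(errors="replace")):
            print(f"{path}:{lineno}: {name}() has no bound; prefer {hint}")
            total += 1
    if total:
        print(f"pre-commit: refusing commit with {total} finding(s)")
        return 1
    return 0


# Constructed sample so the scanner can be exercised without a repository.
SAMPLE_C = """#include <string.h>
// strcpy mentioned in a comment is not a call
void f(char *in) {
    char buf[16];
    strcpy(buf, in);           /* unbounded: flagged */
    strncpy(buf, in, sizeof buf); // bounded: not flagged
    puts("strcat(a, b)");      // inside a string literal: not flagged
    sprintf(buf, "%s", in);    // unbounded: flagged
}
"""

if __name__ == "__main__":
    sys.exit(main())
```

    Run against `SAMPLE_C`, `scan_source` reports only line 5 (`strcpy`) and line 8 (`sprintf`). A real gate would sit behind a compiler or static analyzer with a wider rule set; the value of a hook like this is that it is fast, offline and hard to forget, and `git commit --no-verify` remains available as the explicit override.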

  • helsinkiandrew 2 hours ago
    Whatever the capabilities, there’s always a little hype, or at least the risk won’t be as great as thought:

    > Due to our concerns about malicious applications of the technology, we are not releasing the trained model.

    That was for GPT-2 https://openai.com/index/better-language-models/

    • 1una an hour ago
      In the same article you linked:

      > Due to concerns about large language models being used to generate deceptive, biased, or abusive language at scale, we are only releasing a much smaller version of GPT‑2 along with sampling code.

      7 years later, these concerns seem pretty legit.

    • imInGoodCompany an hour ago
      I think a certain level of hype is warranted for a model that can autonomously discover complex 27-year-old 0-days in OpenBSD for $20K[0]. We don't yet know what this does to the balance of attack/defense in OSS security, and we cannot know until the capability is widespread. My most hopeful guess is that it looks heavily in favor of attackers in the first 6-12 months while the oldest 0-days are still waiting to be discovered, before tipping in favor of defenders as the price goes down for Mythos-level models and the practice of using them for vulnerability review becomes widespread.

      The absolute best case is that we end up with a similar situation to modern cryptography, which is clearly in favor of defenders. One can imagine a world where a defender can run a codebase review for $X compute and patch all the low-hanging fruit, to the point where anything that remains for an attacker would cost $X*100000 (or some other large multiplier) to discover.

      [0] https://red.anthropic.com/2026/mythos-preview/

  • bawolff 2 hours ago
    One thing to keep in mind is that Firefox is probably a pretty hard target. Everyone wants to try and hack a web browser. One assumes the low hanging fruit is mostly gone.

    I think the fact this is even a conversation is pretty impressive.

    • Bishonen88 2 hours ago
      Probably you're right, but given the browser usage distribution, I reckon most hackers wouldn't care about Firefox at this point and solely concentrate on Chrome. I reckon Firefox users are, on average, more tech savvy and, given a hack, would be able to help themselves/find out about the hack quicker than the average Chrome user.
  • imiric an hour ago
    For crying out loud, why are we discussing and paying attention to articles and claims about a product that doesn't even exist yet?!

    If this isn't a sign of a bubble, where marketing is more important than the actual product, I don't know what is. This industry has completely lost the plot.