Robert McMillan

“So OpenBSD is an operating system... it's been around for a long time. It's kind of on the front of the Internet for many corporations. It's used in firewalls. So it's facing the hackers all the time. A guy named Niels Provos had written some code in 1998 and he made a mistake. Nobody noticed that mistake for over 27 years until Mythos took a shot at it.”

“Twenty-five years ago, there were a million bugs being found in the Windows operating system, and for that to happen, people had to really dig into the ins and outs of how the Internet interacted with Windows. But it required hours and hours of work for humans to achieve the level of mastery required to even be playing in the bug hunting game. AI changes all that, right? Like, AI can just look at all these bugs and kind of get to that level of mastery very quickly.”

“Eight years ago, the average time between a bug being found and a hacker using that bug in a cyber attack was 847 days. Now it's like within a day. It's not rocket science, but it takes time for a human to do it. You have to have a certain level of expertise. AI has absorbed all of that.”

“Anthropic was talking about it as very dangerous, you know, like we're not sure what to do with this, like who should get it? They picked about 50 corporations and organizations and said, take a look at this, see what you can do with it. The idea is that access to mythos could give those companies a head start against bugmageddon, allowing them to find the holes in their systems and patch them before hackers get their hands on mythos.”

“However you slice it, it's the Y2K problem for AI. In cybersecurity, we always talk about the awful things, the ransomware outbreaks and hacks and things like that. But occasionally, we do something right collectively. And Y2K was an example of when the world knew about a problem and worked really hard to fix it.”

“They said, find us some bugs, and it found this bug. A guy named Niels Provos had written some code in 1998 and he made a mistake. Nobody noticed that mistake for over 27 years until Mythos took a shot at it. The bug Mythos found could have caused a serious problem, and it had sat there undetected by humans for nearly 30 years.”

“AI models are getting very good at finding security vulnerabilities. The amount of bugs that are being found right now is skyrocketing, and people are freaking out because of that. Mythos has become the poster child for a phenomenon that people in the cybersecurity industry have been talking about for months... the geeks call it the vulnerability Armageddon, but here at The Journal, we call it the bugmageddon.”

“Eight years ago, the average time between a bug being found and a hacker using that bug in a cyber attack was 847 days. So a bug would be disclosed, two years would go by, and then it would start getting exploited on average. Now it's like within a day. It's not rocket science, but it takes time for a human to do it. You have to have a certain level of expertise. AI has absorbed all of that.”

“We only want to release it to a select group of entities. So they picked about 50 corporations and organizations and said, take a look at this, see what you can do with it. The idea is that access to mythos could give those companies a head start against bugmageddon, allowing them to find the holes in their systems and patch them before hackers get their hands on mythos.”

“Hacking is very asymmetrical. If you are the hacker, you just have to find one way in to your target. You do something and it doesn't work, like no big deal, you know, you can try again. If you're a defender and you try to defend something and it doesn't work, you're hacked.”

“In cybersecurity, we always talk about the awful things, the ransomware outbreaks and hacks and things like that. But occasionally, we do something right collectively. And Y2K was an example of when the world knew about a problem and worked really hard and averted disaster. The Y2K lesson is to take threats seriously as early as possible.”

“We're rolling out all kinds of AI-created software and AI systems and agentic systems and things like that, and people are going to start hacking all of that. So that actually might be a bigger worry than all these bugs in existing software that AI is finding. That's really the thing that I would kind of worry about is like, what is the unexpected consequence of all of these systems rolling out?”

“They said, find us some bugs, and it found this bug. A guy named Niels Provos had written some code in 1998 and he made a mistake. Nobody noticed that mistake for over 27 years until Mythos took a shot at it. The bug Mythos found could have caused a serious problem, and it had sat there undetected by humans for nearly 30 years.”

“AI models are getting very good at finding security vulnerabilities. The amount of bugs that are being found right now is skyrocketing, and people are freaking out because of that. Mythos has become the poster child for a phenomenon that people in the cybersecurity industry have been talking about for months... the geeks call it the vulnerability Armageddon, but here at The Journal, we call it the bugmageddon.”

“Eight years ago, the average time between a bug being found and a hacker using that bug in a cyber attack was 847 days. So a bug would be disclosed, two years would go by, and then it would start getting exploited on average. Now it's like within a day. It's not rocket science, but it takes time for a human to do it. You have to have a certain level of expertise. AI has absorbed all of that.”