← Back to context

Comment by AlBugdy

11 hours ago

> This is a perfect illustration of what cracks me up about the hyperbolic reactions to Mythos. Yes, increased automation of cutting-edge vulnerability discovery will shake things up a bit. No, it's nowhere near the top of what should be keeping you awake at night if you're working in infosec.

Mythos will most likely not be the main thing that changes the infosec world, but AI in general will. Maybe in a few years or even decades, but I doubt it will just be another tool to have in our tool belt or another type of threat to consider.

> We've built our existing tech stacks and corporate governance structures for a different era. If you want to credit one specific development for making things dramatically worse, it's cryptocurrencies, not AI. [...]

One could argue it just accelerated everything. Without crypto it would still be possible to hack things and take the money out. It would require more manpower but it would be doable. Cash, wire transfers - nothing is perfectly secure. How are you going to prosecute someone in a foreign country like Russia or NK or even most Asian or African countries the West doesn't have strong relationships with? Even if you could, what's to stop the threat actors from bribing some poor person to take the fault if and when they're caught? If I'm a struggling farmer in Whateverstan, I'll happily take $50000 to give to my family in order to move millions to you.

And that acceleration of crime has positive aspects, too. Now a lot more people care about security. More care is given to making our infra and software in general more secure. Of course it's still insecure as shit, but I think it would be even more insecure if we didn't have cryptocurrency and the issues it brought with it.

Cryptocurrency has a few positives, too. Being able to drugs online (small, current positive) or to know that if shit hits the fan politically, we at least have the technological foundation to escape oppressive, corrupt and dysfunctional governments financially (big, potential positive), even for a while, until we get out shit together financially. It hasn't happened yet, but since even a lot of laypeople know about cryptocurrency, it's possible it could help some people somewhere in the future.

It's similar with privacy - if no one abused the data we gave them, we wouldn't have as many laws about data privacy and we wouldn't have as many people who care about their privacy. You can argue that we're at the point of no return because there are trackers and cameras everywhere, both public and private. That's similar, but a bit different since it's an already established infrastructure. It's harder to fight against something like that but if we do, we could still change it. Perhaps another acceleration in that direction is what we need - mass invasion of privacy so we can collectively wake up and dismantle the current status quo.

3 comments

AlBugdy

Reply
psychoslave  4 hours ago

>we at least have the technological foundation to escape oppressive, corrupt and dysfunctional governments financially

Who is we? How many transactions of any cryptocurrency was either done to buy bread and butter?

btown  11 hours ago

IMO the thing that AI will change is the type of target. It's reasonable to assume that if you launch a website for a small business nowadays - sure, you'll get phishing attempts, port scans, attempts to submit SQL injections into your signup forms, etc.

But you won't get the equivalent of a sophisticated actor's spear-phishing efforts, highly customized supply chain attacks on likely vendor data, the individualized attention to not just blindly propagate when a developer downloads a hacked NPM package or otherwise gets a local virus... but to log into the company's SaaS systems overnight, pivot to senior colleagues, do crazy things like update PRs to simultaneously fix bugs while subtly adding injection surface areas, log into configuration systems whose changes aren't tracked in Git, identify how one might sign up as a vendor and trigger automatic payments to themselves with a Slack DM as cross-channel confirmation, etc.

The only thing holding this back from hitting every company is risk vs. reward. And when the likelihood of success, multiplied by the payout, exceeds the token cost - which might not happen with Mythos, but might happen with open source coding models distilled from it, running on crypto mining servers during times that minting is unprofitable, or by state actors for whom mere chaos is the goal - that threshold is rapidly approaching.