29 May 2026 | Regola Digital Consulting
Should we be concerned about Mythos?
Mythos hit the IT headlines three weeks ago, but not the mainstream media. Everyone in government knows about it, NCSC has provided a warning, and it even got a mention in the King's Speech. What is it, and what should we do, if anything? This article briefly explains how the problem arose, how it is being controlled, and what precautions organisations can take.
Mythos: Technology getting ahead of itself? Should we be worried?
Mythos is a good example of "unintended consequences". It’s a great example of cutting-edge technology that got ahead of itself... technology that (nearly) went to market before all aspects of its functionality had been thoroughly tested.
Software is never perfect. It is written by humans, and can contain millions of lines of code. Errors are certain to occur. If the software is thoroughly tested, and does what it says "on the tin", it is usually fit to be released. The errors will become apparent in time, and some good people spend their professional lives looking for errors that could cause vulnerabilities.
OK, that’s the background. One of the most prolific AI companies is Anthropic. To be prolific in AI development you need to push the boundaries. With Mythos, they probably pushed the boundaries too far, too fast!
Why? It was developed to detect errors in software, which was very good for software developers, and for keeping software secure. Great!
BUT… Internet infrastructure is full of software with errors, and so are web applications. So, if Mythos was set free onto the Internet it would pick up errors, and sometimes vulnerabilities, in whatever software it found on systems. The world would be full of software bugs that needed fixing ASAP, with a rush to see who would get there first: developers or hackers. See the problem?
It was tested and withdrawn from use very quickly in early April, and the problem could have become much worse! However, a lot of software errors had already been identified. That means a lot more hackers will have been finding new vulnerabilities to exploit. That means patching software promptly is even more urgent.
The future strategy is for Anthropic to work with major software manufacturers and governments to roll it out in a very controlled way. Phew!
In the long run, Mythos, and products like it, will be excellent. We can look forward to a world where software has fewer errors that could crash systems, and fewer vulnerabilities for hackers to exploit.
However, in the short term, hackers must be rubbing their hands together because they thrive on unpatched vulnerabilities in software and use them to exploit systems.
Advice
It’s all now under control. However, organisations need to be particularly vigilant with their updating, and should sign up to the NCSC's free early warning system:
https://www.ncsc.gov.uk/section/active-cyber-defence/early-warning
Lack of updates within 14 days will now result in a Cyber Essentials fail. This rule was due to be introduced before the Mythos problem emerged, but the discipline of always updating within 14 days is a good habit anyway. Please do so!