Schneier on Security

Clive Robinson • June 8, 2026 10:45 AM

@ Bruce, ALL,

With regards,

“… it’s now common wisdom that Mythos is better at finding software vulnerabilities than other models. Which is just not true.”

From day one it was known that Mythos was,

“Quantity over quality”

All but a very tiny fraction of what Mythos found were not already known to the developers and in effect of inconsequence. Which is why nothing had been done about them… this is quite common not just in FOSS but all software development in the ICT industry that is not of trivial size.

And when seen against the cost not of fixing but of actually testing, why we have a veritable tsunami of “technical debt”. It is what triage essentially does.

Which is why, we’ve seen your following notes,

“1, It’s finding a lot of vulnerabilities in software—yay!

2, Some of them are even dangerous.

3, But almost none of them has been patched.

4, It’s weird.

5, There’s something fishy about the data that I don’t understand.”

With regards the first point, I’ve discussed prior to Mythos/Glasswing getting trumpeted, why this would be so.

That is Current AI LLM and ML Systems can only find “Known, Knowns” of instance and class of vulnerability that the ML found in the training set by statistical means.

Further the “stochastic” aspect of an LLM just adds what is in effect “a little fuzzing” so that “Unknown, Knowns” of instance and class can be found. Whilst some AI LLMs can chain these together, into what looks like a serious attack they mostly are not.

Think of an LLM working on a “Vector distance” basis. By simple logic it can be seen that in effect all the vulnerabilities found should already been “found, fixed, and finished”. But they are not because of management deciding during triage that the resources required would be better deployed addressing “new problematic” rather than “old nonproblematic” issues.

Similar was seen and said with regards your other points before the MythOS “big wonder” hype came to journalists attention.

Clive Robinson • June 9, 2026 1:02 AM

@ KC,

With regards,

“To add, in the context of open-source software, are there risks to “fast patching“?”

Newton observed that,

“For every action there is an equal and opposite reaction.”

It’s something that “Tangible Physical Object” engineers are usually made well aware of in their training.

Those same engineers are also often introduced to “statistical mechanics” that underlies not individual object behaviour but the behaviour of large collections of objects in a bound environment that has external stimuli. An extract from an introduction to the subject indicates the issue,

“A large part of this course will be devoted to figuring out the interesting things that happen when you throw
1023 particles together. One of the recurring themes will be that 1023 ≠1. More is different: there are key concepts that are not visible in the underlying laws of physics but emerge only when we consider a large collection of particles. One very simple example is temperature. This is not a fundamental concept: it doesn’t make sense to talk about the temperature of a single electron. But it would be impossible to talk about physics of the everyday world around us without mention of temperature. This illustrates the fact that the language needed to describe physics on one scale is very different from that needed on other scales. We’ll see several similar emergent quantities in this course, including the phenomenon of phase transitions where the smooth continuous laws of physics conspire to give abrupt, discontinuous changes in the structure of matter.“

https://www.damtp.cam.ac.uk/user/tong/statphys/statmechhtml/S1.html

Intangible Information objects within the environment of a system behave somewhat similarly, but it’s not something that is much talked about, especially the last part about “conspire to give abrupt, discontinuous changes”.

In part this is because we as of yet have no fundamental system of measures by which such things can be objectively reasoned about, and the systems are now just getting large enough to be in the transition zone from micro to macro so the properties are at best observed as emergent.

A modern APT attacker is looking to chain micro instances of vulnerabilities into macro effects.

A modern defender is thus stuck with a problem, in that any –even minor– change may have unpredictable macro consequences very different from predictable expected micro behaviours.

Such a situation requires “caution” as “simplified modelling” will most likely not provide the required macro effects.