Hacker News

chromacity, 04/13/2026 (23 replies)

This is a perfect illustration of what cracks me up about the hyperbolic reactions to Mythos. Yes, increased automation of cutting-edge vulnerability discovery will shake things up a bit. No, it's nowhere near the top of what should be keeping you awake at night if you're working in infosec.

We've built our existing tech stacks and corporate governance structures for a different era. If you want to credit one specific development for making things dramatically worse, it's cryptocurrencies, not AI. They've turned the cottage industry of malicious hacking into a multi-billion-dollar enterprise that's attractive even to rogue nations such as North Korea. And with this much at stake, they can afford to simply buy your software dependencies, or to offer one of your employees some retirement money in exchange for making a "mistake".

We know how to write software with very few bugs (although we often choose not to). We have no good plan for keeping big enterprises secure in this reality. Autonomous LLM agents will be used by ransomware gangs and similar operations, but they don't need FreeBSD exploit-writing capabilities for that.


Replies

KronisLV, 04/13/2026

> We know how to write software with very few bugs (although we often choose not to)

Do we, really? Because a week doesn’t go by when I don’t run into bugs of some sort.

Be it in PrimeVue (even now the components occasionally have bugs, seems like they’re putting out new major versions but none are truly stable and bug free) or Vue (their SFC did not play nicely with complex TS types), or the greater npm ecosystem, or Spring Boot or Java in general, or Oracle drivers, or whatever unlucky thread pooling solution has to manage those Oracle connections, or kswapd acting up in RHEL compatible distros and eating CPU to a degree to freeze the whole system instead of just doing OOM kills, or Ansible failing to make systemd service definitions be reloaded, or llama.cpp speculative decoding not working for no good reason, or Nvidia driver updates bringing the whole VM down after a restart, or Django having issues with MariaDB or just general weirdness around Celery and task management and a million different things.

No matter where I look, up and down the stack, across different OSes and tech stacks, there are bugs. If there is truly bug free code (or as close to that as possible) then it must be in planes or spacecraft, cause when it comes to the kind of development that I do, bug free code might as well be a myth. I don't think everyone made a choice like that - most are straight up unable to write code without bugs, often due to factors outside of their control.

Shank, 04/13/2026

> And with this much at stake, they can afford to simply buy your software dependencies, or to offer one of your employees some retirement money in exchange for making a "mistake".

LAPSUS$ was prolific by just bribing employees with admin access. This is far from theoretical. Just imagine the kind of money your average nation state has lying around to bribe someone with internal access.

Animats, 04/13/2026

"It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time."

Does this mean firewalls now have to block all Ethereum endpoints?

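A practical answer to the question above is that you cannot enumerate every Ethereum RPC endpoint (anyone can stand one up), so the useful check is on the protocol shape: outbound JSON-RPC `eth_*` reads from hosts that have no business talking to a chain, plus recovery of the hostname the contract handed back so it can be fed to DNS and proxy blocks. The block below is an added example and is not code from the thread or from the report it quotes. The proxy log format, the gateway list, the contract address, the function selector and the returned domain are all constructed for illustration; only the ABI `string` layout (offset word, length word, zero-padded bytes) is real Ethereum behaviour.

```python
import json
import re
from typing import Optional

# Read-only JSON-RPC methods a resolver-style implant would use to pull a value out of
# a contract. Assumption for this example: these are the methods worth alerting on from
# hosts that are not known chain users.
WATCHED_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

# Illustrative public gateways. Any JSON-RPC endpoint works for the attacker, so this list
# only annotates findings; the detection itself keys on the protocol, not the destination.
PUBLIC_GATEWAYS = ("cloudflare-eth.com", "mainnet.infura.io", "rpc.ankr.com")

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def abi_encode_string(s: str) -> str:
    """ABI-encode a Solidity `string` return value: offset word, length word, padded data."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def abi_decode_string(hexdata: str) -> Optional[str]:
    """Decode an ABI-encoded `string`; returns None when the bytes do not have that layout."""
    try:
        raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    except ValueError:
        return None
    if len(raw) < 64:                      # a bare uint/address is 32 bytes and is not a string
        return None
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if length > len(raw) - start:          # length word claims more data than was returned
        return None
    try:
        return raw[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan(log_lines):
    """Flag outbound Ethereum JSON-RPC reads and recover any hostname the contract returned."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        try:
            req = json.loads(rec.get("req_body") or "null")
        except json.JSONDecodeError:
            continue
        if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
            continue
        method = req.get("method")
        if method not in WATCHED_METHODS:
            continue
        dst = rec.get("dst_host", "")
        finding = {
            "src": rec.get("src"),
            "dst_host": dst,
            "method": method,
            "known_gateway": any(dst == g or dst.endswith("." + g) for g in PUBLIC_GATEWAYS),
            "contract": None,
            "resolved_domain": None,
        }
        params = req.get("params") or []
        if params and isinstance(params[0], dict):      # eth_call / eth_getLogs: {"to": ...}
            finding["contract"] = params[0].get("to")
        elif params and isinstance(params[0], str):     # eth_getStorageAt(address, slot, block)
            finding["contract"] = params[0]
        try:
            resp = json.loads(rec.get("resp_body") or "null")
        except json.JSONDecodeError:
            resp = None
        if isinstance(resp, dict) and isinstance(resp.get("result"), str):
            text = abi_decode_string(resp["result"])
            if text and HOSTNAME_RE.match(text):
                finding["resolved_domain"] = text       # the C2 domain, ready for a DNS/proxy block
        findings.append(finding)
    return findings


# Constructed sample proxy records (not real traffic). The contract address, the selector
# and the returned domain are placeholders for illustration.
CONTRACT = "0x" + "ab" * 20
SAMPLE_LOGS = [
    json.dumps({"src": "10.0.0.23", "dst_host": "www.example.com", "req_body": "", "resp_body": ""}),
    json.dumps({"src": "10.0.0.23", "dst_host": "cloudflare-eth.com",
                "req_body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                        "params": [{"to": CONTRACT, "data": "0xdeadbeef"}, "latest"]}),
                "resp_body": json.dumps({"jsonrpc": "2.0", "id": 1,
                                         "result": abi_encode_string("c2.example.net")})}),
    json.dumps({"src": "10.0.0.50", "dst_host": "rpc.example.org",
                "req_body": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_call",
                                        "params": [{"to": CONTRACT, "data": "0xdeadbeef"}, "latest"]}),
                "resp_body": json.dumps({"jsonrpc": "2.0", "id": 7, "result": "0x" + "00" * 31 + "2a"})}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(json.dumps(f))
```

Run against the constructed records, the scan yields two findings: the workstation reading a string from the contract through a public gateway (with `c2.example.net` recovered as the indicator), and a second read through an endpoint not on the list, which is still flagged because the match is on `eth_call`, not on the hostname. Adding `eth_getStorageAt` matters because an implant can read the raw storage slot instead of calling a getter, which sidesteps any detection keyed on a specific function selector.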
jruohonen, 04/13/2026

> but they don't need FreeBSD exploit-writing capabilities for that.

That's a solid point. There was a piece the other day in the Register [1] saying that studying supply chains for cost-benefit-risk analysis is how some of them increasingly operate. And, well, why wouldn't they if they're rational (an assumption that is debatable, of course)?

[1] https://www.theregister.com/2026/04/11/trivy_axios_supply_ch...

fyredge, 04/14/2026

> They've turned the cottage industry of malicious hacking into a multi-billion-dollar enterprise

Thank you for this insight! Crypto truly is the financialization of crime.

440bx, 04/13/2026

Yeah I tend to agree. For me Mythos' principal risk in my mind is saturation through being able to do bad things faster. Vulnerabilities are found and fixed - that's life. What is a problem is identifying and prioritising vulnerabilities. A miscategorisation or misidentification may lead to an extended attack window of a vulnerability. If a cloud provider, or multiple cloud providers are open to something there then everyone is in trouble. That's a pretty big nightmare scenario for me where I currently am.

pessimizer, 04/13/2026

> This is a perfect illustration of what cracks me up about the hyperbolic reactions to Mythos.

The hyperbole was press released and consciously engineered. It consists entirely of the company who made Mythos, the usual captured media outlets who follow the leader, and the usual suspects from social media.

The reaction to it as if it is meaningful just fluffs it up more.

These are unprofitable companies trying to suck up maximum possible investment until they become something that the government can justify bailing out with tax money when they fail. Once you've crossed that line, you've won.

Some model that is super good at finding vulnerabilities will be run against software by the people trying to close those vulnerabilities far more often than by anyone trying to exploit them.

wnevets, 04/13/2026

> it's cryptocurrencies

It's arguably the single worst thing to happen to infosec since the internet.

IanCal, 04/13/2026

These are vastly different scales though. “If North Korea wanted to, they could spend a lot of money and get into your system” is wildly different to “anyone with a few bucks who can ask ‘please find an exploit for Y’ can get in”

lifeisstillgood, 04/14/2026

>>> We know how to write software with very few bugs (although we often choose not to)

I see this as primarily a social issue - OSS projects are frequently free of the WTF bugs enterprise software can suffer from (things that one lone developer with access to their own OS would never do - call it “I can’t install X so no logging at all happens”) and frequently free of the bugs that a lone developer would slowly fix (call it “proof of concept got released because a rewrite would need approval” bugs). That alone removes entire classes of bugs before we hit logic bugs and off by one errors.

The social cost of “is that honestly the best you can do” is enormous, and being part of a dysfunctional organisation allows human nature to stick on “in this place, in this culture - yes”

Changing that culture in a small team is possible - at scale it’s really costly

dzhiurgis, 04/13/2026

What if gov shook up tech regulation a bit. Right now App Store is a bit of a weird gold standard for security, except that it is rife with scams.

What if regulators _required_ an independent app store where apps go through such stringent reviews that reviewers provide actual guarantees with underwriting (read: government backstop) that the thing is secure.

mrexcess, 04/13/2026

Any tool that is that good at vulnerability research is bound to have some killer capabilities in attack surface mapping and exploitation…

Which is not to disagree with the thrust of your point, I think: it’s even more about the fundamentals than it was yesterday. The bar for “secure enough” is what is being raised.

AlBugdy, 04/13/2026

> This is a perfect illustration of what cracks me up about the hyperbolic reactions to Mythos. Yes, increased automation of cutting-edge vulnerability discovery will shake things up a bit. No, it's nowhere near the top of what should be keeping you awake at night if you're working in infosec.

Mythos will most likely not be the main thing that changes the infosec world, but AI in general will. Maybe in a few years or even decades, but I doubt it will just be another tool to have in our tool belt or another type of threat to consider.

> We've built our existing tech stacks and corporate governance structures for a different era. If you want to credit one specific development for making things dramatically worse, it's cryptocurrencies, not AI. [...]

One could argue it just accelerated everything. Without crypto it would still be possible to hack things and take the money out. It would require more manpower but it would be doable. Cash, wire transfers - nothing is perfectly secure. How are you going to prosecute someone in a foreign country like Russia or NK or even most Asian or African countries the West doesn't have strong relationships with? Even if you could, what's to stop the threat actors from bribing some poor person to take the fault if and when they're caught? If I'm a struggling farmer in Whateverstan, I'll happily take $50000 to give to my family in order to move millions to you.

And that acceleration of crime has positive aspects, too. Now a lot more people care about security. More care is given to making our infra and software in general more secure. Of course it's still insecure as shit, but I think it would be even more insecure if we didn't have cryptocurrency and the issues it brought with it.

Cryptocurrency has a few positives, too. Being able to buy drugs online (small, current positive) or to know that if shit hits the fan politically, we at least have the technological foundation to escape oppressive, corrupt and dysfunctional governments financially (big, potential positive), even for a while, until we get our shit together financially. It hasn't happened yet, but since even a lot of laypeople know about cryptocurrency, it's possible it could help some people somewhere in the future.

It's similar with privacy - if no one abused the data we gave them, we wouldn't have as many laws about data privacy and we wouldn't have as many people who care about their privacy. You can argue that we're at the point of no return because there are trackers and cameras everywhere, both public and private. That's similar, but a bit different since it's an already established infrastructure. It's harder to fight against something like that but if we do, we could still change it. Perhaps another acceleration in that direction is what we need - mass invasion of privacy so we can collectively wake up and dismantle the current status quo.

heisenbit, 04/14/2026

crypto: incentives

ai: scaling finding opportunities

ai: improving exploit code engineering

ai: scaling automation of exploit execution

homogenization of infrastructures: simplifying target navigation

perfect storm

2001zhaozhao, 04/13/2026

That there is a preexisting way for people to get hacked doesn't seem to be a reason to dismiss other, new ways for people to get hacked.

gbibas, last Wednesday at 3:17 PM

Mythos and AI infused make some sense, but the thing I keep wondering is that while attacks can be planned and executed by AI, because inherently we have not yet solved the hallucination problem, any thought that AI will help you defend against attacks completely is short sighted. Mythos can find things, but if you ask it if you are secure, can you trust it? It is asymmetric AI warfare because of hallucinations.

readitalready, 04/13/2026

> rogue nations such as North Korea

Is North Korea really a "rogue nation" anymore? What does that even mean when the US, which is currently led by a convicted felon, is literally and unapologetically stealing resources from places like Venezuela and Iran?

FuriouslyAdrift, 04/14/2026

crypto is just money laundering by another name. It's actually easier to trace than the old school ways.

No... if you want to point to the one thing that transformed computer crime, it's the "cloud" and the programming paradigms that came with it.

figmert, 04/14/2026

Obligatory: https://xkcd.com/538/

psychoslave, 04/14/2026

Wealth odd distribution doesn't scale by definition. A malicious actor can possibly bribe some other actors, but they can't bribe them all. At large, the infosec nightmare should be society governed by corrupted plutocrats ruling pauperized populations through threat, lies and planned scarcity.

We know how to write software with very few bugs just as sure as we know how to structure societies with very few corrupted people. Although we just happen to often choose not to.

Rogue states can afford to bribe structurally weakened citizens, or to individually threaten them and their family to obtain the same kind of result with a probably cheaper and more scalable modus operandi.

They can also try to eliminate oligarchs of other nations, use all kinds of governmental disruptions, threaten to or actually militarily attack other countries, or engage in straight genocides.

Evaluating what nations are not under a rogue state according to these criteria is left as an exercise.

winddude, 04/13/2026

wow, I remember a time when hacker news had at least seemingly intelligent people and valid arguments.

soulofmischief, 04/13/2026

Well, Cryptocurrencies are part of said new era. They aren't strictly a problem that made things worse: they're a technology that comes with tradeoffs. The cat is out of the bag and we have to design around technologies that are here to stay in whatever capacity. Distributed, cryptography-based currencies/tokens are one of those technologies.
