Aardvark Daily: The world's longest-running online daily news and commentary publication, now in its 30th year. The opinion pieces presented here are not purported to be fact but reasonable effort is made to ensure accuracy. Content copyright © 1995 - 2025 to Bruce Simpson (aka Aardvark), the logo was kindly created for Aardvark Daily by the folks at aardvark.co.uk
Depending on who you listen to, vibe coding is revolutionising the creation of software applications.
Using simple plain-English prompts and by way of iterative refinement, even a total non-programmer can knock up some impressive-looking programs in just a few hours. Prior to vibe coding, producing a similar level of software may have taken a team of people weeks or months.
Having dabbled in vibe coding I can say that my own experiences are somewhat different to the ideal scenario so often painted in advertisements for AI code generators such as Cursor or Claude. Things often go well to start with but unless you're very careful, things can also collapse into a state of disarray very quickly -- leaving you scratching your head as to why the project is now a total mess.
However, the vibe coding concept proves the potential of AI as a way of achieving very difficult tasks with minimal human effort and resource.
Unfortunately, the universal rule of technology (that which can be used for good can also be used for evil) still applies to AI and the concept of "vibing" and that is something which threatens the entire future of the internet.
One of the newest AI systems is called Mythos and it's the brainchild of Anthropic.
It seems that Mythos's big strength is its ability to analyse software and software-based systems in a way that identifies vulnerabilities. It does this in a way that seems to completely surpass every other software testing/probing solution currently in existence.
Anthropic hasn't released Mythos to the public yet and is still conducting closed tests with trusted partners -- because obviously if this thing fell into the hands of hackers and bad actors, the entire integrity of the internet would be under challenge.
Sounds overly dramatic?
Well no, not really, if you consider what it's already achieved in a very short space of time:
This AI agent has already uncovered long-standing and previously undetected zero-day bugs in such mature and critical software as OpenBSD, FFmpeg, FreeBSD, Firefox and the Linux Kernel. Some of those bugs have been around for over a decade, one an incredible 27 years.
The timeframes and effect of these vulnerabilities become even more impactful when you factor in that we're talking open-source software here that has been regularly reviewed by manual and automated systems over many years without these bugs being detected.
Now imagine what happens when this sort of capability falls into the hands of bad actors.
Nothing will be safe.
Security, as we've known it, could well pretty much disappear in the face of legions of evil little sods or state-sponsored bad actors, all seeking to exploit such vulnerabilities for political, maybe financial gain -- or perhaps just shites and giggles.
As we are pushed increasingly towards doing everything from banking to filing tax returns and interacting with medical services online; and as so many of the systems critical to modern-day life are reliant on keeping hackers out, this sort of vibe-hacking could be an insurmountable threat to our progress.
With governments around the world pushing ever harder towards the mandating of online digital ID, the failure of any such system could produce massive ripples throughout financial, medical and social circles. The fallout could be immense, when it happens.
Note that I said "when" and not "if" it happens.
Although Mythos is currently a "closed shop" without public access, we've already reached a point where very complex AI systems can be run locally on hardware as lightweight as a Raspberry Pi. You can be 100 percent sure that the capabilities of Mythos will fall into the wrong hands, probably sooner rather than later. In fact, it may already have done so.
Deep down inside, I wonder if this will be used as an excuse by paranoid and power-hungry politicians to perhaps suggest that "personal computers" (ie: computers not owned/operated by approved entities) may eventually be made illegal. After all, we can't possibly take the risk that someone tinkering with a Chinese-authored AI system on their Raspberry Pi (or worse) won't launch a full-blown attack against critical infrastructure based on a previously unknown vulnerability detected by that AI, can we?
Won't someone think of the children?
In a world where no door can be locked, how do you keep your valuable data safe?
I'm sure there's more to be written on this topic.
Carpe Diem folks!