> We know how to write software with very few bugs (although we often choose not to)

Do we, really? Because a week doesn’t go by when I don’t run into bugs of some sort.

Be it in PrimeVue (even now the components occasionally have bugs, seems like they’re putting out new major versions but none are truly stable and bug free) or Vue (their SFC did not play nicely with complex TS types), or the greater npm ecosystem, or Spring Boot or Java in general, or Oracle drivers, or whatever unlucky thread pooling solution has to manage those Oracle connections, or kswapd acting up in RHEL compatible distros and eating CPU to a degree to freeze the whole system instead of just doing OOM kills, or Ansible failing to make systed service definitions be reloaded, or llama.cpp speculative decoding not working for no good reason, or Nvidia driver updates bringing the whole VM down after a restart, or Django having issues with MariaDB or just general weirdness around Celery and task management and a million different things.

No matter where I look, up and down the stack, across different OSes and tech stacks, there are bugs. If there is truly bug free code (or as close to that as possible) then it must be in planes or spacecraft, cause when it comes to the kind of development that I do, bug free code might as well be a myth. I don't think everyone made a choice like that - most are straight up unable to write code without bugs, often due to factors outside of their control.

These are vastly different scales though. “If North Korea wanted to, they could spend a lot of money and get into your system” is wildly different to “anyone with a few bucks who can ask ‘please find an exploit for Y’ can get in”

> And with this much at stake, they can afford to simply buy your software dependencies, or to offer one of your employees some retirement money in exchange for making a "mistake".

LAPSUS$ was prolific by just bribing employees with admin access. This is far from theoretical. Just imagine the kind of money your average nation state has laying around to bribe someone with internal access.

> but they don't need FreeBSD exploit-writing capabilities for that.

That's a solid point. There was a piece the other day in the Register [1] that studying supply chains for cost-benefit-risk analysis is how some of them increasingly operate. And, well, why wouldn't they if they're rational (an assumption that is debatable, of course)?

[1] https://www.theregister.com/2026/04/11/trivy_axios_supply_ch...

"It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time."

Does this mean firewalls now have to block all Ethereum endpoints?

Yeah I tend to agree. For me Mythos' principal risk in my mind is saturation through being able to do bad things faster. Vulnerabilities are found and fixed - that's life. What is a problem is identifying and prioritising vulnerabilities. A miscategorisation or misidentification may lead to an extended attack window of a vulnerability. If a cloud provider, or multiple cloud providers are open to something there then everyone is in trouble. That's a pretty big nightmare scenario for me where I currently am.

That there is a preexisting way for people to get hacked doesn't seem to be a reason to dismiss other, new ways for people to get hacked.

> This is a perfect illustration of what cracks me up about the hyperbolic reactions to Mythos.

The hyperbole was press released and consciously engineered. It consists entirely of the company who made Mythos, the usual captured media outlets who follow the leader, and the usual suspects from social media.

The reaction to it as if it is meaningful just fluffs it up more.

These are unprofitable companies trying to suck up maximum possible investment until they become something that the government can justify bailing out with tax money when they fail. Once you've crossed that line, you've won.

Some model that is super good at finding vulnerabilities will be run against software by the people trying to close those vulnerabilities far more often than by anyone trying to exploit them.

Well, Cryptocurrencies are part of said new era. They aren't strictly a problem that made things worse: they're a technology that comes with tradeoffs. The cat is out of the bag and we have to design around technologies that are here to stay in whatever capacity. Distributed, cryptography-based currencies/tokens are one of those technologies.