
Closed source also has similar problems

Posted May 1, 2026 21:07 UTC (Fri) by Lennie (subscriber, #49641)
Parent article: Eden: NHS goes to war against open source

It's silly for people to think open source code is the problem here.

If you have a binary or source, you can have an AI search for flaws.

Point an AI agent at a disassembler and it will happily go find flaws and write an exploit.


Closed source also has similar problems

Posted May 1, 2026 23:16 UTC (Fri) by k8to (guest, #15413) [Link] (2 responses)

We've had tools that work with binaries for at least thirty years. Closed code hasn't been safe for a generation. Doesn't stop the fools.

Closed source also has similar problems

Posted May 2, 2026 12:24 UTC (Sat) by zeekec (subscriber, #2414) [Link]

It does mean that they don't have to worry about handling fixes from the open-source community.

Closed source also has similar problems

Posted May 6, 2026 12:48 UTC (Wed) by Lennie (subscriber, #49641) [Link]

But we now have tools (LLMs) which can read much more and faster than a human and have lots of knowledge of previous bug types.

Closed source also has similar problems

Posted May 3, 2026 9:29 UTC (Sun) by bof (subscriber, #110741) [Link]

So we need processors that decrypt binaries into caches using locked per-machine secrets, and installers that generate "personalized" binaries from secure vendor app stores on the fly.

(not!)

Closed source also has similar problems

Posted May 3, 2026 16:09 UTC (Sun) by jd (guest, #26381) [Link]

It's presumably about fears by those managers who don't understand such things and possibly politicians who are seeking to get rich quick via contracts to private companies for closed-source versions (that might well actually end up being pre-compiled copies of the open source software). I hope I'm being overly cynical here.

Closed source also has similar problems

Posted May 6, 2026 14:46 UTC (Wed) by nim-nim (subscriber, #34454) [Link] (1 responses)

Some points
1. it’s not as simple as “point an AI agent at a disassembler”
2. all the companies trying to woo 3-letter-agencies with their AI are definitely working on it
3. it’s a lot less dangerous legal-wise to claim an exploit against some FLOSS software, than to do the same with some proprietary binary-only software protected by expensive lawyers
4. you need to publish an exploit against some binary-only proprietary software to prove the tech works, because otherwise people will say the agent had access to the source code via training or something else
5. therefore don’t expect public proof the tech works as soon as it starts working

However, some people are definitely in damage control mode and “this can’t work (yet)” mode today:
https://www.penligent.ai/hackinglabs/anthropic-mythos-str...

Closed source also has similar problems

Posted May 10, 2026 10:20 UTC (Sun) by lyda (subscriber, #7429) [Link]

So based on those points we can determine that state actors will very soon have exploits for NHS software that no one will know about.

Solid plan.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds