The more I live the more I believe people at the top operated in some sort of cult mentality. The level of gullibleness, temporary lack of critical thinking is only matched by their sociopathy and Machiavellianism.
I'm sure it's a great big model, but the level of hype and dishonesty is something out of Sam Altman's book.
Of course it's because of the upcoming IPO, but that's the end game, for now it's critical to get those private equity guys and bank institutions to believe the gospel and hold the bag, only then the suckers from the secondary markets will be allowed to be suckers too.
If it’s all marketing gimmick, then all companies that have collaborated to patch their bugs are collectively lying. If that’s the case, and they can get both OSS maintainers and the ones are on payrolls of Microsoft et al. to lie… hats off to them honestly, they deserve all the marketing exposure.
Maybe it's marketing, but I think it's regrettable that Anthropic paired project Glasswing with Mythos. It really makes it seem like Mythos is the threat, rather than the fact that tons of vulnerabilities have always been ignored throughout the software world.
If Glasswing has been started years ago with the goal of applying fixes to AI-found gaps, then this would just be another model to add to that effort. But doing so in the ominous shadow of some new super model boosts panic IMO.
You're making a hubris-laden assumption coders know the gaps their baking into their software — that any human has a decent enough grip on the multitudes of spinning logic duct taped together to make the internet run. Most vulnerabilities aren't "ignored"; they're in a neverending backlog or unknown.
If you closed all of the AI-discovered security vulnerabilities tomorrow - by the next day there'd be a host of new ones. That's software, baby.
The strongest model we've benchmarked on our comprehensive, little known, and difficult to game benchmark, is still Claude Opus 4.5 for agentic workflows. That's not a typo.
Interpret that how you will, but if Anthropic had to take cost/resource savings measures after the last major release, less than 6 months ago, it's unlikely they have the economics to offer what Mythos is promised to be, at any sort of product scale. But I agree, it would be great to get stronger models and start securing all the junk on the web. Of course, that requires maintainers to know how to use these tools.
This. I’ve been hearing panic from the non-security community about Mythos because “zomg z3r0 d4y5!!” Since the announcement but these are the same people running production servers 10 updates and 2 critical security fixes behind for years.
I don’t need cutting edge AI to take you down. I need MetaSploit with a CVE list that’s been updated in the last 6 months.
I'm particularly interested if someone with relevant expertise could comment on the types of bugs Mythos found, e.g. the 27 year old OpenBSD bug.
I ask because the media around Mythos is leaning into the "Mythos is a super intelligence that can find bugs that no human can" story. But in my mind it's pretty obvious that any software that is complex enough will have a lot of lurking zero days, and better tools will asymptomatically find more of them. So it seems to me something like Mythos would just be able to do more analysis/searching for bugs at a much faster rate than previously possible. But I'm skeptical that the bugs that were found required an insane amount of analytical abilities to locate, so would really appreciate if someone could comment on that (e.g. was it "yeah, with enough time we would have found it eventually" vs. "Wow, this was an insanely difficult bug to find in the first place")
I do agree that medium/long term that tools like Mythos will be a huge boon for cyber security, because it will inherently make it easier to write bug-free code in the first place. But yeah, we're now at a point where all these "pre-AI bugs" need to be fixed and patched before folks in the wild find all these zero days.
> A recent leak of Claude’s code prompted the startup to publish a blogpost at the beginning of the month saying that AI models had surpassed “all but the most skilled humans at finding and exploiting software vulnerabilities” [...]
I've seen a bunch of people conflate the Claude Code source-map leak with the Mythos story, though not quite as blatantly as here. I'm confident that they are totally unrelated.
I have a pet theory that the uptick in normal cybersecurity PRs you mention as a trend in your blog were done with Claude Code’s stealth mode and Mythos.
I wonder whether this kind of release of model could become the spark that ignites a new digital "cold war" between us, europe, india and china, in which they will try to outwit their rivals and compromise their critical infrastructure using artificial intelligence.
Also I’d like to believe that this really is such a huge step forward compared to Opus, but lately I’ve found it hard to believe when I look at the statements made by the CEOs of AI companies and their associates, who are fuelling the hype surrounding this topic even further. Of course, it is good that large companies and industries that are crucial to the country are the first to have access to this, but until the launch takes place, I will approach this with a degree of scepticism.
Already been going on for over a decade - export controls on dual use technology like Xeon processors already began being enforced back in the Obama admin.
> until the launch takes place
It's already launched. Some companies had access to Mythos for months.
> fuelling the hype
This is true. Commercially available models from a year ago are already good enough from an offensive security perspective. Their big issue was noise, but that could be managed.
Tangentially related, but how does one protect themselves against the bank account/brokerage being hacked? Can you print out a proof of funds/securities owned to take to court to be made whole?
Your screenshot/PDF is kind of worthless since it's trivially editable. Still a good idea to have it.
Banks are required by law to be able to produce account balances in a few days. In some countries the are required to submit them to account protection institution regularly so that if a bank fails they can quickly reimburse people to prevent panic spreading to other banks.
You can probably request some sort of notarized proof of accounts, but it will probably cost you $100.
I hope these banks are complaining how Anthropic is preventing them from accessing their latest model and giving preferential treatment to other businesses.
I'm wondering whether the NSA will be granted access. It's already the largest collection of mathematicians on the planet and now they'd be given tools that could automate a lot of discovery. Or they're panicking that their "old faithful" back door will be patched soon.
28 comments
[ 166 ms ] story [ 1275 ms ] threadI'm sure it's a great big model, but the level of hype and dishonesty is something out of Sam Altman's book.
Of course it's because of the upcoming IPO, but that's the end game, for now it's critical to get those private equity guys and bank institutions to believe the gospel and hold the bag, only then the suckers from the secondary markets will be allowed to be suckers too.
There's no legal mechanism for the president or the government at all to do that.
If Glasswing has been started years ago with the goal of applying fixes to AI-found gaps, then this would just be another model to add to that effort. But doing so in the ominous shadow of some new super model boosts panic IMO.
If you closed all of the AI-discovered security vulnerabilities tomorrow - by the next day there'd be a host of new ones. That's software, baby.
Interpret that how you will, but if Anthropic had to take cost/resource savings measures after the last major release, less than 6 months ago, it's unlikely they have the economics to offer what Mythos is promised to be, at any sort of product scale. But I agree, it would be great to get stronger models and start securing all the junk on the web. Of course, that requires maintainers to know how to use these tools.
Benchmarks at https://gertlabs.com/?agentic=all
I don’t need cutting edge AI to take you down. I need MetaSploit with a CVE list that’s been updated in the last 6 months.
I ask because the media around Mythos is leaning into the "Mythos is a super intelligence that can find bugs that no human can" story. But in my mind it's pretty obvious that any software that is complex enough will have a lot of lurking zero days, and better tools will asymptomatically find more of them. So it seems to me something like Mythos would just be able to do more analysis/searching for bugs at a much faster rate than previously possible. But I'm skeptical that the bugs that were found required an insane amount of analytical abilities to locate, so would really appreciate if someone could comment on that (e.g. was it "yeah, with enough time we would have found it eventually" vs. "Wow, this was an insanely difficult bug to find in the first place")
I do agree that medium/long term that tools like Mythos will be a huge boon for cyber security, because it will inherently make it easier to write bug-free code in the first place. But yeah, we're now at a point where all these "pre-AI bugs" need to be fixed and patched before folks in the wild find all these zero days.
I've seen a bunch of people conflate the Claude Code source-map leak with the Mythos story, though not quite as blatantly as here. I'm confident that they are totally unrelated.
Also I’d like to believe that this really is such a huge step forward compared to Opus, but lately I’ve found it hard to believe when I look at the statements made by the CEOs of AI companies and their associates, who are fuelling the hype surrounding this topic even further. Of course, it is good that large companies and industries that are crucial to the country are the first to have access to this, but until the launch takes place, I will approach this with a degree of scepticism.
Already been going on for over a decade - export controls on dual use technology like Xeon processors already began being enforced back in the Obama admin.
> until the launch takes place
It's already launched. Some companies had access to Mythos for months.
> fuelling the hype
This is true. Commercially available models from a year ago are already good enough from an offensive security perspective. Their big issue was noise, but that could be managed.
I doubt we'll see a shift away from "everything's on the network!" because it's so incredibly beneficial to the surveillance state, but one can hope.
Banks are required by law to be able to produce account balances in a few days. In some countries the are required to submit them to account protection institution regularly so that if a bank fails they can quickly reimburse people to prevent panic spreading to other banks.
You can probably request some sort of notarized proof of accounts, but it will probably cost you $100.
And if banks get hacked and money gets wired out - maybe we’ll come up with ways to roll back the damage.
Who knows - this is new territory.
Its definitely NOT, in any way, a meeting to discuss potential systemic risk due to insolvency/bankruptcy at some key AI-related company.