about https://www.flyingpenguin.com/the-boy-that-cried-mythos-verification-is-collapsing-trust-in-anthropic/

Here's a one-page version of the above article for an IT person:

**The gist: Anthropic hyped a new AI model called "Claude Mythos Preview" as an unprecedented cybersecurity threat — and the author argues the technical evidence simply doesn't back up the headlines.**

**What Anthropic claimed:**
- Mythos discovered *thousands* of critical zero-day vulnerabilities across every major OS and browser
- It's so dangerous they won't release it publicly
- They launched a $100M defensive consortium (called "Glasswing") with Apple, Google, Microsoft, etc.

**What the author actually found in Anthropic's own 244-page document:**

1. **The "thousands" figure appears nowhere in the technical document.** It only shows up in the marketing blog and press releases — not in the actual system card that would need to survive peer review.

2. **The headline Firefox demo collapses on page 52.** The much-touted 72% exploit success rate drops to 4.4% when the top two bugs are removed. Anthropic's own document admits almost all wins came from the same two already-patched bugs. Worse, the predecessor model (Claude Sonnet 4.6) showed essentially equivalent triage ability.

3. **The bugs weren't even found by Mythos.** They were pre-discovered by an earlier Anthropic model and handed to Mythos as test material. Mozilla had already patched them.

4. **Independent researchers (AISLE) reproduced the showcase bugs using a 3.6 billion parameter open-weights model costing $0.11 per million tokens** — versus Mythos at $25/million. 8 out of 8 models tested found the same vulnerabilities.

5. **The $100M consortium is mostly fake money.** Only $4M is real cash. The other $96M is free API credits to use the product being evaluated — Anthropic paying partners to validate Anthropic.

6. **Mythos failed against properly defended targets.** The system card quietly admits the model couldn't compromise a properly patched sandbox, and failed against OT (operational technology) environments. It only won against networks with no active defenses.

7. **No standard security documentation exists:** no CVE list, no CVSS scores, no independent reproduction, no comparison to existing tools like fuzzers (AFL, OSS-Fuzz), no vendor confirmation of novel findings.

**The bigger concern the author raises:** Anthropic has, without any democratic oversight, set itself up as a private gatekeeper deciding which security capabilities are "too dangerous" — granting access only to the largest incumbents who benefit from being inside that exclusive club. He calls this regulatory capture dressed as safety.

**Practical takeaway for IT/security teams:** Don't change your budget or threat model based on this. Your patching cadence, EDR coverage, MFA enforcement, and asset inventory still determine your actual risk posture — not this announcement.

---

The author's core charge: the gap between the marketing claims and what the technical document actually says is so wide that it constitutes a significant breach of trust, following a well-worn pattern of tech FUD used to create market advantage.

#Anthropic #AI #Claude_Mythos_Preview
#Claude_Mythos #Claude_Sonnet #IT_security

Most secure #captcha ever

#TheThing #IT_Security

Zu der ganzen ePA Thematik:

Gelöst werden soll die Problematik nach meinem Verständnis ja dadurch, dass statt der Versichertennummer eine auf der Karte gespeicherte, signierte Versichertennummer verwendet wird. Aber öffnet das nicht replay Attacken Tür und Tor? Müsste nicht eigentlich eine Kombination aus Nummer und Datum Signiert werden? Und wenn ja: kann die Karte das?

#ePA #epa_datenschatz #38c3 #it_security

Plattforme, wo eim nachem Erstelle vom Account s sälber gwählte Passwort im Klartext nomol per Mail zuestelled: Weis me da meh? 🤔

#it_security #passwörter #uncool

Два подхода к анализу ПО на уязвимости: какой выбрать?

Думаю, каждый айти-специалист знает, насколько важно учитывать требования информационной безопасности при разработке и обеспечить защищенность ПО. А как именно обрабатываются уязвимости, и кто несет ответственность за их устранение? Сегодня хочу уделить внимание именно этой теме. Всем привет, меня зовут Денис, я заместитель начальника отдела безопасной разработки (ОБР) в ИТ-компании «СИГМА».

https://habr.com/ru/companies/sigma/articles/861482/

#анализ_уязвимостей #application_security #Security_Champion #appsec #устранение_уязвимостей #безопасная_разработка #информационная_безопасность #it_security

Идеальный кейс внедрения DevSecOps. Так бывает?

Привет, на связи отдел безопасной разработки СИГМЫ (ОБР). И хоть наша команда сформировалась относительно недавно, мы уже приобщились к «вечному» — а именно «противостоянию» разработки и безопасников. Если вы читаете эту статью, скорее всего такое знакомо и вам. Но иногда в этом взаимодействии формируются настоящие бриллианты. И сегодня речь пойдет как раз о таком кейсе.

https://habr.com/ru/companies/sigma/articles/808999/

#it_security #dast #sast #fuzzing #appsec #устранение_уязвимостей #безопасная_разработка #разработка_по #информационная_безопасность #devsecops

Fiese Phishing-Attacke, denn wer will schon zu Weihnachten auf sein Netflix verzichten...

#Phishing #Netflix #IT_Security

LogoFAIL gefährdet fast alle Personal Computer

#Datensicherheit #IT_Security #Linux

https://gnulinux.ch/logofail-gefährdet-fast-alle-personal-computer