Christian Stöcker4d ago
That does sound very concerning. And in this case, I don‘t think it is just hype. Otherwise they would not share this stuff with Google, Amazon, Microsoft, Oracle et al.
#Anthropic #MythosPreview #AI #Zerodays
Show threadEberhard Wolff
@chrisstoecker Why would this unlike all the other stuff be no hype? I have lost count of the number of instances where AI was supposed to be an incredible threat to everything.
Apr 7 at 6:41pmMastodon for iOS
Show threadJohannes Link4d ago
@ewolff @chrisstoecker Security holes share complicated but (I assume) characteristic patterns. Why don’t find humans them easily? Because you often need a longish sequence of steps to reveal them. This could be a sweet spot for generative models. The claim has been made for a couple of exploits in the preceding months.
Show threadJoeHenzi4d ago

@jlink @ewolff @chrisstoecker This isn't only hype. ChatGPT has teased AGI for 2 years. Both companies leak stupid things like how Claude is "anxious" to garner buzz. I am largely suspect of Claude, they have astroturfed the entire internet about their capabilities.

However, these tools have been finding exploits from the start, they are getting even better, cases are documented, piling up. Agreed - they are finding things others aren't, bypassing fuzzing. They are equally good at writing defects and buggy code - but I don't think this is only hype.

Anthropic says they are monitoring usage now they have realized this is dangerous. Using their API to probe things like the Linux kernel will get their attention they claim.

Show threadEberhard Wolff4d ago
@JoeHenzi @jlink @chrisstoecker I want to see these “thousands of high severity vulnerabilities” and why they are considered high severity. Security is not exempt from scientific methods. Show the data, publish a peer-reviewed paper. In this state, is just marketing by an AI company.
Show threadJohannes Link4d ago
@ewolff @JoeHenzi @chrisstoecker Wouldn’t it be a good thing if one of the innumerable harms and risks of GenAI gets attention in time? But you’re right; it may just be another piece of marketing to save the bubble from bursting.
Show threadJoeHenzi4d ago

@jlink @ewolff @chrisstoecker Could be or that projects need to patch the issues before we tell the world how to exploit them. Simple search turns up stories with examples. There is a false choice here - it can be good at finding issues and still be imperfect - but I don't doubt the team is onto something in that these tools are finding things people can't...

https://venturebeat.com/security/anthropic-claude-code-security-reasoning-vulnerability-hunting

Show threadEberhard Wolff4d ago
@JoeHenzi @jlink @chrisstoecker does the article give any sources except for Anthropic?
Show threadJoeHenzi4d ago
@ewolff @jlink @chrisstoecker You'll need AI to find out.
Show threadSebastian Kempken4d ago

@ewolff @JoeHenzi @jlink @chrisstoecker They claim that they'll share a "cryptographic hash" of the details, which will be published later after some vulnerabilities have been fixed.

https://www.anthropic.com/glasswing

Show threadEberhard Wolff4d ago
@skempken @JoeHenzi @jlink @chrisstoecker https://red.anthropic.com/2026/mythos-preview/ describes three vulnerabilities in detail.
- denial of service for OpenBSD
- FFmpeg problem (“we believe it would be challenging to turn this vulnerability into a functioning exploit.”)
- denial of service for a virtual machine monitor
- FreeBSD remote code execution (that sounds actually bad)
etc (I don’t want to read all of this).
Interesting but for my limited security knowledge not too harmful?
Claude Mythos Preview \ red.anthropic.com

Show threadJoeHenzi4d ago

@ewolff @jlink @chrisstoecker

Hey, not knowing what's going on doesn't mean someone is hiding something from you. Few months ago a startup that has a ton less resources found 12 bugs in OpenSSL, software/code that has received more attention than most. But they also went through disclosure and were patched.

Even that company says it's not a replacement for human review - but it did something humans hadn't before. Ignoring doesn't do anything.

Show threadEberhard Wolff4d ago
@JoeHenzi @jlink @chrisstoecker I am not ignoring. I am complaining about the lack of due diligence and criticality examining marketing material.
Show threadLars Stitz4d ago

@ewolff Probably related: https://mastodon.social/@bagder/116362046377975050

@JoeHenzi @jlink @chrisstoecker

Show threadJoeHenzi4d ago
@stitzl @ewolff @jlink @chrisstoecker This video is key: https://youtu.be/1sd26pWhfmg
Nicholas Carlini - Black-hat LLMs | [un]prompted 2026

YouTube
Show threadLars Stitz4d ago

@JoeHenzi You missed my point, which is: Daniel is the last to shill LLMs, *especially* in context of CVE reporting.

@ewolff @jlink @chrisstoecker

Show threadJoeHenzi4d ago
@stitzl @ewolff @jlink @chrisstoecker I didn't miss anything or react in any way you're imagining.
Show threadEberhard Wolff4d ago
@stitzl @JoeHenzi @jlink @chrisstoecker this is indeed a valuable source and he claimed that quality of the reports has improved significantly. I’d be interested to see whether that is such as high risk as the Anthropic marketing material says.