Christian Stöcker2d ago
That does sound very concerning. And in this case, I don‘t think it is just hype. Otherwise they would not share this stuff with Google, Amazon, Microsoft, Oracle et al.
#Anthropic #MythosPreview #AI #Zerodays
Show threadEberhard Wolff2d ago
@chrisstoecker Why would this unlike all the other stuff be no hype? I have lost count of the number of instances where AI was supposed to be an incredible threat to everything.
Show threadJohannes Link2d ago
@ewolff @chrisstoecker Security holes share complicated but (I assume) characteristic patterns. Why don’t find humans them easily? Because you often need a longish sequence of steps to reveal them. This could be a sweet spot for generative models. The claim has been made for a couple of exploits in the preceding months.
Show threadJoeHenzi2d ago

@jlink @ewolff @chrisstoecker This isn't only hype. ChatGPT has teased AGI for 2 years. Both companies leak stupid things like how Claude is "anxious" to garner buzz. I am largely suspect of Claude, they have astroturfed the entire internet about their capabilities.

However, these tools have been finding exploits from the start, they are getting even better, cases are documented, piling up. Agreed - they are finding things others aren't, bypassing fuzzing. They are equally good at writing defects and buggy code - but I don't think this is only hype.

Anthropic says they are monitoring usage now they have realized this is dangerous. Using their API to probe things like the Linux kernel will get their attention they claim.

Show threadEberhard Wolff2d ago
@JoeHenzi @jlink @chrisstoecker I want to see these “thousands of high severity vulnerabilities” and why they are considered high severity. Security is not exempt from scientific methods. Show the data, publish a peer-reviewed paper. In this state, is just marketing by an AI company.
Show threadJohannes Link2d ago
@ewolff @JoeHenzi @chrisstoecker Wouldn’t it be a good thing if one of the innumerable harms and risks of GenAI gets attention in time? But you’re right; it may just be another piece of marketing to save the bubble from bursting.
Show threadJoeHenzi2d ago

@jlink @ewolff @chrisstoecker Could be or that projects need to patch the issues before we tell the world how to exploit them. Simple search turns up stories with examples. There is a false choice here - it can be good at finding issues and still be imperfect - but I don't doubt the team is onto something in that these tools are finding things people can't...

https://venturebeat.com/security/anthropic-claude-code-security-reasoning-vulnerability-hunting

Show threadEberhard Wolff
@JoeHenzi @jlink @chrisstoecker does the article give any sources except for Anthropic?
Apr 7 at 7:24pmMastodon for iOS
Show threadJoeHenzi2d ago
@ewolff @jlink @chrisstoecker You'll need AI to find out.
Show threadSebastian Kempken2d ago

@ewolff @JoeHenzi @jlink @chrisstoecker They claim that they'll share a "cryptographic hash" of the details, which will be published later after some vulnerabilities have been fixed.

https://www.anthropic.com/glasswing

Show threadEberhard Wolff2d ago
@skempken @JoeHenzi @jlink @chrisstoecker https://red.anthropic.com/2026/mythos-preview/ describes three vulnerabilities in detail.
- denial of service for OpenBSD
- FFmpeg problem (“we believe it would be challenging to turn this vulnerability into a functioning exploit.”)
- denial of service for a virtual machine monitor
- FreeBSD remote code execution (that sounds actually bad)
etc (I don’t want to read all of this).
Interesting but for my limited security knowledge not too harmful?
Claude Mythos Preview \ red.anthropic.com