I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos.
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech i found this post very relevant
https://mastodon.social/@CuratedHackerNews/116387186190988598 -
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
Marcus Hutchins
Malware, Threat Intelligence, Ex-Hacker
Since multiple people have asked me to comment on Claude Mythos / Glasswing, here it is: I can't possibly comment on something I haven't even seen, let alone used.
I, like everyone issuing hot takes, have absolutely no information to go off. We're all looking at the same marketing post with scant falsifiable data or testable hypotheses.
People need to stop clapping like a herd of trained seals every time a corporation drops a new press release. Why not wait for actual impartial data and empirical evidence, then evaluate accordingly?
Press Releases are designed to make a product look as good as possible (and in many cases much better than it actually is, see: Devin, GPT-5, Humane Al, Sora, etc). These are marketing publications not peer-reviewed articles in scientific journals.
We really, as an industry, need to start being more objective. I get that everyone is excited for Al, but we don't need 200,000 hot takes about how "cybersecurity is over" or "the world is ending" every time a new press release drops.
Marketing teams get paid lots of money to hype up new products. Why are you doing their work for free? -
I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
@GossiTheDog IMO it's not nothing but not apocalypse. Enough for forward thinking groups to start taking it seriously and considering risks.
-
Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.
What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.
It's not though, is it?
@GossiTheDog Even *if* the word prediction box is now capable of findings vulns by throwing massive compute at the problem (leaving all the problems with this aside), you still need to get people to fix their shit. Like have they ever looked at what it takes to get a company to just patch their god damn network edge devices?
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech I, too, had my a-technical and very pro-A"I" colleague singing Mythos' praises. When I pointed out that we don't know how many false positives it also produced, it did dawn on him that it might not all that it seems
The thing is, is that he is in marketing, so he should know he's being fed a crafted story. But when it comes to this LLM-craze all critical thinking goed overboard, it seems.
I'm so worried about the future.
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
i keep thinking of the pet rock
and beanie babies
create buzz, create demand, get out early, everyone else is left with useless stuff cluttering their homes
-
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
@GossiTheDog @malwaretech Someday we will have a TV show called "Mythos Busters" where real cyber security experts debunk stuff like this ...
-
@GossiTheDog Even *if* the word prediction box is now capable of findings vulns by throwing massive compute at the problem (leaving all the problems with this aside), you still need to get people to fix their shit. Like have they ever looked at what it takes to get a company to just patch their god damn network edge devices?
In my observation, organizations use these PR announcements & media releases to do layoffs, so they can outsource to a nephew's startup or grandchild's consultancy.
And the necessary patches or policy changes never get implemented.
-
@GossiTheDog They aren't claiming it's over, that's a strawman. But interestingly they are providing commit hashes of things they've found. Some of these are seriously scary. I've saved a copy of the webpage and will be waiting to see if the promised commits turn up. If they do check out my opinion of Anthropic will rise. If not...
@trademark @GossiTheDog What does "commit hashes of things they've found" even mean? No non-slop project is going to merge the same commits they used in their fixes, because they're LLM slop without provenance to license. If any of these are real, the upstream will fix the bug properly in a way the actual people working on the project understand and can document.
-
In my observation, organizations use these PR announcements & media releases to do layoffs, so they can outsource to a nephew's startup or grandchild's consultancy.
And the necessary patches or policy changes never get implemented.
@Npars01 from experience, we can even leave out the nepotism and just trace it back to incompetence within the management team
-
Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.
What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.
It's not though, is it?
@GossiTheDog the thing I find the funniest is that their headline vulnerability in OpenBSD was closed as a reliability, not security issue & without a CVE, as far as I can tell?
-
@GossiTheDog Haven't we already been there with fuzzing?
Anyway, even if Mythos is as good as they claim, that's not really a problem as long as it is available only to a few. It's when every script kiddie gets access to it that we should start worrying.
@bontchev @GossiTheDog if it really did burn $20k in tokens to find the vuln, those script kiddies would have to be very well funded.
-
@trademark @GossiTheDog What does "commit hashes of things they've found" even mean? No non-slop project is going to merge the same commits they used in their fixes, because they're LLM slop without provenance to license. If any of these are real, the upstream will fix the bug properly in a way the actual people working on the project understand and can document.
@dalias @trademark @GossiTheDog the hashes are of advisories they claim they will publish in the future afaik, not patches.
-
@dalias @trademark @GossiTheDog the hashes are of advisories they claim they will publish in the future afaik, not patches.
@dalias @trademark @GossiTheDog so easily verifiable if they actually turn up but the hype cycle will have moved on by then and they already got the PR benefit of claiming a huge number of bugs
-
Well cybersecurity is over but not because of this but because of everyone and their mother deploying openclaw in production...
@agowa338 @GossiTheDog And anybody with a lick of knowledge about security getting laid off.
-
@GossiTheDog but other than that... yeah hype-marketing playbook 101.
Didn't OpenAI pull the:"oh no it's too powerful, humanity couldn't take it yet so we're not releasing it to the public", stunt with one of their earlier models as well?^^
-
@dalias @trademark @GossiTheDog so easily verifiable if they actually turn up but the hype cycle will have moved on by then and they already got the PR benefit of claiming a huge number of bugs
@azonenberg @dalias @GossiTheDog I think it will be a big deal if they don't keep their promises. It's the sort of thing journalists will use for attack pieces. We do already know that some of the bugs are real, for instance Anthropic is keeping the exploit for CVE-2026-4747 secret, but somebody else used public version of Claude to create their own working exploit: https://blog.calif.io/p/mad-bugs-claude-wrote-a-full-freebsd
-
Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.
What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.
It's not though, is it?
@GossiTheDog They’re doing the right thing with responsible disclosure, but omg they’re full of themselves. Zero days are not part of the daily cybersecurity churn to begin with, at all, but even so what they’ve found is unimpressive. Yet they literally take it as a given that they’ve turned the industry upside-down. Quod effing none.
-
@azonenberg @dalias @GossiTheDog I think it will be a big deal if they don't keep their promises. It's the sort of thing journalists will use for attack pieces. We do already know that some of the bugs are real, for instance Anthropic is keeping the exploit for CVE-2026-4747 secret, but somebody else used public version of Claude to create their own working exploit: https://blog.calif.io/p/mad-bugs-claude-wrote-a-full-freebsd
@trademark @azonenberg @GossiTheDog I love how they hype what's a vuln in the in-kernel NFS server (FFS we've been doing this shit at least 2/3 of my lifetime, stop doing NFS/sunrpc shit already) as "FreeBSD RCE".
I knew when I was like 15 that you don't run NFS unless you want to get popped.
-
@trademark @azonenberg @GossiTheDog I love how they hype what's a vuln in the in-kernel NFS server (FFS we've been doing this shit at least 2/3 of my lifetime, stop doing NFS/sunrpc shit already) as "FreeBSD RCE".
I knew when I was like 15 that you don't run NFS unless you want to get popped.
@dalias @azonenberg @GossiTheDog To summarize your position: "If Anthropic witholds something to give defenders time to fix it, it means they're lying and have nothing. When they do release a real bug it means that it was for some stupid thing you shouldn't be running anyway." Got it.
