A sign of things to come.
You’ve probably read that Anthropic, the company behind Claude AI, announced a new version of its LLM, Mythos1. What made it extra newsworthy is that while announcing its existence, Anthropic also indicated that Mythos was being purposely withheld from public access.
Why? Because it had proved too adept at discovering vulnerabilities in existing software, including every major operating system and many other popular tools. Instead, a select few — typically the owners of the operating systems, tools, open source projects, and a few others — would be given access, presumably so they could correct all the vulnerabilities Mythos had discovered.
Myth? Hype? Reality?
It’s unclear. Anthropic has played games with their announcements before, so it’s possible this was a stunt.
But even if it was, it doesn’t matter, because it’s pointing out something much more important about the future of AI.
Mythos may not matter
AI is getting powerful enough to find thousands of security holes in major software. That sounds scary, but the fix is the same as always: keep your software updated and stay alert to phishing. No matter how smart AI gets, most of your security still comes down to what you do.
Just what is Mythos?
Mythos is a large language model (LLM) designed to understand how text, or language, is structured. Earlier Anthropic LLMs include (currently selectable when using the Claude chatbot):
- Sonnet 4.6
- Sonnet 4.5
- Opus 3
- Opus 4.7
- Opus 4.6
- Haiku 4.5
If Mythos were released publicly, it presumably would be another item on that list. Each of these AI families has strengths and weaknesses, and is typically chosen for various purposes aligned with those characteristics. The more-or-less fantastical claim by Anthropic about Mythos is this:
We have identified thousands of additional high- and critical-severity vulnerabilities that we are working on responsibly disclosing to open source maintainers and closed source vendors.
As a result, they deemed Mythos too powerful for general use and instead created Project Glasswing, a responsible disclosure in which select participants could access the model and correct the reported vulnerabilities. They’ve stated that “Mythos-class” LLMs will be made available publicly at some point, but have not said when.
What’s interesting about Mythos is that it was never designed to be a vulnerability-finding machine. It’s just the new, more powerful general-purpose LLM from Anthropic. It happens to be Really Good at vulnerability-finding. Who knows what else it’s really good at?
Help keep it going by becoming a Patron.
Related
Why Do We Suddenly Need AI?
AI might feel sudden and overwhelming, but it’s not the first fast-moving, world-changing technology we’ve faced. I'll compare AI to the rise of the automobile and explore why understanding and engaging with AI, rather than dismissing it, is probably the smartest move we can make.#183047
All AI is only getting more capable
Anthropic’s action around Mythos could be unwarranted hype. Or it could be completely legit, and letting Mythos fall into the hands of “the bad guys” could allow them to attack and exploit those thousands of vulnerabilities.
It doesn’t matter.
Eventually, such a model will be created by Anthropic or some other AI company. It’s also just a matter of time before a “Mythos-class” LLM — again, from Anthropic or someone else — becomes available publicly.
The hype will eventually be true, if it isn’t already.
Could AI fix the vulnerabilities it finds?
If not today, then yes, very soon. The members of Project Glasswing are likely using every tool at their disposal to analyze the reported vulnerabilities and fix them. And those tools will almost certainly include AI.
And, once again, if today’s AI can only help, but not actually “fix ’em”, it’s almost certain that a model in the near future will make that leap. AI is, after all, only getting more capable.
It’s a new race
I’ve long talked about what I call “the race”: malware authors are always one step ahead of the anti-malware tools that try to identify and neutralize their efforts.
AI has introduced a new race: using AI tools to find and fix vulnerabilities faster than “the bad guys” use AI tools to find and exploit them. Particularly since they’ll be using multiple AI tools with different capabilities and availability, this is likely to be quite a race indeed.
But in a sense, it’s just the next logical extension of the race we’ve been in since computers and malicious software came into existence.
Related
More Tips to Protect Yourself from AI Scams
AI has entered the chat. And the email. And the voice call. And the video. And it's making scams even harder to detect.#176909
Does it matter?
It all sounds very scary, and in a way, it is. If those “thousands of vulnerabilities” can be exploited, then various systems are at risk of compromise… maybe even yours.
Or maybe not.
As my TEH Podcast co-host, Gary Rosenzweig, pointed out, it’s still easier to ask someone for their credentials than to compromise their account or system. Traditional phishing is cheap, easy, and all too often successful. Hackers will apply AI there first, making phishing attempts even more realistic than they are today.
Besides, in order for unpatched, newly discovered vulnerabilities to be exploited, the user must do something, like open an attachment or click a link. So don’t do that. I know that seems like a flip statement, but the reality is that much of, if not most of, your security is in your own hands. Mythos can identify all the unpatched vulnerabilities it wants, but you’re still safer (not “safe”, as there is no such thing) as long as you avoid the things malware authors try to get you to do.
I expect that corporations and governments will be most affected by this. While many of them are compromised by phishing attacks on workers, their public-facing systems are under constant automated attacks that can now easily include newly discovered vulnerabilities.
What does the future hold?
As I’ve said in multiple places, we’re currently seeing the worst AI we’ll ever see. Put another way, AI will only get more powerful.
Ideally, software engineers will use that ever-improving AI to find and fix vulnerabilities before their software is released. In other words, they’ll get ahead in the race.
But of course, everyone will have access to continually improving AI, including those looking to find and exploit unpatched vulnerabilities released. The race will continue.
Do this
It’s a very boring bottom line, and of course, you should already be doing this anyway.
- Take updates, of course. When vulnerabilities are fixed, you want to make sure the software on your machine(s) gets those fixes.
- Keep your own guard up and remain skeptical. Phishing is only going to become more and more convincing, which means you’ll have to become more and more adept at avoiding, or at least questioning, what you encounter.
Above all, don’t panic. Don’t lose sleep over the constant stream of AI-related news and announcements running the gamut from “save the world” to “it’s the end of the world”. The truth is somewhere in between, and many people are working to ensure that in the long run, AI remains a tool for (mostly) good.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: And, in response, it would seem, a few weeks later OpenAI released Daybreak.
2: From Anthropic’s Assessing Claude Mythos Preview’s cybersecurity capabilities.
Related
Behind the Scenes Hardening Firefox with Claude Mythos Preview – An interesting view from one project’s developers on the impact of Mythos. Pay particular attention to “Firefox Security Fixes by Month”.
I’m not overly concerned about Claude Mythos finding so many vulnerabilities in so many operating systems and other software. Eventually they will get fixed and improvements will be made, I’m sure.
Based upon a few articles I’ve read, AI companies are going to be facing a reckoning. I’ve not heard that any have even reached the break even point financially, or even have an idea of what it would be. Sooner or later venture capitalists are going to say enough or shareholders will start clamoring for their dividends. Some of the companies and developers of AI agents are changing what is available for free, adding ads, or moving to tiered levels for those with a subscription. Not to mention the costs for more and larger data centers to handle the more advanced LLMs.
Eventually what I suspect will happen is that AI will move mostly into the corporate, higher education and government realms and will only be available to those who can afford to pay for it. It has already impacted the costs and availability of components for computers, phones and other electronic devices. And it will have an effect on utility costs. I won’t be surprised to see this rush to AI reach a critical point and implode, similar to what happened with the Dot.com bust back in the 90s.
AI in the form of LLMs will have its place, but not in the way that companies have hyped. I know I will not be paying for yet another subscription. I tried Copilot and ChatGPT but balked when asked to sign up for a subscription after a couple of queries that I made to see what they could do.