Anthropic Mythos And Embracing The AI 'Bugmageddon'

Forbes, 10d ago

This is the online edition of The Wiretap newsletter, your weekly digest of cybersecurity, internet privacy and surveillance news. To get it in your inbox, subscribe here.

Anthropic was blunt in its assessment. "AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities," the $380 billion company proclaimed in a blog post last week. It had just released its Mythos model, which it said was able to find and exploit bugs in "every major operating system and web browser" available, all on its own. One worrying example: Mythos discovered a previously unknown flaw in the widely used OpenBSD open source operating system that had been sitting there for 27 years.

Anthropic isn't the only one to have come to the conclusion that AI has reached its "singularity" moment in cybersecurity, where machines outclass people at hacking. Last month, when Israeli startup Tenzai's AI tools competed in a series of elite hacking competitions, the models outperformed over 99% of human competitors. Andrea Michi, former DeepMind researcher and cofounder of AI startup Depthfirst, warned last month that AI was close to acquiring "superhuman" hacking skills.

The fear that a wave of AI-powered cyberattacks is coming has spawned hyperbolic neologisms like "bugmageddon" and "vulnpocalypse." But in the cyber community, there's a growing consensus that the prowess of AI hackers should be celebrated. For the period in which non-malicious companies are the ones in control of powerful AI, however long that lasts, they can start patching as many flaws as AI discovers. That's one reason Anthropic set up Project Glasswing, giving Mythos to a select group of 40 major tech companies so they could find vulnerabilities before cybercriminals do.

"That's what excites me most," says Daniel Cuthbert, a cybersecurity expert and senior fellow at the U.K.-based defense think tank RUSI. "If we see vendors finally start fixing stuff with this being a threat, then the internet is better off."

There's no doubt that companies need to act. On Friday, Anthropic said organizations should prepare for bigger backlogs of vulnerabilities that need addressing and advised using AI to find as many bugs as possible in a product before shipping it. The Cloud Security Alliance, a nonprofit that surveyed 250 cybersecurity executives about how to protect against AI hacking, said that companies should start using AI to do regular automated scans for vulnerabilities and "introduce AI agents to the cyber workforce across the board." Many have already started, including the White House, which is reportedly leading a review of critical infrastructure systems that could be affected by the new AI models' capabilities, according to the Wall Street Journal.

Some believe the most pertinent near-term impact will be to increase the workload for already overloaded IT teams, according to Jeremiah Grossman, CEO of Root Evidence, a cybersecurity company that helps clients with determining the importance of a given vulnerability. He tells Forbes that companies are already struggling to adequately prioritize patching bugs, leading to significant backlogs. A massive influx of AI-identified vulnerabilities will only "add insult to injury," he says. "Now we're going to be even more buried? Cool."

They may also be a distraction, given that Grossman claims only 10-20% of real-world attacks begin with an exploit of a software weakness. Most use phishing or social engineering to breach a computer network.

It's still not clear just how good Mythos will be in real-world scenarios. So far, Anthropic hasn't presented any findings that indicate the AI can break into well-defended systems, as noted by the AI Security Institute, a research organisation within the U.K. government's Department of Science, Innovation and Technology. It wrote in an assessment published Monday that it had tested Mythos and found that while it "can exploit systems with weak security posture," it hadn't been tasked with breaking through security protections like firewalls.

Grossman predicted the vast majority of security teams won't see an impact in the next few years. That should be enough time for defenders to get a head start on attackers.

Got a tip on surveillance or cybercrime? Get me on Signal at +1 929-512-7964.

THE BIG STORY

GTA Developer Rockstar Games Hacked

For the second time in three years hackers have stolen data from Rockstar Games, the developer of the hugely popular Grand Theft Auto series. The hackers threatened to release Rockstar information if a ransom wasn't paid, though that hasn't happened so far. The company sought to downplay the severity of the breach, saying only "non-material company information" was stolen.

Stories You Have To Read Today

After myriad lawsuits and reports of child grooming on its platform, Roblox announced two new types of age-based accounts for younger users: Roblox Kids for children between five and eight, and Roblox Select for those between nine and 15. "When they roll out in early June, these accounts will more closely align content access, communication settings and parental controls with a user's age," the company wrote in a blog post.

The Trump administration is trying to unmask a Reddit user who criticized ICE and has ordered Reddit to appear before a grand jury in Washington, D.C. to provide information on the person's identity, according to The Intercept. Prosecutors use such grand jury subpoenas to compel witnesses or companies to provide information so they can determine if there is probable cause to charge someone with a crime.

The FBI can find deleted Signal messages in people's iPhones because of the way Apple's operating system stores notification information, 404 Media reports.

Winner of the Week

The Department of Justice got a court order to remove Russian spies from compromised home and business routers made by the Chinese company TP-Link, allowing the FBI to send an update to affected devices to change settings and harden security. According to the DOJ, Russian agents working for the GRU intelligence agency abused their illegal access to the routers by intercepting emails and passwords for a range of targets. They included "individuals in the military, government, and critical infrastructure sectors."

Loser of the Week

A group of civil liberties organizations has called on Meta to abandon plans to introduce facial recognition into its Ray-Ban and Oakley smart glasses, warning it will embolden stalkers. Previous reports in the New York Times said Meta had been testing the feature, though the company told Wired, "If we were to release such a feature, we would take a very thoughtful approach before rolling anything out."

Originally published by Forbes
