Development of advanced AI

osprey

This article, https://medium.com/@itsvksharma_/5fa3efa4dd01, describes the advanced nature of a new AI model called "Claude Mythos" by the Anthropic company which developed it. Briefly, it's an AI model that the company regarded as too powerful to release publicly because it had the capability of detecting bugs in all current operating systems, including Linux, and thus, of exposing exploits against all of them.

In response to its findings, it released the AI to a bunch of companies it regarded as responsible, presumably so they could patch their systems. The Linux Foundation was one of those companies alongside Microsoft, Amazon, Apple, Cisco, Google etc.

Some quotes follow.
On Linux:
In the Linux kernel, Mythos did not just find individual flaws. It autonomously chained multiple vulnerabilities together in a sequence that would give an attacker complete control over any machine running Linux, which powers the majority of the world’s servers. That kind of chained exploit discovery has historically required highly skilled human researchers working for weeks or months.

On the aim of Anthropic:
The goal is straightforward, even if the execution is enormously complex: patch the world’s most critical software before a model at this capability level ends up in the wrong hands. And everyone involved knows it is only a matter of time before comparable capabilities are available beyond organisations committed to responsible deployment.

On attack, defence and vulnerability:
Attackers need to find one vulnerability. Defenders need to find all of them. AI models like Mythos begin to close that gap by making comprehensive coverage actually feasible.

The discovery of a 27-year-old OpenBSD bug is the clearest illustration of this. That vulnerability survived countless human audits and automated scans. No single company’s security team was ever going to find it through traditional methods. Mythos found it in testing. If that kind of systematic, exhaustive review can be applied to the world’s most critical infrastructure before attackers get a comparable tool, the net impact on global security is genuinely positive.
 


That is a wonderful find, @osprey ... and more than welcome news for all concerned, in particular (of course) Linux.

With some common sense ruling the future of these findings, and the application of same, Linux should get a major shot in the arm, simply because of its place in the world’s most critical infrastructure.
 
Don't worry, no doubt the 3 letter agencies have already swooped in and begun to use it for nefarious reasons "noble" reasons.

Snowden tried to warn the world in 2013; yet look at us. Shameful and sad truth is that in the end, there's nothing we can do to stop it.

Would be nice to see the utility used to rapidly patch the kernel to harden it worldwide though. With any luck.
 
Let's avoid getting too political.

AI has come a long way. Way back in the day, back in the early 1970s, a fella you might know about named Richard M. Stallman joined the AI labs at MIT. (It wasn't until recently that he 'retired' from MIT, sometime within the past decade.)

As I've said before, I've found some uses for AI. The AI blurbs in some/many/most Google search results have actually changed the way I've crafted my search terms. It is now more likely that a complicated question can be answered at the top of the page.

But, well, there's a caveat...

Don't blindly rely on the information. Instead, trust but verify. If you're just reminding yourself, or if it's in your particular field, you may not need to do a lot of verification -- but you should at least give it a mental sanity-check.
 
Good news for Firefox after having been subjected to the advanced "Claude Mythos" AI. Firefox 150, which is now released, had 271 vulnerabilities identified using Mythos with fixes applied. Details are here: https://blog.mozilla.org/en/firefox/ai-security-zero-day-vulnerabilities/

Interestingly, the vulnerabilities were not ones that developers could not have found. Rather, they just hadn't found them yet, so in this case it seems the AI has provided a speed advantage which is sort of preventative against exploits which is more efficient than after-the-fact curative.
 
^^^ @osprey, which then means that the many and various Firefox derivatives will also benefit as soon as they take advantage of the fixes applied in Firefox 150.

The speed advantage is to everyone's benefit.
 
various Firefox derivatives will also benefit as soon as they take advantage of the fixes applied in Firefox 150

I looked up Debian's Firefox-ESR (based on FF 140). One can see the fixes have already been incorporated, the long list of CVE-2026-* will be it: https://security-tracker.debian.org/tracker/source-package/firefox-esr

I read quite a lot of news on the model and Mozilla appears to be one of the first to put out a statement about having relied on it - aside from the 12 launch partners of which some have taken on to coordinate using it on the wider Linux software stack. E.g. Daniel Stenberg, the principal maintainer of curl, has publicly cursed AI bug reports in the past, because they waste a lot of their time. Regarding the bug report he received from one of the launch partners, he replied with a thank you. Critical, uber-smart developers like him reacting like that is telling on the qualitative improvement the model achieved.
 
the advanced nature of a new AI model called "Claude Mythos" by the Anthropic company which developed it. Briefly, it's an AI model that the company regarded as too powerful to release publicly
I found this interesting thread on Debian forums:

in a nutshell, it's a hype:
My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing.
 
I found this interesting thread on Debian forums:

in a nutshell, it's a hype:

Thanks for the link. It's often most interesting to read the thoughts and analyses of developers. We depend so much on them.

It seems in this case of curl, that it's written with reasonably good code at this point and therefore finding a plethora of bugs isn't likely to happen because of its current inherent quality. So the finding that Mythos AI didn't have a higher degree of facility than "standard" AI when applied to curl, because it didn't seem particularly more revelatory with the curl code, is not necessarily a reason to suppose that Mythos AI (or any future AI development) isn't going to be deeply more informative than previous AI analysers on other code bases. That curl is in fact reasonably good code is mentioned a number of times in the article with expressions like: "curl’s status as one of the most heavily fuzzed and audited C codebases". In other words, it appears that curl just doesn't need that much AI analysing at all, just some basics which popped out a few vulnerabilities and bugs, but nothing critical that could bring it down.

It's not sound to infer that because Mythos didn't produce superior results relative to other AI engines with curl, that it cannot do so elsewhere. The author acknowledges that with his statement: "This is just one source code repository and maybe it is much better on other things. I can only tell and comment on what it found here." Ultimately the article is thus more about curl than about Mythos because of the limited nature of the author's experience. None of this means Mythos is actually living up to the hype. The world isn't fully informed about it yet because of the restricted nature of its release.
 

