Project Glasswing: Be afraid. Be very afraid.

[Brian Howell]

As someone who has run a website that faced over a thousand serious intrusion attempts a day from all over the globe (often through multiple obscuring hops), I know that technically savvy bad actors are out there in droves. That’s why I think Thomas Friedman is right: Anthropic’s announcement and latest model release were the most important news today.

https://www.nytimes.com/2026/04/07/opinion/anthropic-ai-claude-mythos.html

Brian Howell
Read me • See Me

www.linkedin.com/in/bdhowell

When we try to pick out anything by itself, we find it hitched to everything else in the Universe. — John Muir

[Asif Ahsan]

Hi Brian,

Thanks for the link.

I find the framing of this product release interesting. By labeling a model as "too dangerous for the public," a company can generate significant brand prestige and "capability hype" to inflate its valuation. Some experts argue this approach is as much a marketing masterclass as it is a security precaution, especially given Anthropic's need for funding.

The fact that the new model hallucinates in nearly one in five complex scenarios suggests that, internally, they may be more concerned with the system's limitations than its power. It seems more like a marketing stunt or propaganda to me.

Broadly speaking, I think that the use of apocalyptic language like "dangerous" or "the end of humanity" regarding AI is largely performative in the media. These outcomes aren't realistic for a large language model or any model of software in existence. 

Asif 

--
You received this message because you are subscribed to the Google Groups "Ipse Dixit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to Ipse-dixit+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/Ipse-dixit/CAAq%2BNfeU7R3uB8HNmRRfhjG5TCWqVh8ymCJj6qit3dmHOLL%3D4Q%40mail.gmail.com.

[Scott Hotes]

On Apr 8, 2026, at 3:41 PM, Asif Ahsan <aah...@gmail.com> wrote:

I find the framing of this product release interesting. By labeling a model as "too dangerous for the public," a company can generate significant brand prestige and "capability hype" to inflate its valuation. Some experts argue this approach is as much a marketing masterclass as it is a security precaution, especially given Anthropic's need for funding.

The fact that the new model hallucinates in nearly one in five complex scenarios suggests that, internally, they may be more concerned with the system's limitations than its power. It seems more like a marketing stunt or propaganda to me.

Broadly speaking, I think that the use of apocalyptic language like "dangerous" or "the end of humanity" regarding AI is largely performative in the media. These outcomes aren't realistic for a large language model or any model of software in existence. 

Asif 

Hi Asif, all of the recent AI hype no doubts some skepticism here.

However, consider the actual claim being made by Anthropic:

"Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout—for economies, public safety, and national security—could be severe. Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes."

There is no claim of general intelligence or threats to humanity.  They are simply saying that the model has already found thousands of high-severity vulnerabilities.  Does this really sound implausible to you?

We do know that these models have recently autonomously (without human help) solved a number of the outstanding Erdos problems, see for example:

https://www.dongascience.com/en/news/76292

Is it so unreasonable to think that AI could detect vulnerabilities in critical software systems?

Also, Anthropic is stating here that they are sharing this model with over 40 software and security companies so that they can patch some of these vulnerabilities before this model (or others like it) become publicly available.  I guess if this were all made up Anthropic would be at some risk of having this fabrication exposed.  Does that provide additional weight to the claim?

Scott

[Rupert Clayton]

Thanks for drawing my attention to this Anthropic announcement, Brian. (Alternative write-up via The Register: https://www.theregister.com/2026/04/07/anthropic_all_your_zerodays_are_belong_to_us/ Detailed info from Anthropic's own blog post: https://red.anthropic.com/2026/mythos-preview/ )

I have to say Thomas Friedman's framing of the issues is as annoying as I should have expected:

> Holy cow! Superintelligent A.I. is arriving faster than anticipated, at least in this area ...

> I’m really not being hyperbolic when I say that kids could deploy this by accident. Mom and Dad, get ready for:

> "Honey, what did you do after school today?”

I'm no-one's thought leader, but two things I know for sure:

1. Much as little Tommy Friedman may have enjoyed War Games and Hackers, the big risks from this development are NOT posed by rogue teenagers with too much time on their hands.

Alright, I'm being snide. Friedman was 30 when War Games came out and none of us have got any younger. But the two types of actors posing the biggest threats in contemporary cybersecurity are criminals and state actors (or combinations of those–thanks, Vlad!)

Friedman's clichéed invocation of the unsupervised teen in his bedroom doesn't really help any NYT reader understand the real issues at play.

2. A model that can efficiently generate zero-day code exploits is NOT evidence of "Superintelligent A.I."

In fact, it's something that should have been expected. Code is 100% deterministic and automated analysis doesn't require any "world model" or ability to infer the author's intent. Also, the zero-day examples Anthropic has have given (e.g. OpenBSD and FFmpeg) are notably in open-source software.

I'm not saying that to diss open-source—huge portions of our current Internet runs on open-source code and I firmly believe the "many eyes" approach results in better, more-secure systems. 

But I'm assuming these examples indicate how Claude Mythos achieved its impressive feat. It analyzed the source code to identify attack vectors, sometimes chaining together as many as four different vulnerabilities to generate an exploit. To me, this is A GOOD THING.

Current systems likely are vulnerable to all the exploits that Anthropic found and many more. The "threat landscape" has certainly been changed by Claude Mythos, and we're somewhat fortunate that Anthropic is behind this because they do have what passes for high moral standards in 2026.

They started out by disclosing some/all of the 1000+ vulnerabilities they found to the relevant developers. This follows the industry-standard Coordinated Vulnerability Disclosure process: https://www.cisa.gov/resources-tools/programs/coordinated-vulnerability-disclosure-program (Fun fact: CISA recommends making these disclosures via Carnegie-Mellon's Vulnerability Information and Coordination Environment, aka VINCE.)

Anthropic also realized that given the huge variety of existing deployed code they couldn't just send out a few notifications and then ship the Claude Mythos model. Instead, they were going to have to give access to major software vendors, so that they could scan their own code. After hand-picking a few close partners to be named in Tuesday's announcement (Marketing needs to have something to keep them busy), they also signed up 40 unnamed vendors to form the second wave of vendor patching. Presumably, there will be an ongoing program of giving additiobal vendors access to Mythos to scan (and patch) ever more niche software. 

It's a big effort, but once it's done it's not likely we'll see zero-days appear, well, every day. There is a finite quantity of exploitable vulnerabilities in existing software. And it's reasonable to think that Claude Mythos can find a significant portion of the currently unknown ones. Future versions of this model or another AI vendor's model may discover additional vulnerabilities, but not indefinitely. So, in time, existing software should be better patched. Which means fewer vulnerabilities for a ransomware gang to exploit. 

It does seem, however that Anthropic has uncovered a way to get every software vendor to treat them nicely, at least for a while. Because as well as scanning the existing code base, vendors will want to scan their upcoming code releases for anything Claude Mythos can uncover. 

To that end, I hope they expand their Project Glasswing initiative to encompass much of the industry, with possible exception of OpenAI and X.ai. ;-)

Going back to Friedman's write-up, he says that "representatives of leading tech companies have been in private conversation with the Trump administration about the implications for the security of the United States and all the other countries that use these now vulnerable software systems". 

This is where I get chills. Formerly, CISA could be mostly relied upon to prioritize public good over partisan interest. Like most of the rest of the government cybersecurity world, it has been an essentially non-partisan agency despite the fact that many of its employees have likely never voted for a Democrat.

But I'm seriously concerned that Federal cybersecurity defense is now hamstrung by the same sort of budget cuts, corrupt appointments and general fear that the regime has brought to the rest of government. Here's one example from as long ago as Monday:

> Cuts hit CISA, NIST and IRS in Trump’s FY27 budget. https://www.govexec.com/technology/2026/04/cuts-hit-cisa-nist-and-irs-trumps-fy27-budget/412636/

I think Anthropic and other responsible vendors can probably address the risks of exploit-optimized coding models without Federal coordination, but I'd much prefer this to happen in an environment where CISA is a trustworthy partner and not yet another risk factor. 

===

Unexpectedly, I just found myself sitting in presentations yesterday and today from AI researchers at IBM Research and MIT on topics such as giving AI agents memory so they can learn from experience, and inferring causality rather than just correlation. So now I feel thoroughly primed for a whole summer of Ipse Dixit conversations!

Cheers,

Rupert

To view this discussion visit https://groups.google.com/d/msgid/Ipse-dixit/CAGc2QJqz3Ji40C7__gXEWaE6KSmazY8dvmDvUFVXSL9PAU7LSg%40mail.gmail.com.

[Vince Koloski]

As I opened Rupert's useful and calming overview I noticed that there was an ai overview of the discussion above his essay. It was from Gemini and "there may be mistakes" something that always increases one's trust in the model. While the advent of these models may cause the end of civilization, perhaps it will be the extremely shaky economics of the ai sector (per Ed Zitron et. al.) that we should be worrying about. Given the $5 burn to $1 revenue structure they seem to have, and the hazy paths to profitability, what will happen when the money runs out given the extreme amounts of debt being incurred to develop these products.

VINCE

To view this discussion visit https://groups.google.com/d/msgid/Ipse-dixit/CAEfHkaqvZJK5SvfwsX9kyOvOy3V%3DPNP1PVRthNgjjtfnEetN3g%40mail.gmail.com.

[Rupert Clayton]

I read more of Anthropic's very detailed security blog post now and they seem to make the same point as me—more concisely, too.

> We believe the same [dynamic as with software "fuzzers"] will hold true here too—eventually. Once the security landscape has reached a new equilibrium, we believe that powerful language models will benefit defenders more than attackers, increasing the overall security of the software ecosystem. The advantage will belong to the side that can get the most out of these tools. In the short term, this could be attackers, if frontier labs aren’t careful about how they release these models. In the long term, we expect it will be defenders who will more efficiently direct resources and use these models to fix bugs before new code ever ships.

> But the transitional period may be tumultuous regardless. By releasing this model initially to a limited group of critical industry partners and open source developers with Project Glasswing, we aim to enable defenders to begin securing the most important systems before models with similar capabilities become broadly available.

The blog also confirms how the vulnerabilities were discovered: "A small team of researchers on our staff have been using Mythos Preview to search for vulnerabilities in the open source ecosystem."

Anthropic also has a published policy for coordinated vulnerability disclosure: https://www.anthropic.com/coordinated-vulnerability-disclosure

[Asif Ahsan]

Hi Scott,

I think there is a misunderstanding regarding my point. My comment isn't about whether AI can identify software vulnerabilities or solve complex mathematical problems; those are well-documented capabilities.

My concern is specifically with the "Project Glasswing" framing and the apocalyptic language used in the media coverage, such as the Friedman piece. While Anthropic claims to be acting out of caution by restricting access, this "too dangerous for the public" narrative serves as an incredibly effective marketing tool to drive brand prestige and valuation.

Additionally, sharing the model with security companies to patch vulnerabilities is a standard industry practice and for this case we should distinguish between a model’s technical utility in finding bugs and the performative hype surrounding its "dangerous" nature.

Best,

Asif

[Rupert Clayton]

I do think Friedman's inaccurate and breathless column is most to blame here.

After I read the bulk of the very long post on Anthropic's security blog ( https://red.anthropic.com/2026/mythos-preview/ ) I find Anthropic's actions or characterization hard to fault. 

There's a lot here that is genuinely new—most notably the ability to autonomously discover *and* exploit severe vulnerabilities at scale. It's appropriate to publicize this widely and get vendors' attention on scaling their patch-writing and deployment capabilities. It's appropriate to withhold this model from public release for now.

The blog post says vendors should expect other foundation models to achieve similar capabilities. It's not impossible that, without our knowledge, other models can already do this.

These actions might serve to boost investor confidence somewhat, but I don't think the huge investment in Anthropic is primarily driven by the possible value of its models for cybersecurity analysis and defense.

The accumulated debt of unrecognized vulnerabilities in 30+ years of enterprise code base is the justification to deem Mythos Preview "too dangerous for the public". Keeping it restricted will buy a few months of time for vendors to find and patch a large portion of vulnerabilities similar to the ones found so far.

The goal is to get to a point where vendors can find and patch vulnerabilities before code is released and certainly before attackers using similar tools are able to deploy working exploits. Seems worth a try.

One correction to my earlier assumptions. While most vulnerabilities found were based on analyzing open-source code, Anthropic also discovered a couple by reverse engineering closed source software. So, all vendors will need to analyze their code with tools like this in fairly short order. 

Rupert

--

You received this message because you are subscribed to the Google Groups "Ipse Dixit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to Ipse-dixit+...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/Ipse-dixit/CAGc2QJoFz1uC3ce8Ts%3Dr54HhVBHvyT0ir4yMEssXsrE7i88F8g%40mail.gmail.com.