On April 7, the American AI company Anthropic sounded the alarm. Their new AI model Claude Mythos's coding ability was so high that it was uncomfortably good at finding - and exploiting - security holes.
Mythos found vulnerabilities in all major operating systems and browsers, some that had been undiscovered for decades.
Previous Claude models have also been good at going through code and following detailed instructions from humans - the difference is that Mythos does it more autonomously, according to Gerald Mako, who researches AI and cybersecurity at the University of Cambridge.
It can come up with a hypothesis itself, test it, and then fine-tune based on the results.
It can also chain together multiple weaknesses into a functioning cyber attack, he says.
Created projects
Anthropic described Mythos as so dangerous that they did not release the model freely, but instead created a project where security companies and technology giants were allowed to test the model to find and plug security holes.
Cisco is one of the companies where security expert Mark Jackson describes Mythos and similar models as a paradigm shift.
“This technology dramatically lowers the skill threshold. It allows attackers to scale up attacks that were previously completely out of their reach,” he writes via email.
Anthropic will report its findings after 90 days. In a couple of months, 23,000 vulnerabilities have been found so far, of which 6,200 are serious or critical, according to a partial report.
“There is no doubt that the situation is urgent. We expect these capabilities to become widespread as AI technology advances, and those charged with protecting must review their environments immediately,” writes Jackson.
No reason for concern
Gerald Mako points to banks, manufacturing, logistics, healthcare, sales and government as vulnerable. Ordinary individuals should view the concern in moderation.
It's not the apocalypse, but the smell of napalm is in the air because the direction is clear and AI development will not suddenly stop.
Sverker Janson, head of the research institute Rise's AI Center, also doesn't think ordinary people should be worried, because Mythos is now being used to plug security holes.
On the contrary, I am happy that we are getting better tools to find these problems, because otherwise they were open targets that ordinary people could have found too, if they gave it their all. It's not magic.
Claude Mythos is an AI model developed by American company Anthropic. The model can code and understand programming code, and according to the company, is better than almost all humans at finding and exploiting vulnerabilities.
How to use it:
1. It is allowed to read the program's source code on a computer isolated from the internet.
2. Mythos develops a hypothesis about possible vulnerabilities.
3. The hypothesis is tested to confirm or reject the suspicions, or adjust it and try again.
4. Once Mythos has found several smaller vulnerabilities, it tries to chain them together to create a more powerful attack.
5. The model writes a bug report.
Source: Anthropic
