Project Glasswing with Claude Mythos Preview

hellodolly

Hi,
just read about it online. Does that mean we are kind of safe because all the big players are involved and will fix things or are we doomed?
As an example they say Claude found a way to take over a Linux system by combining several undetected kernel exploits - no human would have ever found that I guess. Seems scary...

MetropleX

hellodolly where did you read this? Have a link?

horde

MetropleX https://www.anthropic.com/glasswing

GrapheneOS can apply for https://claude.com/contact-sales/claude-for-oss so they can try it before malicious actors with access use it against the project.

hellodolly

Just google the title.

MetropleX

hellodolly as a new member I can see why you may believe that to have been an appropriate and adequate response, however on our forum, to enable people to engage in good faith when claims are fronted either by the OP, someone in the responses or quoting them from a third party, links and evidence must be provided.

Thankyou for doing so in your following replies.

I look forward to reading the continuing discussion, however my part in it would for you to determine how you define "safe" in your question.

I'd also reserve my judgement for when claims become validated and not just third party copy/paste of press releases.

hellodolly

https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html

"...Some of these include a now-patched 27-year-old bug in OpenBSD, a 16-year-old flaw in FFmpeg, and a memory-corrupting vulnerability in a memory-safe virtual machine monitor.

In one instance highlighted by the company, Mython Preview is said to have autonomously come with a web browser exploit that chained together four vulnerabilities to escape the renderer and operating system sandboxes..."

hellodolly

Understood! Thanks
But another question just came to my mind, what are the implications for a project like GrapheneOS? Does the team need help by AI in the future or is it already a part of the development? Please apologize my poor and vague wording, I am just being curious here.

hellodolly

horde Thanks for your research. Sounds like something worth considering.

ClickClickDrone

Any "AI" touted for doing X, especially security, is always straight up snake-oil -- at best.

These claims that "AI" found flaws are likely due to cherry-picking and a lot of interference from security researchers.

LLMs cannot think, reason or do anything similar, except for being the "GO" part in GIGO.
Due to this fundamental constraint, it is impossible for an LLM to perform security analysis as robust and correctly as a human -- ever.

I hope GrapheneOS never adopts any "AI" for this purpose.

Using "AI" in citation marks, because it is not really "intelligent".

horde

ClickClickDrone I hope GrapheneOS never adopts any "AI" for this purpose.

Has nothing to do with adoption for anything, they will just see if output from these models are worth it or it is slop, GrapheneOS is already getting security "audits" by AI which they check and ignore if it completely slop.

hellodolly

horde GrapheneOS is already getting security "audits" by AI

How do you know? Is there information about that online?

ClickClickDrone

horde
The issue is that these models are almost always slop and used for slop.
Just take a look at poor Daniel Stenberg at cURL.

It would take faster to audit it by hand because one has to otherwise go through the >99% slop and "hallucinations" in the output.

So, again, why should GrapheneOS sign up and chug the "AI" Kool-Aid?

hellodolly

From the anthropic homepage:

As part of Project Glasswing, the launch partners listed above will use Mythos Preview as part of their defensive security work

The launch partners are said to include Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA.

Doesn't sound like slop to me.

ClickClickDrone

hellodolly
It doesn't matter, really, because as I said earlier, it's a fundamental constraint because LLMs cannot reason about code and its security: It's just a text generator which guesses words in a sequence based on what it's been trained on.

So, a model has to be trained, and the material has to be picked*, and so it works best for vulnerabilities that are common, because there is more material to be trained upon for say, memory leaks in C code, than a super-specific flaw in a Bluetooth driver written in Assembly. Not much code is available for the latter.

* mostly from the hellscape of the internet, scoured without any rights whatsoever.

starglider

hellodolly Honestly, just don't engage. There's a fringe group of people who are obsessed with convincing themselves that LLMs are useless slop machines. It's the same "don't believe your lying eyes" phenomenon you see with political types. Whether it's terror of losing their job or politics or some other fear, it's become religious. And of course there's a pro-AI religion out there, too.

I do hope GOS applies for access; it seems right up their alley. That said, most of the vulns likely exist in AOSP, and there's no question Google will be taking advantage of findings and issuing patches that GOS can inherit. I'd be very worried if I were running some third-party Android fork (OneUI or the various other custom OEM ones) that take forever to get patches.

ClickClickDrone

starglider
I interprete it as you ment to mention me,
Personally, I believe that LLMs are fine for some tasks, like web search, but not security.

I think we both can agree to disagree?

koocmit

starglider Though not privy to internal discussions, I believe GrapheneOS philosophy is attacking bug classes instead of bugs: Memory tagging to stop memory vuln instead of fixing any and all user software to not have memory vulns. Same with parsing: Fix the parser by sand-boxing it as much as possible instead of trying to create bug free parsers.

AI will be very useful (is currently very useful in my line of work) in discovery of bugs, but real impactful work will always be in eliminating vuln classes rather than specific bugs. So I don't think GOS will benefit much from access to a pentesting AI (and will anyway benefit from upstream work by Google and rust-ification of android).

Access to an AI that can work with the vast android or chromium code base would be nice for new feature development, but none exist last I checked.

Chipper

ClickClickDrone Is it also your position that creating ai suitable for finding security loopholes is an impossible task which we will never achieve, or are your comments based on and limited to, the current known issues with training good models one being the availability of and requirement for clean, high quality, curated data sets?

SierraBravo

This just got covered by Anderson Cooper.

Let's just hope that Claude, Anthropic, and those who get access to it use it for good.