Discussion

US summons bank bosses over cyber risks from Anthropic’s latest AI model

sroussey: Promoting the model as potentially dangerous might backfire with the government banning it from being released by executive order.

nothinkjustai: Looks like the marketing worked at least somewhat lol. Such an obvious playbook by now I’m surprised some people here fell for it.

causal: Maybe it's marketing, but I think it's regrettable that Anthropic paired project Glasswing with Mythos. It really makes it seem like Mythos is the threat, rather than the fact that tons of vulnerabilities have always been ignored throughout the software world.If Glasswing has been started years ago with the goal of applying fixes to AI-found gaps, then this would just be another model to add to that effort. But doing so in the ominous shadow of some new super model boosts panic IMO.

skybrian: A year ago the LLM's weren't good enough to find these security issues. They could have done other stuff. But then again, the big tech companies were already doing other stuff, with bug bounties, fuzzing, rewriting key libraries, and so on.This initiative probably could have started a few months sooner with Opus and similar models, though.

vonneumannstan: >This initiative probably could have started a few months sooner with Opus and similar models, though.Evidently they tried and even the most recent Opus 4.6 models couldn't find much. Theres been a step change in capabilities here.

causal: No, Opus has found a lot and 112 vulnerabilities were reported to Firefox alone by Opus [0]. But Mythos is uniquely capable of exploiting vulnerabilities, not just finding them.[0] https://red.anthropic.com/2026/mythos-preview/

causal: That's not quite true, even a year ago LLMs were finding vulnerabilities, especially when paired with an agent harness and lots of compute. And even before that security researchers have been shouting about systemic fragility.Mythos certainly represents a big increase in exploitation capability, and we should have anticipated this coming.

Analemma_: A lot of those bugs were found by seasoned developers and security professionals though. Anthropic claims that Mythos is finding vulns from people who have no security background, who just typed "hey, go find a vulnerability in X", went home for the night, and came back the next morning with a PoC ready. They could definitely be an exaggerating, but if it's true that's a very different threat category which is worth paying attention to.

PedroBatista: The more I live the more I believe people at the top operated in some sort of cult mentality. The level of gullibleness, temporary lack of critical thinking is only matched by their sociopathy and Machiavellianism.I'm sure it's a great big model, but the level of hype and dishonesty is something out of Sam Altman's book.Of course it's because of the upcoming IPO, but that's the end game, for now it's critical to get those private equity guys and bank institutions to believe the gospel and hold the bag, only then the suckers from the secondary markets will be allowed to be suckers too.

icedchai: A good percentage of cybersecurity has always been theater. If their model helps to separate the wheat from the chaff, maybe it'll be an improvement.

reducesuffering: Or, you're wrong. And the smartest AI Research Scientists and the top banking officials are both correctly worried about the ramifications. That's what you'd expect if there really was an issue here. Are you aware of the deep seated bugs in critical software that were already uncovered with Mythos? Are you able to steelman the issue here at all?

colechristensen: Two things can be true.Historically bad security that people just got by with matched with powerful tools that aren't any better than the best people, but now can be deployed by mediocre people.

SpicyLemonZest: I'm definitely optimistic that the long-term trajectory is positive. All important software can undergo extensive penetration testing with cutting-edge vulnerability research techniques before launch? Sounds great. The problem is what goes wrong on the pathway to there.

__natty__: I wonder whether this kind of release of model could become the spark that ignites a new digital "cold war" between us, europe, india and china, in which they will try to outwit their rivals and compromise their critical infrastructure using artificial intelligence.Also I’d like to believe that this really is such a huge step forward compared to Opus, but lately I’ve found it hard to believe when I look at the statements made by the CEOs of AI companies and their associates, who are fuelling the hype surrounding this topic even further. Of course, it is good that large companies and industries that are crucial to the country are the first to have access to this, but until the launch takes place, I will approach this with a degree of scepticism.

mieubrisse: This invisible cyberwar is already happening; it's just that the brains powering it is getting smarter.

petcat: > the government banning it from being released by executive order.There's no legal mechanism for the president or the government at all to do that.

rf15: I'm sure they will find something when it really starts to bother them personally.

guzfip: It sounds like it’ll just kill the wheat and the chaff.Still probably a benefit depending on your philosophy.

downrightmike: Need to dump the bag on retail investors and pensions before they implode

pixel_popping: Cybersecurity is taken too lightly and it mostly boils down to recklessness of developers, they are just "praying" that no-one act on the issues they already know and it's something we must start talking about.Common recklessness obviously include devs running binaries on their work machine, not using basic isolation (why?), sticky IP addresses that straight-up identify them, even worse, using same browsers to access admin panels and some random memes, obviously, hundred more like those that are ALREADY solved and KNOWN by the developers themselves. You literally have developers that still use cleartext DNS (apparently they are ok with their history accessible by random employees outsourced)

snovymgodym: > it mostly boils down to recklessness of developersI disagree. I think in big tech and the corporate world, it boils down to the organization fundamentally not valuing security and punishing developers if they "move slow", which is often the outcome when you maintain a highly security-oriented process while developing software and infrastructure.When big leaks happen, the worst that occurs is that some trivial financial penalty is applied to the company so the incentive to ignore security problems until you're forced to acknowledge them is high.

charcircuit: I hope these banks are complaining how Anthropic is preventing them from accessing their latest model and giving preferential treatment to other businesses.

LunaSea: Highly disagree.It's most of the time a question of management not caring about security or disliking the inconvenience that security can bring.