Free Republic
Browse · Search
General/Chat
Topics · Post Article


Project Glasswing: Securing critical software for the AI era
Anthropic | 04 09 2026 | Anthropic

Posted on 04/09/2026 7:06:12 AM PDT by yesthatjallen

Today we’re announcing Project Glasswing, a new initiative that brings together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in an effort to secure the world’s most critical software.

We formed Project Glasswing because of capabilities we’ve observed in a new frontier model trained by Anthropic that we believe could reshape cybersecurity. Claude Mythos Preview is a general-purpose, unreleased frontier model that reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout—for economies, public safety, and national security—could be severe. Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes.

As part of Project Glasswing, the launch partners listed above will use Mythos Preview as part of their defensive security work; Anthropic will share what we learn so the whole industry can benefit. We have also extended access to a group of over 40 additional organizations that build or maintain critical software infrastructure so they can use the model to scan and secure both first-party and open-source systems. Anthropic is committing up to $100M in usage credits for Mythos Preview across these efforts, as well as $4M in direct donations to open-source security organizations.

Project Glasswing is a starting point. No one organization can solve these cybersecurity problems alone: frontier AI developers, other software companies, security researchers, open-source maintainers, and governments across the world all have essential roles to play. The work of defending the world’s cyber infrastructure might take years; frontier AI capabilities are likely to advance substantially over just the next few months. For cyber defenders to come out ahead, we need to act now.

SNIP


TOPICS: Chit/Chat; Computers/Internet; Miscellaneous
KEYWORDS: ai; antropic; glasswing; openai; projectglasswing


Video at link.

"society needs to grapple with the reality of a mythos-level model being open source in <12 months.

i’m not sure we are prepared."

mckaywrigley X

Colossus - The Forbin Project

1 posted on 04/09/2026 7:06:12 AM PDT by yesthatjallen

To: yesthatjallen

Glasswing sounds fragile.

Icarus ran into trouble because he flew too high for the wax in his wings. Glass might be better, but I have my doubts.


2 posted on 04/09/2026 7:15:32 AM PDT by ClearCase_guy

To: yesthatjallen

We are not prepared.

I’m still amazed at the xz library hack.

I’ve been alerting people in my industry about this very threat. AI agents with RAG models knowledgeable in all CVEs, along with all the open-source projects’ source code, could figure out exploits that are another level of complexity that humans really aren’t going to figure out.

When I read about this new model it didn’t surprise me. That so many high-profile companies are doing this should give pause to everyone about how “next level” this threat is. China must be salivating.


3 posted on 04/09/2026 7:17:26 AM PDT by fuzzylogic (welfare state = sharing of poor moral choices among everybody)

To: fuzzylogic

I had to ask AI:

AI Overview
The XZ library hack (officially CVE-2024-3094) was a highly sophisticated supply chain attack targeting XZ Utils, a widespread data compression tool used in nearly all Linux distributions. Discovered in late March 2024, the attack involved a malicious backdoor that could have granted attackers unauthorized remote code execution (RCE) with administrative privileges across millions of servers worldwide.
Key Details of the Incident

- Target: The malicious code was embedded in XZ Utils versions 5.6.0 and 5.6.1. Specifically, it compromised the liblzma library, which many systems link to for SSH (OpenSSH) support.
- The Culprit: A persona named Jia Tan (JiaT75) spent over two years building trust within the open-source community. By contributing legitimate code and pressure-campaigning the original exhausted maintainer, they eventually gained “co-maintainer” status and the ability to commit malicious changes.
- Discovery: The hack was accidentally discovered by Microsoft engineer Andres Freund. While testing an unstable version of Debian, he noticed a tiny performance lag—a roughly 500ms delay in SSH logins—and investigated until he found the hidden exploit.
- The Exploit: The backdoor was designed to recognize a specific private key sent during an SSH login attempt. If the key matched, the code would execute commands from the attacker as root, completely bypassing standard authentication.

Why It Was So Dangerous

- Sophisticated Hiding: The malicious code was not visible in the source code; it was hidden inside binary “test” files used during the build process.
- Critical Impact: It received the highest possible severity score (CVSS 10.0). If it hadn’t been caught early, it would have been integrated into stable releases of major Linux distributions like Red Hat and Ubuntu, potentially compromising global internet infrastructure.
- Targeted Systems: The attack primarily affected systemd-based Linux distributions (like Fedora, Debian Testing, and Kali Linux) because they patch OpenSSH to link with liblzma.

Current Status & Protection

- Affected Versions: XZ Utils 5.6.0 and 5.6.1.
- Action Required: Users of affected Linux distributions (mostly rolling-release or “bleeding edge” versions) should downgrade to XZ 5.4.x or upgrade to the patched version provided by their vendor.
- Impacted Distributions: While the code was found in Fedora Rawhide, Debian Unstable, and some versions of Kali and Arch Linux, it did not reach stable versions of most major enterprise distributions like RHEL or Ubuntu Stable.


4 posted on 04/09/2026 7:24:23 AM PDT by Dalberg-Acton
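
The summary in #4 boils down to two things a sysadmin would actually check on a box: is the installed xz one of the two backdoored upstream releases, and is sshd linked against liblzma at all (the systemd patch path that made the backdoor reachable). The POSIX shell script below is an added example for this thread, not code from the post, from Andres Freund, or from any vendor advisory. The `xz --version` banner and `ldd` output formats it parses are what those tools print on common Linux distributions; the sample strings used to exercise the functions are constructed, and the `--host` mode and the fallback path `/usr/sbin/sshd` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from any vendor advisory: a host check
# for the two conditions the CVE-2024-3094 summary above describes.
#   1. Is the installed xz one of the backdoored upstream releases (5.6.0, 5.6.1)?
#   2. Is sshd linked (directly or via libsystemd) against liblzma, the path that
#      made the backdoor reachable on systemd-patched distributions?
# The parsing functions take their input as strings so they can be exercised
# on constructed sample output; "--host" runs them against the live machine.

# Returns 0 (true) when the version string is a known-backdoored upstream release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if it cannot parse.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 (true) when ldd-style output lists liblzma among the resolved libraries.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both signals. Prints a verdict; returns 0 only for the exposed case
# (backdoored version AND sshd linked against liblzma), 1 otherwise.
# $1 = xz --version banner, $2 = ldd output for the sshd binary.
assess() {
    ver=$(xz_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse xz version banner"
        return 1
    fi
    if ! xz_version_affected "$ver"; then
        echo "OK: xz $ver is not a known backdoored release"
        return 1
    fi
    if sshd_links_liblzma "$2"; then
        echo "EXPOSED: xz $ver installed and sshd links liblzma"
        return 0
    fi
    echo "AFFECTED PACKAGE: xz $ver installed, but sshd does not link liblzma"
    return 1
}

# Live check on this host. ldd runs the dynamic loader on the target binary,
# so only point it at a binary you already trust.
if [ "${1:-}" = "--host" ]; then
    banner=$(xz --version 2>/dev/null | head -n 1)
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    lddout=$(ldd "$sshd_path" 2>/dev/null)
    assess "$banner" "$lddout"
fi
```

Run it as `sh xzcheck.sh --host`. The version match is a screening heuristic, not proof: at least one distribution shipped a rebuilt 5.6.1 with the malicious build files removed under the same version number, and vendor-patched packages can carry a different version string entirely, so confirm against your distribution's advisory before acting. The reverse also holds: a backdoored liblzma on a host whose sshd does not link it is still a compromised package and should be replaced, which is why the script reports that case separately instead of calling it clean.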

To: fuzzylogic

So what’s the defense of a portfolio of stocks and cash at an upper mid level bank and Vanguard?


5 posted on 04/09/2026 7:28:19 AM PDT by Uncle Miltie (Not all 2,000,000,000 muslims want to murder me. But 200,000,000 probably do.)

To: yesthatjallen
Yikes.

This was not the way I wanted to start my morning...

First - I cannot find a cable channel that is broadcasting the First Round of the Masters Golf Tournament.

Second - Iran is blocking ships at the Strait of Hormuz.

Third - all the software that supports my life can be compromised in days or hours.

6 posted on 04/09/2026 7:31:39 AM PDT by zeestephen (Trump Landslide? Kamala lost the election by 230,000 votes, in WI, MI, and PA.)

To: Dalberg-Acton

Yep...and if you know low level software, I encourage you to read about the technical details. How they accomplished the backdoor is extreme.

There are YouTube videos on it.


7 posted on 04/09/2026 7:38:09 AM PDT by fuzzylogic (welfare state = sharing of poor moral choices among everybody)

To: Uncle Miltie

Two competing security ideas:

- Security through obscurity, you don’t publish what you use and have proprietary systems & software
- Security through transparency, open source has a million eyes scrutinizing for security bugs

A combination of both is probably best. The initiative being referenced above is about what is transparent, the open-source world. That it’s being taken seriously and being proactively addressed is good to hear; hopefully the technology that can find vulnerabilities is first successful in helping plug them before they can be exploited.


8 posted on 04/09/2026 7:43:58 AM PDT by fuzzylogic (welfare state = sharing of poor moral choices among everybody)

To: yesthatjallen

Even the most out-there conspiracy theorist probably didn’t see that crowd getting together.

The Axis of Evil.


9 posted on 04/09/2026 8:06:12 AM PDT by PAR35

To: zeestephen
I cannot find a cable channel that is broadcasting the First Round of the Masters Golf Tournament.

Looks like if you subscribe to three different streaming services you can watch parts of it on each. Because why sell one streaming service when you can split the event and sell it on three. NFL is behind the curve. They ought to sell different subscriptions for each quarter of each game, with premium tier on the fourth quarter.

10 posted on 04/09/2026 8:12:54 AM PDT by PAR35

To: zeestephen

It’s on Prime so you have to pay. Utter BS. I hope this streaming of sports kills them all.


11 posted on 04/09/2026 8:24:51 AM PDT by Resolute Conservative

To: yesthatjallen
So we created an emergency that we will also create the solution for. All for the low, low price of 1.6 trillion dollars.


12 posted on 04/09/2026 8:29:26 AM PDT by Frank Drebin (And don't ever let me catch you guys in America!)

To: Dalberg-Acton

I have worked with Andres, and I take issue with the assertion that it was “accidentally” discovered.

It was discovered because he took the time to investigate something that smelled wrong. He did not have to do that, but he did.

If you think that there are not hundreds of other similar undiscovered exploits both in Linux and Windows I have a bridge in Brooklyn to sell you. If you pay me extra I will wrap it up into a tarball and zip it up for you.


13 posted on 04/09/2026 8:50:54 AM PDT by algore ( )

To: yesthatjallen
Ash nazg durbatulûk, ash nazg gimbatul,
ash nazg thrakatulûk agh burzum-ishi krimpatul
14 posted on 04/09/2026 11:26:00 AM PDT by aspasia
