Hey Reader,

Anthropic has just announced Project Glasswing. In a nutshell, they are collaborating with major software companies like Apple, Amazon Web Services, Broadcom, CrowdStrike, Microsoft, NVIDIA, the Linux Foundation, etc., because they made a new Claude model called "Mythos" which "has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser."

I don't want to scare you, so I'll start with what you should do to be safe: keep all of your software up to date at all times. Anthropic has given access to Claude Mythos Preview to the major software companies I mentioned above, so they can use it to find these vulnerabilities and fix them. Claude Mythos Preview is NOT released to the general public.

I think Anthropic is doing the right thing here. They could have released the model that beats their current flagship model by A LOT on benchmarks, and capitalized on more revenue and more investments coming in. Instead, they did the right thing and kept it to be used for good.

Claude Mythos Preview is a model trained for coding. But when you train a model for coding, that also includes cybersecurity, and once a model can find a security vulnerability, it can also exploit it.

Quoting from the announcement, here are some things that Claude Mythos Preview has found:
- Mythos Preview found a 27-year-old vulnerability in OpenBSD—which has a reputation as one of the most security-hardened operating systems in the world and is used to run firewalls and other critical infrastructure. The vulnerability allowed an attacker to remotely crash any machine running the operating system just by connecting to it;
- It also discovered a 16-year-old vulnerability in FFmpeg—which is used by innumerable pieces of software to encode and decode video—in a line of code that automated testing tools had hit five million times without ever catching the problem;
- The model autonomously found and chained together several vulnerabilities in the Linux kernel—the software that runs most of the world’s servers—to allow an attacker to escalate from ordinary user access to complete control of the machine.
To be honest, the IT world knew that there were potential bugs and exploits in this software, but they were so hard to find and to exploit that there was close to a 0% chance of them actually being exploited. This is what the whole world of Ethical Hacking is based on. An Ethical Hacker finds these vulnerabilities, and instead of exploiting them, they report them to the software company so it can fix them, and they get a reward for it. For example, Apple has a long-running bug bounty program: it's less money for them to occasionally pay an ethical hacker a bounty than to hire a bunch of them on payroll and pay them every month even if they don't find anything.

So what Anthropic is doing now, essentially, is giving out their new Claude Mythos Preview model as an "Ethical Hacker AI for hire" to the companies participating in the program (and they also gave out $100M of compute credits in the program), so the vulnerabilities Mythos Preview can exploit are patched before it is released.

Advice for non-technical folks

Please don't use OpenClaw, Claude Code or OpenAI Codex if you don't know what you're doing. These agentic tools get full access to the computer you run them on, and they can install a lot of things you don't even know about. For example: let's say you're vibecoding your website in HTML with Claude Code. The agent realizes that it doesn't have the font defined in your branding kit. As it is a paid font, it can't download it from the official source, so it has to decide whether to bother you for the font or try to find it online. Let's say it decides to try to download it from a "free font download" website. It succeeds, and it runs a command to install the font on your computer. All without your supervision or explicit permission. In less than a minute, the AI agent has compromised your computer with a random font package that might include a dormant virus. Maybe you won't even notice that something is wrong. Maybe nothing will be wrong for a month. Then the dormant virus gets a command to activate itself and carries out its original mission.

I know it is very tempting to want to use Claude Code because you see the flashy demos all the time and you don't want to miss out. And you can use it if you set it up safely:

If you don't know what these mean, you're not ready for Claude Code or agentic tools running on your computer, and that's okay. Reply with "ME" to this email if you'd be interested in joining a 2-hour workshop where we set up Claude Code together in a safe way. (Tickets are going to be $100 for non-members of the Guild)

What the future brings

AI LLMs are getting better at coding and thus at finding and fixing (or exploiting) security vulnerabilities. Companies (and employees) are adopting more and more agentic tools because they see how much more productive they can be with them. Do you see where this is going? More powerful LLMs for the attackers to use at scale, and more easy targets to pick on. I think the most vulnerable targets will be solopreneurs and small businesses who either:

Medium-sized businesses and Enterprise are not in danger that much (in my limited opinion), because they have the capital to invest into securing their IT infrastructure. Now, I don't know much about scamming people beyond what I see in viral YouTube videos when they expose scammers. What I do know is that you don't need to have the "Ultimate Unhackable Setup 4000", you just need to be difficult enough to reach that the attackers get discouraged and pick easier targets.

"You don't have to outrun the bear to get away. You just have to be faster than the guy next to you." — Jim Butcher

P.S: Help me send more relevant emails to you: