Comments - Claude Mythos and misguided open-weight fearmongering

Source: original

SubscribeSign in

Claude Mythos and misguided open-weight…

Another dance around fears of open-source. Read →

6 Comments

Top first

Interconnects AI reply rules

Caithrin

Apr 9

"Today, models are complex systems that entail far more than just weights. They require complex tools and infrastructure to run them, of which Claude Code is the one we are most used to. Mythos very likely has its own innovations here."

I would read 4000 words on just this subject

Reply (1)

Nathan Lambert

Apr 9

Author

Outdated, but this was the short version from last fall. https://www.interconnects.ai/p/thinking-searching-and-acting

It's been a recurring theme in recent articles, of course.

I also discussed it in recent talks, e.g., but none were recorded. https://docs.google.com/presentation/d/1K3bM3K7q_CBcXzUCX7a1YvUHAycpvTKZbJElKSOdiok/edit

Reply

Leo C

Apr 9

Liked by Nathan Lambert

As we are seeing live the effect of a good open source model (gemma-4), there’s already a whole lot of community interest in tinkering with and understanding the models. This is overall a great thing for anyone who cares about AI risks - study it, use it for red teaming, fine-tune it, find out it strengths and weaknesses. When it’s open, the discussions are open, and the risks and failure modes are more visible than closed sourced APIs.

Well-timed post and important facts!

Reply

Dean Chapman

Apr 9

Nathan, you make a fair point: open‑weight fearmongering has been cyclical, and a blanket ban isn’t the answer. But the Mythos case isn’t just about weights – it’s about the absence of runtime enforcement.

Anthropic built a model that autonomously writes exploits, then handed it to a coalition under gated access. That’s not safety architecture. It’s liability distribution. Whether the weights are open or closed, the binding question is the same: who proves every consequential action was authorised before the electron flowed?

Veritas Core answers that with hardware‑rooted gates (PCIe + TPM) and offline‑verifiable receipts – independent of open/closed weights. Let’s focus on building that enforcement layer, not just debating distribution models.

Reply

YF

Apr 21

Unlike some capabilities such as knowledge work, medicine, law, etc., coding can be studied and improved substantially with public data like GitHub.

I don’t understand the full scope of skills needed to be superhuman in cybersecurity understanding.

Terence Tao has made headlines using AI to assist mathematical proofs. Cybersecurity is the same thing, except it is looking for counterexamples to disprove the security of a system. The counterexamples serve as clear pass/fail criteria for the model to optimize for.

Unlike software engineering in general which requires understanding human intents and fulfilling human desires, cybersecurity is much more akin to the game of Go. Which means training for cybersecurity is not bound to public data. Like AlphaZero, the current models are fully capable of playing the cybersecurity game with itself (or another instance of it), like humans play Red Team vs Blue Team games at cybersecurity competitions.

Playing the cybersecurity game can have the great side benefit of also enhancing general software engineering, which acts as the Blue Team side of the game.

how bad is it actually

The cyber insurance market is worth $20.56 billion in 2025

-- https://heimdalsecurity.com/blog/cyber-insurance-statistics/



What will never get fixed?

Even before Claude Mythos, the defense is lagging the attack. Also the most crucial systems, medical and infra, are designed to run decades without patching.

An average of 131 new CVEs were disclosed every day in 2025. Hadrian's analysis of Mandiant data tracked an average time-to-exploit of negative one day, which demonstrates that attackers weaponized vulnerabilities before patches were available.

Meanwhile, 50% of critical CISA KEV vulnerabilities remained unpatched 55 days after a fix was available, and those are the vulnerabilities already known to be actively exploited. That asymmetry between attackers and defenders pre-dated the Mythos announcement.

-- https://www.dashlane.com/blog/mythos

Reply

Anthony Walker

Apr 10Edited

One interesting thing, Mythos is getting access to a whole lot of code so companies can fix their vulnerabilities. Why though? Without the code threat actors, even using Mythos, would have a hard time finding the vulnerabilities. Its reverse engineering a needle in a haystack. Far easier ways for threat actors to get in through the front door than looking for new vulnerabilities.

Reply