He describes himself as "Software engineer. Writing code prompts at Google".
So throwing his own, apparently poorly written, creation under the bus will get him applause and promotions by the AI lunatics.
It is a currently popular strategy among AI boosters.
What a weird comment.
You think he cynically decided to boost his career by writing a detailed description of the exploits found in his own software.
Is there no room in your model of the world for someone to figure out something interesting using AI tools and then write about it just because they like sharing interesting information?
It is not at all, in the slightest, weird heuristic to deploy in the Agentic Era.
It’s a heuristic after all. There is no proof one way or the other.
Seems to be working for a lot of people, and I won't really blame them that much. People want promotions, money and a job in general, and they will do stupid stuff to keep their jobs and increase their pay. Unfortunately, it's an incentives problem of our current mode of production.
I can't speak to the larger trend of AI boosters, as I don't go out of my way to pay attention to them, but the practice of being vocally self-critical and openly discussing the flaws found in one's own software (whether from AI or human analysts) is a damn good idea for reasons that can best be understood by rehashing the vulnerability disclosure debate in one's own mind.
The cool thing about LLMs is that once a capability is "good enough" you can always "chain" them together for better overall results. On the client side this means "write an API that does x y z" -> "analyse this API for security concerns" -> "PoC for each finding from this report" -> "fix this code according to these verified claims".
On the "server side" (i.e. training) you can use the current gen models to improve the training data by running many parallel environments with a similar loop as above. Then incorporate the new data and repeat. Reminiscent of the old GAN approach, where the generator and discriminator are trained together in an adversarial regime. The end result should be safer code on "vanilla" prompts. "Write an API that does x y z" should now contain the learnings from this loop, and the models should produce better code.
Works really well for every verifiable scenario. And as the models become better, they can also more reliably create environments that closely match real-world scenarios. If you also have some data from human devs (say you run a subsidised coding model for a few months), even better.
An example of turning a "normal" repo into a verifiable environment that I read recently in the Cursor blog: take a repo, ask an LLM to remove a feature, verify that the app still works w/o the feature, verify that the tests for that feature fail. Ask a generator to "add feature x". Verify with the original tests. If pass -> give carrot :)
The key is composition. Once you unlock a new capability, that gets implemented and incorporated into the next training run. Pretty neat, I would say, and the main driver for the recent increase in the breadth of capabilities for new models.
> If pass -> give carrot :)
More like, give $$$ pass or not.
… running thru my head. All the bugs they found…
Not gonna fix 'em!
I found, in my rather recent experience with Go, that using anything other than zero for invalid, default or "sentinel" values is a source of potential problems due to the lack of real constructors.
Yes I'd say 0 should always be treated as a None or Invalid value.
The upside of the lack of real constructors is less incidental complexity which every object having a constructor written which then has to be read and maintained.
Another option of course is to write constructors - there's nothing to stop you doing so in go and using those when creating objects (e.g. foo.New() whenever you want one of these things), but it'd be a convention rather than something required.
Nice writeup. A practical example of a project, what was found, how it was found, the quality of the findings, reproducible.
> Trying to work around Anthropic blocking security-related prompts does get pretty tiring though.
Didn't know this is a thing... interesting for a company that's marketing their Mythos so hard not allowing security prompts.
I am also curious how the cheaper Chinese models do, I have an Opencode Go plan, so I'll let 'em rip over the weekend, hopefully I get to see a few bugs!
I think that's consistent of Anthropic.
The whole point of Mythos/Glasswing is "our models are scary good at security research, so much so that we won't let them help you find vulnerabilities unless you are a trusted partner".
sometimes i feel mythos is just that a myth
Agreed. Considering Anthropic had a sandbox bypass vulnerability in CC for a year, silently patched it, and still hasn't made a disclosure statement, no one on Earth should trust them or believe a word they say. https://www.securityweek.com/anthropic-silently-patches-clau...
The "too many security issues" meme feels like a form of product placement marketing. How many of the bugs found would have also been found if you said to a security team - ok you now have a project with independent time to go spelunking for bugs - this is your highest priority for the next month. Now do the same with a bunch of security teams across multiple organizations across the industry doing that at the same time. What is the differential in actuality with and without Mythos. The brilliant part is now those discoveries have a Anthropic mythos tag on them.
Even if it is marketing, at least there is some positive side effects of identified and closed security flaws.
I think you meant marketing*
I don’t really care about posting in bold 20 bugs when it comes to a hobby project. (In before “Linux was just a hobby project”) No need to LLM post over what this tells us about the trajectory of society, oh my.
We can save that dialogue for finding bugs in widely used projects.
Edit: Something I tried to reply to a now-dead top level comment here: Whoever claims that new accounts alone is a signal for submission-boosting comments etc. needs to update their heuristics.