alt.hn

4/7/2026 at 8:53:59 PM

Anthropic's Project Glasswing sounds necessary to me

https://simonwillison.net/2026/Apr/7/project-glasswing/

by simonw

4/8/2026 at 12:55:41 AM

So my home router, all my iot devices attached to it from printers to projectors, not to mention custom stacks like Lutron. BLE based locks, car key fobs.

All of these technically could have zero day vulnerabilities and people/companies who made it don't have the resources to buy 20000$ of tokens to go debug them... Maybe they don't care but if they do, what if they can't afford such models or get access in time.

I would like to know how can someone like me defend against them?

by ghm2199

4/8/2026 at 4:54:01 AM

That's the neat part, you can't.

by DustinBrett

4/8/2026 at 5:31:50 AM

> don't have the resources to buy 20000$ of tokens to go debug them

$20,000 - how many developers do these hardware companies have that they need to spend that much? Claude Team Premium is US$125/mo for a seat and even cheaper if you buy annually...

by taspeotis

4/8/2026 at 8:38:12 PM

Running a "too advanced" harness against a Claude Code subscription gets your organization banned, even if it's a shell wrapper over `claude -p`. You probably can't reproduce this research with a fixed-price subscription.

by yencabulator

4/8/2026 at 11:53:34 AM

$20000 is what the Antropic report says they spent on scanning OpenBSD [1].

[1] "Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings.", https://red.anthropic.com/2026/mythos-preview/

by stratos123

4/8/2026 at 6:19:15 PM

Going to be interesting to see how much more downward pressure gets placed on OSS projects (as already alluded to) and what the norm response becomes and what that space evolves into.

Also, assuming something like "0day becomes cheap" it will be interesting to see how this drives discovery->exploit timeframes and scope. I would assume since time is precious you would be inclined to go balls out in terms of impact and scope.

by zingababba

4/7/2026 at 9:04:18 PM

Discussion: https://news.ycombinator.com/item?id=47679121

and Related:

System Card: Claude Mythos Preview [pdf]

https://news.ycombinator.com/item?id=47679258

Assessing Claude Mythos Preview's cybersecurity capabilities

https://news.ycombinator.com/item?id=47679155)

by ChrisArchitect

4/7/2026 at 11:13:54 PM

Strong agreement. I include https://roost.tools in this category of necessary efforts. A strong privacy law would be great, but a more political thing, though there is much we can do as technologists.

by verdverm

4/7/2026 at 9:32:51 PM

I think AI bug scanning is a good thing, it will ensure almost all high severity get caught before entering prod. There can certainly be downsides but I am personally all for it.

by orenlindsey

4/7/2026 at 11:13:21 PM

Only if everyone runs it. The attacker just needs to find one vulnerable system; the defender must protect them all. Obviously given that the tool exists, the defender must run it, but it's not at all clear to me that the existence of the tool different all favours defence.

by Smaug123