Transcript
00:00 Most people who use software every day don't think about bugs.
00:04 They don't think about what can happen if the software that they depend upon suddenly is less secure.
00:12 That's something that software developers have to deal with every single day.
00:19 So software has always had flaws and vulnerabilities. That's not new.
00:23 For an average person, the bugs are by and large not something they notice on a daily basis because if
00:30 they do, they get fixed.
00:32 But then every so often, there are vulnerabilities that have real severe impacts.
00:36 Like one single bug that works its way into shared software that many, many, many different products or websites use.
00:45 So one issue just gets magnified out around the world.
00:48 So historically, finding and patching vulnerabilities has been a slow, time-consuming, and expensive process.
00:55 If LLMs are now able to write code at the level of some of the greatest software developers in the
01:03 world,
01:04 it can also be used to find bugs and exploit that software equally effectively.
01:09 These models have capabilities which are raising the bar from a cybersecurity point of view
01:16 with their ability to help defenders as well as potentially help adversaries.
01:23 We recently developed a new model, Claude Mythos Preview.
01:27 Early on, it was clear to us that this model was going to be meaningfully better at cybersecurity capabilities.
01:33 There's a kind of accelerating exponential, but along that exponential, there are points of significance.
01:40 Claude Mythos Preview is a particularly big jump along that point.
01:45 We haven't trained it specifically to be good at cyber.
01:48 We trained it to be good at code, but as a side effect of being good at code, it's also
01:53 good at cyber.
01:53 The model that we're experimenting with is, by and large, as good as a professional human identifying bugs.
02:03 It's good for us because we can find more vulnerabilities sooner, and we can fix them.
02:07 It has the ability to chain together vulnerabilities.
02:10 So what this means is you find two vulnerabilities, either of which doesn't really get you very much independently.
02:15 But this model is able to create exploits out of three, four, sometimes five vulnerabilities that, in sequence, give you
02:22 some kind of very sophisticated end outcome.
02:24 And we think that this model can do this really well because we notice that this model is very autonomous.
02:30 It's just generally better at pursuing really long-range tasks that are kind of like the tasks that a human
02:38 security researcher would do throughout the course of an entire day.
02:41 Obviously, capabilities in a model like this could do harm if in the wrong hands.
02:46 And so we won't be releasing this model widely.
02:49 More powerful models are going to come from us and from others.
02:53 And so we do need a plan to respond to this.
02:56 That's why we're launching what we're calling Project Glasswing, where we partner with a number of the organizations that power
03:03 some of the world's most critical code
03:04 to put the model into their hands, to allow them to look at how they can use models like this
03:10 to bring down risk and protect everyone.
03:12 And by giving these software developers advanced tools before anyone else, it gives all of us a collective head start.
03:22 It allows us to find things that we couldn't find before, and it helps us fix these things much more
03:30 quickly.
03:30 Working with our partners, we've been finding vulnerabilities across essentially every major platform.
03:36 I found more bugs in the last couple of weeks than I found in the rest of my life combined.
03:41 We've used the model to scan a bunch of open source code.
03:44 And the thing that we went for first was operating systems, because this is the code that underlies the entire
03:51 internet infrastructure.
03:52 For OpenBSD, we found a bug that's been present for 27 years, where I can send a couple of pieces
04:01 of data to any OpenBSD server and crash it.
04:05 On Linux, we found a number of vulnerabilities where, as a user with no permissions,
04:10 I can elevate myself to the administrator by just running some binary on my machine.
04:16 For each of these bugs, we told the maintainers who actually run the software about them,
04:20 and they went and fixed them and have deployed the patches so that anyone who runs this software is no
04:25 longer vulnerable to these attacks.
04:26 For a developer who tirelessly maintains software, a model that can help them discover vulnerabilities in their own code
04:34 and fix them before they can be exploited, that is an invaluable tool.
04:40 We've spoken to officials across the U.S. government, and we've offered to work with them
04:44 and collaborate to assess the risks of these models and to help defend against the risks of these models.
04:51 Everything that we do in our lives now depends on software.
04:55 Software kind of ate the world.
04:57 Every analog aspect of our life is somehow represented in digital domain.
05:01 And so all of our daily lives run on the idea that we can rely on the systems that power
05:07 them.
05:08 Cybersecurity is the security of our society.
05:11 It is essential that we come together and work together across industry to help build better defensive capabilities.
05:19 No single organization sees the whole picture and can tackle this on their own.
05:22 This is not going to be done as part of a few-week program.
05:25 This is going to be the work of certainly months, perhaps years.
05:29 But what I do hope is that at the end of this, we can be in a position where the
05:34 world's software,
05:35 its customer data, its financial transactions, its critical infrastructure are safer than they were before.