00:00:00 >> Most people who use software every day don't think about bugs.
00:00:04 They don't think about what can happen if the software that they depend upon suddenly is less secure.
00:00:12 That's something that software developers have to deal with every single day.
00:00:16 [MUSIC]
00:00:19 >> So software has always had flaws and vulnerabilities, that's not new.
00:00:23 >> For an average person, the bugs are by and large not something they notice on a daily basis
00:00:30 because if they do, they get fixed.
00:00:32 >> But then every so often, there are vulnerabilities that have real severe impacts.
00:00:36 >> Like one single bug that works its way into shared software that many, many, many different products or websites use.
00:00:45 So one issue just gets magnified out around the world.
00:00:49 >> So historically, finding and patching vulnerabilities has been a slow, time-consuming and expensive process.
00:00:55 >> If LLMs are now able to write code at the level of some of the greatest software developers in the world,
00:01:04 it can also be used to find bugs and exploit that software equally effectively.
00:01:10 >> These models have capabilities which are raising the bar from a cybersecurity point of view
00:01:16 with their ability to help defenders, as well as potentially help adversaries.
00:01:23 >> We recently developed a new model, Claude Mythos Preview.
00:01:27 Early on, it was clear to us that this model was going to be meaningfully better at cybersecurity capabilities.
00:01:33 >> There's a kind of accelerating exponential, but along that exponential, there are points of significance.
00:01:40 Claude Mythos Preview is a particularly big jump along that point.
00:01:45 >> We haven't trained it specifically to be good at cyber.
00:01:48 We trained it to be good at code, but as a side effect of being good at code, it's also good at cyber.
00:01:54 >> The model that we're experimenting with is, by and large, as good as a professional human identifying bugs.
00:02:03 It's good for us because we can find more vulnerabilities sooner and we can fix them.
00:02:07 >> It has the ability to chain together vulnerabilities.
00:02:10 So what this means is you find two vulnerabilities, either of which doesn't really get you very much independently,
00:02:16 but this model is able to create exploits out of three, four, sometimes five vulnerabilities
00:02:21 that in sequence give you some kind of very sophisticated end outcome.
00:02:24 >> And we think that this model can do this really well because we noticed that this model is very autonomous.
00:02:30 It's just generally better at pursuing really long-range tasks that are kind of like the tasks
00:02:37 that a human security researcher would do throughout the course of an entire day.
00:02:42 Obviously, capabilities in a model like this could do harm if in the wrong hands.
00:02:46 And so we won't be releasing this model widely.
00:02:49 >> More powerful models are going to come from us and from others.
00:02:53 And so we do need a plan to respond to this.
00:02:56 >> That's why we're launching what we're calling Project Glasswing, where we partner with a number of the organizations
00:03:02 that power some of the world's most critical code to put the model into their hands
00:03:06 to allow them to look at how they can use models like this to bring down risk and protect everyone.
00:03:12 >> And by giving these software developers advanced tools before anyone else, it gives all of us a collective head start.
00:03:22 >> It allows us to find things that we couldn't find before, and it helps us fix these things much more quickly.
00:03:30 >> Working with our partners, we've been finding vulnerabilities across essentially every major platform.
00:03:36 >> I found more bugs in the last couple of weeks than I found in the rest of my life combined.
00:03:41 We've used the model to scan a bunch of open source code.
00:03:44 And the thing that we went for first was operating systems,
00:03:48 because this is the code that underlies the entire Internet infrastructure.
00:03:52 For OpenBSD, we found a bug that's been present for 27 years,
00:03:58 where I can send a couple of pieces of data to any OpenBSD server and crash it.
00:04:05 On Linux, we found a number of vulnerabilities where, as a user with no permissions,
00:04:11 I can elevate myself to the administrator by just running some binary on my machine.
00:04:16 For each of these bugs, we told the maintainers who actually run the software about them,
00:04:20 and they went and fixed them and have deployed the patches so that anyone who runs this software is no longer vulnerable to these attacks.
00:04:27 >> For a developer who tirelessly maintains software,
00:04:30 a model that can help them discover vulnerabilities in their own code and fix them before they can be exploited,
00:04:38 that is an invaluable tool.
00:04:40 >> We've spoken to officials across the U.S. government,
00:04:43 and we've offered to work with them and collaborate to assess the risks of these models and to help defend against the risks of these models.
00:04:50 Everything that we do in our lives now depends on software.
00:04:55 >> Software kind of ate the world.
00:04:56 Every analog aspect of our life is somehow represented in digital domain.
00:05:01 >> And so all of our daily lives run on the idea that we can rely on the systems that power them.
00:05:08 >> Cybersecurity is the security of our society.
00:05:11 >> It is essential that we come together and work together across industry to help build better defensive capabilities.
00:05:19 >> No single organization sees the whole picture and can tackle this on their own.
00:05:22 >> This is not going to be done as part of a few-week program.
00:05:26 This is going to be the work of certainly months, perhaps years.
00:05:29 But what I do hope is at the end of this, we can be in a position where the world's software, its customer data, its financial transactions,
00:05:38 its critical infrastructure are safer than they were before.