Last time, we talked about what Mythos is and why the security world is losing its mind. Today: what actually happened after it launched, what it means for regular people, and what you can do about it.
Enter Glasswing
Right around the time everyone figured out just how big a deal Mythos was going to be, Anthropic announced Project Glasswing:
"Today we're announcing Project Glasswing, a new initiative that brings together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in an effort to secure the world's most critical software."
Sounds great, right? Except it isn't really security. It's marketing.
As William Henderson put it: "Project Glasswing is an enterprise marketing program posing as a socially responsible research breakthrough. Whether the threats are real or not, I don't buy the intentions for a minute."
And then, in the week between when I wrote this and when it was published, we discovered that Mythos was leaked on the same day it was "carefully released" to Glasswing.
The whole point of Glasswing was to use the same big corporations that allowed tech debt to accumulate in the first place to protect us from the consequences of that accumulation. That positioning is now void. The genie is out of the bottle. You can't put the toothpaste back in the tube. You can't un-ring the bell. None of that is getting undone.
Things to think about
Part of the reason we felt we had to write this piece right now is that the New York Times published "It's the End of the Internet as We Know It" this week, and we wanted to make sure you had something to read that wasn't designed to send you spiraling.
Here's the thing: Mythos doesn't just expose vulnerabilities — it also opens up exploits. It flags that something is broken, but thanks to the rise of Vibe Scamming (also brought to you by AI, naturally), companies now have two jobs: fix the vulnerabilities, and block attempts to exploit them while the fixing is happening. That's a programmer problem and a cybersecurity team problem, simultaneously, at scale.
That's an enormous amount of work that produces zero shareholder value, which is exactly why it's been ignored for so long. Nobody wants to be the one to tell the Board there won't be profits for a while because the teams are doing cleanup in aisle 4. I genuinely have no idea how this shakes out — and neither does anyone else. Glasswing suggests some level of accountability, but the docs I've seen don't anywhere touch the part where someone has to explain this to the CFO.
Everyone's talking about how organizations are going to need to overhaul their processes (and oh, are they ever). What nobody's asking is what a software ecosystem that's suddenly wall-to-wall with vulnerabilities means for the people who use that software. You know — you and me.
That's what we do here at the 'Tea. So here we go.
What'cha gonna do?
Update everything, all the time
The era of updating your stuff once a week, once a month, or whenever you feel like it is over. Teams are going to be pushing patches at increasing frequency, and you need to keep up.
Turn on auto-updates wherever you can. If you're not sure something has auto-update, go look it up. Seriously.
Check for updates across everything you use. Phone apps, browser, operating system, desktop applications. Also any smart devices — your Roomba, your fridge, your smart home setup. Also your car. Software. Firmware. Everything.
Don't put off updates. If you see an "update available" notification on anything, drop what you're doing and do it now.
Restart your devices daily. The easiest way to stay clean is to shut everything down at the end of the day and turn it back on in the morning.
Figure out your workarounds. What's your plan if your smart coffeemaker goes down? It sounds silly until it isn't.
Back up, back up, back up some more
With Mythos in the picture, you will never know which vulnerabilities got announced in which software you use, or which ones will get fixed when. Or, to put it another way, not everyone announces patches in a timely manner. There is literally no way to track it, and right now there's no legislation forcing companies to disclose anything. You should assume that anything you use could go down at any moment, experience data loss, or be unrecoverable.
Back up anything that matters to you.
If you can sync to your desktop, do that.
If you can't, set a recurring calendar reminder to download your files from the cloud — iCloud, Google Drive, OneDrive, your password manager, all of it.
Passwords, MFA, the usual
We've been talking about this for a while. Consider this your klaxon.
Password manager. Proton Pass is our current favorite.
MFA (multifactor authentication) everywhere. No exceptions.
Freeze your credit.
Reduce your data footprint. Especially: delete every account you possibly can. Do you really need that Tumblr from the 90s? Download the data, then delete the account.
Death, or renaissance? You decide.
It's going to be chaotic for a while. Existing tech culture suggests that boards aren't suddenly going to do an about-face and get serious about eliminating their tech debt. But then again, that tech debt has never been exposed this thoroughly, this publicly, at this speed before.
From the cybersecurity and consumer side of things, it's possible that Mythos — and the adversarial AIs that follow it — will finally be the forcing function that makes technology slow down and fix its stuff, the way it should have been doing all along.
Want to learn more?
A few of our favorite writers on this topic, so far. We'll update this list as more emerge.
Vulnapalooza: Why Anthropic's Mythos Is the Loudest Headliner Nobody Bought Tickets To — Katie Moussouris explains why this is just going to keep being a thing. Spectacular piece.
Mythos, Memory Loss, and the Part InfoSec Keeps Missing — Justin Elze reminds us that panic isn't helpful, but underreaction hasn't done much good either.
Project Glasswing Is Impressive. The Questions Nobody Asked Are More Interesting — Michael Reichstein: "The cybersecurity industry has a structural problem that predates AI, predates Glasswing, and will outlast both if nobody addresses it directly. It is the gap between knowing about a vulnerability and actually fixing it." He's absolutely right.
Issue # 36





