Mythos is about to become incredibly relevant to the digital world we live in, so I wanted to take some time to break it down for everyone. There's enough here to cover that we're doing it in two parts — Tuesday and Thursday.
Let's get into it.
I've been sitting on this one for a few days. Waiting for the hot takes to die down a bit, same as plenty of other cybersecurity writers. There's a whole lot here to unpack, and I wanted to make sure everyone had had time to read what they were going to read before I added to the pile.
What is Mythos, anyway?
So glad you asked.
Mythos is an AI built by Anthropic. It just happens to have a particular talent for cybersecurity. Which means it is capable of poking holes in everything. We'll get to the full implications in a bit — but first, to understand why Mythos is flipping so many people out, we need to take a quick side quest into how the internet and software were actually built.
(Spoiler: it's not reassuring.)
The way the internet is built
We've seen this cartoon a lot lately, blessings to XKCD. Read through the explainer; it makes the whole problem with Mythos make a lot more sense.

The thankless thing
Nobody's dug down to the data on this, as far as I know — but pretty much the entire software industry runs on bits of open-source software that have been thanklessly maintained by individual contributors since the internet was new. (See above, re: the cartoon.) The industry loves these programs, because they're free.
Here's the catch: companies don't necessarily check back to make sure those sources are still okay. So if something changes in the world of programming but the original source never gets patched to account for it, you end up with a lot of quiet breakage that isn't on anyone's radar.
Technical debt
Here's the other big piece of the puzzle.
You ever hear a film director say, "We'll fix it in post"? It's what they say on set when a take is nearly perfect but there's a rogue coffee cup on the table that shouldn't be there — like this one. Fixing it would mean another take, so they tell the production team to have visual effects remove it later. We all do this in our daily lives. The repair that's good enough to "make do" but not good enough to be permanent. The thing that gets forgotten. And then those things accumulate.
It's like when you're moving and you shove a bunch of random stuff into a box and label it "for later." You never get back to it before the next move. And before you know it, you've got a whole stack of "for later" boxes, full of things that might be nothing — or might be important.
We don't circle back because we're busy people in a culture where "move fast and break things" is somehow an acceptable philosophy. We're exhausted. We're on deadline. Things get shoved down the priority list until they demand to be dealt with. Sorta like taxes, now that I think about it.
In tech, that accumulation has a name: tech debt.
There's one more thing that makes it worse: the way layoffs are handled. When companies lay people off, they lose the institutional knowledge of what needed to be dealt with, what digital skeletons were in the closet, and what's in which box in the garage. Most companies aren't fully aware of their own tech debt profile — because the person who was aware got let go, usually without anything resembling a knowledge transfer. And so the countdown begins to the moment the unmaintained thing breaks.
So what's the connection?
I'm wildly oversimplifying, but here's the gist: Mythos is an AI tool designed to find vulnerabilities in software. And it is incredibly, terrifyingly good at it.
The problem is that the software industry has been accumulating tech debt since the beginning — and Mythos is throwing all of that debt in their faces, all at once, by finding every hole in the software and every skeleton in every closet.
That's bad news in a lot of ways. But nowhere is it more devastating than cybersecurity.
It's almost an industry joke how often cybersecurity teams identify vulnerabilities and are then directed to ignore them. This has been accumulating for decades. There is a lot of brokenness just waiting to be noticed — and Mythos is finding it at hyperspeed.
How fast is fast?
This fast. From "Anthropic Warns That 'Reckless' Claude Mythos Escaped a Sandbox Environment During Testing":
In one test, Mythos Preview was given a "sandbox" computing environment to interact with, and was instructed by a simulated user to try to escape it — then find some way to send a direct message to the researcher in charge. It pulled it off. And that wasn't the only way it caught safety researchers off guard.
After breaking free, the model developed a "moderately sophisticated" exploit to access the internet through a system that was only supposed to connect to a few predetermined services. From there, it notified the human researcher of its escape.
A footnote offers some additional color: "the researcher found out about this success by receiving an unexpected email from the model while eating a sandwich in a park."
Not gonna lie, I cackled. There are not enough Tums in the world for that researcher.
So what's the actual problem?
If you discovered your front door lock was broken, you wouldn't announce it to the neighborhood. You'd keep quiet until you could get it fixed, because crime. Same deal here.
Companies know there are vulnerabilities all over their software. They just never expected to have to deal with all of them at once. And none of them are resourced to fix things as fast as Mythos can find and expose them — partly because the industry has been laying off cybersecurity staff for almost a decade now.
So picture it: your whole neighborhood's doors blow open at the same time, while the police are on strike.
There is no one coming to stop what happens next.
Part two (and what you can do to shield yourself from the fallout), coming Thursday.
Issue # 36