惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
F
Fortinet All Blogs
B
Blog
GbyAI
GbyAI
P
Proofpoint News Feed
量子位
The Register - Security
The Register - Security
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
云风的 BLOG
云风的 BLOG
V
Visual Studio Blog
B
Blog RSS Feed
WordPress大学
WordPress大学
Recorded Future
Recorded Future
Recent Announcements
Recent Announcements
V
Vulnerabilities – Threatpost
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Secure Thoughts
雷峰网
雷峰网
Stack Overflow Blog
Stack Overflow Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Webroot Blog
Webroot Blog
AWS News Blog
AWS News Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
The GitHub Blog
The GitHub Blog
爱范儿
爱范儿
O
OpenAI News
月光博客
月光博客
H
Hacker News: Front Page
S
Security Affairs
W
WeLiveSecurity
The Hacker News
The Hacker News
aimingoo的专栏
aimingoo的专栏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Help Net Security
Help Net Security
MongoDB | Blog
MongoDB | Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
D
Docker
T
The Blog of Author Tim Ferriss
Spread Privacy
Spread Privacy
Blog — PlanetScale
Blog — PlanetScale
J
Java Code Geeks
S
Securelist
Microsoft Azure Blog
Microsoft Azure Blog
TaoSecurity Blog
TaoSecurity Blog
T
Threat Research - Cisco Blogs
M
MIT News - Artificial intelligence
A
About on SuperTechFans

Hacker News - Newest: "AI"

AI can't read an investor deck AI as an attorney? Student uses ChatGPT, Gemini to sue UW over alleged racial discrimination Hacking MCP Servers in AI Systems – The Rug Pull: Tool Changes After Approval GitHub - MeepCastana/KubeezCut: Free Web based video editor GitHub - GenAI-Gurus/awesome-eu-ai-act: Curated tools, official sources, OSS, templates, and guides for EU AI Act compliance. Can AI judge journalism? A Thiel-backed startup says yes, even if it risks chilling whistleblowers Coming soon: 10 Things That Matter in AI Right Now DARPA built an AI to fact-check enemy weapons claims What explains heterogeneity in AI adoption? When AI Meets Muscle: Context-Aware Electrical Stimulation Promises a New Way to Guide Human Movements - Department of Computer Science AI Changed How We Build. It Did Not Change What Matters. Linux rules on using AI-generated code - Copilot is OK, but humans must take 'full responsibility for the… Meta spins up AI version of Mark Zuckerberg to engage with employees Code Mode: Let Your AI Write Programs, Not Just Call Tools | TanStack Blog GitHub - Delavalom/graft: Go framework for building AI agents. Type-safe tools, multi-provider (OpenAI, Anthropic, Gemini, Bedrock), zero vendor SDKs. India's TCS tops estimates, says new AI models did not dent services demand Gen Z's fading AI hype Strong feeling: we are in a folded AI reality GitHub - machinarii/total-recall-catalog: A reference catalog of latest knowledge retrieval, memory & RAG systems GitHub - mensfeld/code-on-incus: Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.. Quantization, LoRA, and the 8% Problem: Benchmarking Local LLMs for Production AI Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda Powell, Bessent discussed Anthropic's Mythos AI cyber threat with major U.S. banks GitHub - immartian/bellamem: Persistent belief-graph memory for AI agents. Retrieves decisive context by importance — not recency, not RAG, not /compact. recursive-mode: The Repo-Native Operating System for AI Engineering After the attack on Sam Altman's home, will AI CEO's go on the offensive? The biggest advance in AI since the LLM Opus 4.6 vs GPT 5.4 One Prompt Unity World Generation Test “AI polls” are fake polls Client Challenge Can AI be a 'child of God'? Inside Anthropic's meeting with Christian leaders How to Switch AI Chatbots and Why You Might Want To GitHub - MattMessinger1/agentic_refund_guardrail: Safe refund policy layer for AI agents — Python + TypeScript. Same behavior, shared tests. Adam/papers/emergent_values_whitepaper.md at master · strangeadvancedmarketing/Adam Ask HN: How do you stop playing 20 questions with your AI coding tools How far can automation and AI support psychotherapy? - @theU GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits A Mac Studio for Local AI — 6 Months Later A History of the Early Years of AI at the University of Edinburgh Why AI Coding Tools Still Feel Stuck on Localhost MSN AI Datacenters Are Becoming Strategic Targets twitter.com Penn Researchers Use AI to Surface Unreported GLP-1 Side Effects in Reddit Posts Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 AI models are terrible at betting on soccer—especially xAI Grok GitHub - xialeistudio/echoic GitHub - HimashaHerath/github-dev-wrapped: AI-powered weekly GitHub activity reports deployed to GitHub Pages GitHub - alejandrobalderas/claude-code-from-source: Architecture, patterns & internals of Anthropic's AI coding agent — reverse-engineered from source maps AI and Tech brief: Ireland ascendant GitHub - Titovilal/context0: Context0 - Never Surrender Training for a Marathon with an AI Coach: What Worked and What Didn't Cyber Pulse: Agentic Intel - Apps on Google Play I Built an AI PR Reviewer That Catches Bugs by Not Looking for Bugs Gen Z workers are so fearful AI will take their job they’re intentionally sabotaging their company’s AI rollout | Fortune How AI Is Reimagining the Game of Golf–For Both Players and Courses GitHub - nattergabriel/reseed: A CLI tool for managing and distributing agent skills across projects Is SVG the final frontier? My AI workflow evolved from prompts to a near-autonomous workflow MLSharp Help - 3DGS Viewer & Generator I put my cognitive field based AI's runtime on GitHub Is Numble the first AI-proof game? A3: Kubernetes for autonomous AI agent fleets | Emergent Principles Deepali Vyas ("The Elite Recruiter") GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Unionized ProPublica staff are on strike over AI, layoffs, and wages Unleashing the Advantage of Quantum AI We're heading for an AI-fueled 'dementia crisis,' brain scientist warns The AI-Assisted Breach of Mexico's Government Infrastructure [pdf] GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. MSN GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs AI Code is Hollowing Out Open Source, and Maintainers are Looking the Other Way What leaked "SteamGPT" files could mean for the PC gaming platform's use of AI AI is the boss at this retail store. What could go wrong? GitHub - Wuzu11517/agentic-proxy: Local proxy meant to help reduce With Drones, Geophysics and ArtificiaI Intelligence, Researchers Prepare to Do Battle Against Land Mines A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - inevolin/resume-cli: Hit Claude usage limits? Resume any AI coding session elsewhere. Switch tools at zero friction. GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. How to Build a Secure AI PR Reviewer with Claude, GitHub Actions, and JavaScript This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts Intel Arc Pro B70 Brings 32GB VRAM to Local AI for $949 WordPress 7.0: The Good, the AI, and the Still Missing AI on the couch: Anthropic gives Claude 20 hours of psychiatry IatroBench: Pre-Registered Evidence of Iatrogenic Harm from AI Safety Measures AI Agents Know About Supabase. They Don't Always Use It Right. The history and future of AI at Google, with Sundar Pichai Inside an AI‑enabled device code phishing campaign How Meta Used AI to Map Tribal Knowledge in Large-Scale Data Pipelines AI for Systems: Using LLMs to Optimize Database Query Execution Forecasting the Economic Effects of AI Introducing Tinker: Play with AI, bring your ideas to life AI sheds light on an ancient gaming mystery People really hate AI but not as much as Iran—or Democrats | Fortune What is an AI Product Engineer? Phoebe Gates wants her $185 million AI startup to succeed with 'no ties to my privilege or my last name': 'I have a chip on my shoulder' | Fortune
Mythos Fallout, U.S. Government Weighs AI Model Regulation
speckx · 2026-05-08 · via Hacker News - Newest: "AI"

Mythos Fallout, U.S. Government Weighs AI Model Regulation

The Trump administration is considering applying stricter oversight to American artificial intelligence (AI) models due to their cybersecurity impact. However, before pulling the trigger on strict and inflexible regulation, we believe the government should spend a little time watching and learning.

This apparent shift from the administration's light touch AI regulation has reportedly been driven by concern about the hacking capabilities of frontier models. 

According to the New York Times, the administration wants to establish a group made up of tech executives and government officials to propose oversight procedures for the roll out of all new AI models. The group is likely to consider a range of options, including a formal government review process.

Globally, cyber security authorities are already bracing for the impact of increasingly capable models. Last week, the U.K.'s National Cyber Security Centre CTO Ollie Whitehouse warned of an impending "vulnerability patch wave" as AI finds and fixes vulnerabilities that have accrued over decades.

The Cybersecurity and Infrastructure Security Agency (CISA), meanwhile, is considering imposing shorter patch deadlines for U.S. government systems. The default patch deadline for bugs that are being actively exploited could be reduced from three weeks to as little as three days. For what it's worth we think patching faster is a fine idea, but we also think organisations will get more bang for their buck by focusing on security fundamentals that help to mitigate all bugs. You can't patch your way out of "the bugpocalypse".

While Whitehouse describes a "wave" of patches, the reality is it will be waves, plural. Every time new models are released they will rapidly be used to discover more bugs in commonly used software with basic prompts. If that capability is available to all and sundry, it will cause problems. Anthropic and OpenAI are seemingly aware of this and have taken different approaches to mitigating these risks.

Anthropic released its latest model, Mythos Preview, to a limited number of trusted organisations, in its Project Glasswing initiative. The idea was to give these organisations a head start in finding and patching vulnerabilities before the model was rolled out more broadly. Mozilla reported that it had fixed 271 Firefox vulnerabilities after being granted access. 

Unlike Anthropic, which restricted access to Mythos to a select few, OpenAI released its latest model GPT5.5 to all customers who wanted it and instead relied on model safeguards to prevent it from dangerously spilling 0day exploits. Users in cybersecurity roles who ran into these safeguards could verify their identity with OpenAI to get them dialled back. 

This Trusted Access for Cyber program provides users "reduced friction around safeguards" when individuals and enterprises are able to satisfy its Know-Your-Customer and trust requirements. Customers who prove that they are legitimate cyber defenders can also get access to more niche versions of OpenAI's models that have more advanced cyber capabilities coupled with fewer restrictions. 

These are very different release approaches for models with similar capabilities. Anthropic's approach is very cautious, OpenAI's is more open. 

The White House response so far has been to crack down on the cautious one. The Wall Street Journal reported late last week that the White House was opposing Anthropic's plan to expand access to Mythos to another 70 companies. There has been no such pronouncements about OpenAI's GPT5.5, which is funny when you consider that it is widely available and the U.K.'s AI Security Institute (AISI) found that it might actually be better than Mythos at cybersecurity tasks.

We expect that the administration will eventually zero in on a position where AI companies have consistent release policies, rather than allowing each to make up their own rules.  

It’s not just frontier models that present risks here, though. Last week Niels Provos, a former Google Distinguished Engineer, wrote a blog post titled "Finding Zero-Days With Any Model." He used an orchestration harness and older commercial and open weight models to independently rediscover bugs found by Mythos. 

Provos proved that the vulnerability discovery gap between Mythos and GPT5.5 being driven by a novice and older models being driven by experts is not as big as it seems. Thus, holding back Mythos or GPT5.5 to a White House-approved circle of trust for 90 days probably won't achieve as much as we'd like.

A better approach may be for the government to wait and see so that it can understand what is happening and can make informed decisions further down the track. How many 0day vulnerabilities does each new model release shake out? What are their CVSS scores? Is that number trending up or down over time? Are vendors actually patching the bugs? What is the state of vulnerability discovery using older and open weight models? Are the frontier labs acting responsibly? 

The broader point here is that it is pretty clear that the rise of powerful AI cyber capabilities is a generational shift that policymakers don't yet understand how to respond to. Attempting to stagger the access to the technology's bleeding edge is intuitively attractive, but there are good reasons to believe that it will have little impact. 

Australia Launches Hamstrung Cyber Review Board

This week Australia's Minister for Cyber Security, Tony Burke, announced the establishment of a Cyber Incident Review Board. This is timely, especially given the rise of AI, but the board's impact will be limited by its approach to liability. 

The Minister's press release says the board will conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The intent is to "deliver actionable recommendations to government and industry to help prevent, detect, respond to, and minimise the impact of similar incidents in the future". 

The implementing legislation, the Cyber Security Act 2024, says that one criteria for reviewing an incident should be if it "involved novel or complex methods or technologies, an understanding of which will significantly improve Australia’s preparedness, resilience, or response to cyber security incidents of a similar nature."

Timely, given that the rise of AI will undoubtedly result in novel types of attacks. 

Unfortunately the legislation states that the board must not apportion blame or provide the means to determine liability. This blunts the board's ability to point out that a serious security incident may have been downstream of a victim organisation making poor decisions and failing to prioritise security. 

See, for example, the U.S. Cyber Safety Review Board (CSRB) excoriating Microsoft for a "cascade of security failures." That report didn't pull its punches and shortly after it was released Microsoft CEO Satya Nadella issued an all-hands memo declaring that security was the company's top priority. It also served as a warning to other companies that security was something they should care about. 

The Australian version of that CSRB report? It can't apportion blame, so we’re guessing it would say something like, “Someone, somewhere made mistakes.”

By contrast, the legislation for Australia's transport safety investigations can apportion blame, while still maintaining liability protections: "A report…is not admissible in evidence in any civil or criminal proceedings."

This small change makes a huge difference to the ability of the Board to drive change and actually achieve its stated goals. We're pretty sure there will be a spate of upcoming incidents where the root cause is less technical and more greedy-executives-doing-dumb-stuff-with-AI without a passing thought about security. It would be a shame if the Board is not able to state that plainly. 

Three Reasons to Be Cheerful This Week:

  1. U.S. and China collaborate on Dubai scam center takedown: The coordinated takedown led to more than 270 arrests and dismantled nine scam centers that were being used in cryptocurrency investment scams. The takedowns involved what the Department of Justice called "unprecedented cooperation" between the FBI, the Chinese Ministry of Public Security and the Dubai Police. The Record has further coverage.  

  2. Elections Canada watermarked electoral lists releases: Ars Technica covers how Elections Canada was able to trace the provenance of a leaked electoral list because it inserts bogus data as a form of fingerprinting into the lists it distributes to legitimate recipients. We'd call this a type of watermark, but Ars uses the term 'canary trap' and we like the clever use of a simple technique.  

  3. FTC bans data broker sensitive data sales: The data broker Kochava and the U.S. Federal Trade Commission have agreed to settle a complaint in which the FTC alleged that Kochava was selling the precise geolocation of customers without consent. This included sensitive locations including places of worship and health care clinics. There was no fine, but Kochava has agreed to stop sharing or selling sensitive location data. The Record has further coverage.

Shorts

Google's Vulnerability Reward Programs Change Because AI

Google has announced changes to its vulnerability reward programs that reflect the impact AI is having on bug discovery and remediation. The program now rewards reports that are impactful and also hard for automated AI tooling to find. For example, a full chain Pixel Titan M2 compromise with persistence pays up to USD$1.5 million. But other rewards are going to be reduced. Also, bug reports now don't really need words, as much as some sort of "concrete proof of exploitability" and, ideally, proposed patches.

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq  discuss the breakdown of cyber norms. What would have been an unthinkable cyber operation just a few years ago is now a regular occurrence.

From Risky Bulletin:

Extremely targeted supply chain attack hits DAEMON Tools: A supply chain attack is currently ongoing on the website of DAEMON Tools, a popular app for burning CDs and DVDs, and for creating bootable USB drives.

DAEMON Tools installers have been shipping with a backdoor since at least April 8. The installers were signed with the vendor's legitimate certificate, suggesting deep access to the AVB Disc Soft's internal network and processes.

The backdoor triggers every time the user runs their PC, collects data about the host, and uploads it to a remote server. Collected data includes the machine's MAC address, hostname, system locale, DNS domain name, and a list of active processes and installed software.

[more on Risky Bulletin]

DigiCert hacked with a malicious screensaver file: A threat actor gained access to DigiCert's backend and stole 27 code signing certificates they later used to sign malware.

The incident took place last month and was traced back to a social engineering attack that successfully compromised two employees of DigiCert's tech support team.

According to DigiCert's post-mortem, the attacker posed as a customer and tricked the tech support staff into running an SCR file, a format used to install and configure Windows screensavers.

[more on Risky Bulletin]

The mysterious hack of Moldova's healthcare database: A mysterious hacking group has stolen the personal and financial information of Moldovan citizens from the country's national healthcare database.

Moldova's national health insurance agency, CNAM, confirmed that data was stolen but denied initial news reports that almost a third of the database had been destroyed in the attack.

Ion Vintilă, an adjunct director for Moldova's Cybersecurity Agency, had told reporters in a taped interview that almost 30% of the agency's data was impacted in the incident, but didn't specify in what manner.

[more on Risky Bulletin]