George Hotz Challenges Anthropic's Mythos AI, Says Zero-Days Are Not Rare

George Hotz Dismisses Hype Around Anthropic's Mythos AI Model

George Hotz, the renowned hacker who first unlocked an iPhone and cracked Sony's PlayStation 3, has issued a stark message to those alarmed by Anthropic's new AI model, Mythos: calm down. In a recent LinkedIn post, Hotz—now CEO of self-driving car startup comma.ai—asserted that he could identify zero-day vulnerabilities more cheaply and rapidly than Mythos, if not for legal restrictions like bug bounty programs.

Hotz's Bold Offer and Critique of Anthropic's Claims

Hotz made a provocative offer: to find one zero-day vulnerability per day until a major new AI model is released, aiming to demonstrate that such exploits are not as elusive as portrayed. He directly challenged Anthropic's assertion that Mythos represents a cybersecurity breakthrough, describing its discovery of a 27-year-old OpenBSD bug and its exploitation of FreeBSD's NFS server for root access as overhyped. "These things are not that hard to find in most software," Hotz wrote, emphasizing that the difficulty lies in legal barriers, not technical complexity.

The Core Argument: Zero-Days Are Illegal, Not Impossible

Hotz's central thesis is straightforward: zero-day vulnerabilities are rare not because they are inherently difficult to detect, but because exploiting them is illegal, and skilled hackers often pursue more lucrative or ethical avenues. He noted, "Criminals are usually not very skilled, or they would choose a different line of work," suggesting that the talent pool for such exploits is limited by legal and moral constraints.

This perspective is shared by other experts in the field. AI researcher Gary Marcus labeled the Mythos announcement as "overblown," highlighting that the demonstrated Firefox exploit had sandboxing disabled—a condition that does not reflect real-world attack scenarios. Yann LeCun, co-founder of AMI Labs and former chief AI scientist at Meta, was even more blunt, calling the drama surrounding Mythos "BS from self-delusion."

Technical Pushback from AI Security Startup Aisle

The most pointed technical rebuttal came from AI security startup Aisle, which tested the specific vulnerabilities highlighted by Anthropic using small, affordable, open-weights models. All eight models evaluated, including one with just 3.6 billion active parameters costing $0.11 per million tokens, successfully detected the flagship FreeBSD buffer overflow.

Anthropic reportedly spent approximately $20,000 in tokens to uncover the OpenBSD bug across a thousand runs. Aisle's analysis suggests that once the relevant code is isolated, the core reasoning required for such detections is already accessible with existing models that are widely available today.

Recognition of Mythos's Genuine Sophistication

Despite the criticism, experts acknowledge that Mythos does possess genuine technical sophistication. Researchers examining the Linux kernel exploit chains—which involved chaining four vulnerabilities to achieve root access and bypass HARDENED_USERCOPY through innovative kernel stack reads—confirmed the model's advanced capabilities. The autonomous exploit construction rate surged from under 1% on Opus 4.6 to 72% on Mythos, indicating a significant leap in performance.

Hotz's Unanswered Challenge to the Cybersecurity Community

Hotz's challenge remains open: if Mythos is truly groundbreaking, he urges others to find new zero-day vulnerabilities at a similar level without Anthropic's assistance. To date, no one has publicly met this challenge, underscoring the ongoing debate about the model's real-world impact versus its marketed potential.

This controversy highlights broader questions in cybersecurity about the balance between AI advancements and practical exploitability, with Hotz's insights adding a critical voice to the discourse.
