PATCH SOFTWARE

“Notably, they are not releasing this model to the public because they claim it is too dangerous to do that. Instead, they are giving access to a consortium of tech companies, including Cisco, Broadcoms, or makers of Internet infrastructure, as well as Microsoft, Apple, Amazon. Basically, every big tech company that is not OpenAI or Meta is getting access to this model, but not general access. Just access to do defensive cybersecurity testing, basically, to go out and harden their systems and their infrastructure and their software before the general public can get its hands on this model.”

“And so where I see the government potentially being involved is maybe setting some standards for disclosure. If you have an AI that has certain capabilities, do we need to track that? Do we need to notify anybody? And how is this going to be coordinated?”

“One of them was that this model apparently found a twenty seven year old security flaw in OpenBSD. OpenBSD is an open source operating system that runs on firewalls and routers. It is sort of like a critical security layer on the Internet, and it was designed specifically to be hard to hack. And this model, because of its advanced coding and reasoning capabilities, was able to find this bug that twenty seven years worth of professional security researchers had not been able to find.”

“The capabilities of Mythos Preview, according to Anthropic and those that have used it are, it's basically like a hacking ray. You can point it at software and even if you don't have the source code, it can still detect vulnerabilities and write code that will exploit it. So a human doesn't need to do anything to break into that software.”

“With Tesla starting a heavy capital expenditure program, at least 20 billion, if not higher, to fund its transition to an AI and robotics company, I think the market was worried coming into 2026 of where would that cash come from and could Tesla still generate strong free cash flow or even some positive free cash flow while that program is ramping up. And so positive free cash flow in the first quarter puts them to a good start to the year.”

“In other words, the original ceasefire wasn't actually a ceasefire. So to extend it doesn't actually mean anything, because there was no ceasefire to begin with. So as Iran said, yes, it means nothing. And we already have proof of this, because just yesterday we learned that Iran attacked another three ships in the Strait of Hormuz. They fired at one ship that was passing just off the coast of Iran, and then another two that were in the Gulf of Oman.”

“With Tesla starting a heavy capital expenditure program, at least 20 billion, if not higher, to fund its transition to an AI and robotics company, I think the market was worried coming into 2026 of where would that cash come from and could Tesla still generate strong free cash flow or even some positive free cash flow while that program is ramping up. And so positive free cash flow in the first quarter puts them to a good start to the year.”

“In the long term, it means we're going to completely change how we manage software vulnerabilities, because up until this point, at least in theory, you find out about a vulnerability, you work really hard, you patch it, maybe it'll take a few weeks, maybe it'll take a few months, and you hope that the bad guys don't manage to figure out the same thing and exploit it first, right? So we've had that lag, and now I'm sure this is a complete emergency for all the major tech companies.”

“You have a new model that you claim is the most powerful model in the world. So instead of selling it, you give a $100,000,000 of claud credits away to a consortium of companies that includes many of your competitors, which is what Anthropic is doing. That is not how I personally would market a spooky new model if I were in the business of marketing spooky new models.”

“Tesla was able to launch its RoboTaxi in two new markets by April, where we see them starting in Dallas and Houston. And interestingly, they're launching immediately into the unsupervised RoboTaxi. So if you remember, when they started in Austin, there was a human safety monitor who would ride in the front passenger seat of the vehicle. But with the Dallas and Houston launches, they're going directly to no safety monitor, which tells me that the software is progressing well, testing is going well enough to enter new markets and immediately not need the safety monitor.”

“No. In my mind, it is obvious why. Like, if you're a corporation and you release a tool and people with no real technical expertise are able to use it and within a few hours discover a novel exploit in the Linux kernel and then take over other people's machines to cause crimes, you might be held liable as a corporation. You will get in trouble at like, there will be congressional hearings. So companies just in their rational self interest do not want to sell cyber weapons on the open market.”

“One of the things we document that's new here is as a condition of the exit of the board members who had moved against Sam that he wanted out. They insisted on an outside investigation. What happened there is, in my view, quite extraordinary, which is, yes, at private companies, sometimes reports of this type, when a law firm is brought in to restore legitimacy can be kept out of writing. Often, it's to limit liability, And often, legal experts say it's a bit of a red flag. And what we report in this piece for the first time is there wasn't a report. For years, people were like, where's the report? Where's the report? There wasn't a report because it was kept out of writing.”

“We are entering the next chapter of the story, which we ought to call news fatigue, where the headlines become overwhelming, the news becomes confusing, and eventually we get bored of it, and we decide to stop caring altogether. This is what happened with Iraq, it's also what happened with Afghanistan, and it is now happening with Iran, and we are seeing that reflected in the markets.”

“The capabilities of Mythos Preview, according to Anthropic and those that have used it are, it's basically like a hacking ray. You can point it at software and even if you don't have the source code, it can still detect vulnerabilities and write code that will exploit it. So a human doesn't need to do anything to break into that software.”

“On June 10 in San Francisco, we are doing the second ever installment of Hard Fork Live. It's happening on June 10 in San Francisco at the Blue Shield of California Theater. Bigger venue than last year. Tickets will be on sale at nytimes.com/events. Not today, but next Friday, April 17.”

“Bloomberg reported that a small group of unknown, unapproved users have had access to the model Mythos for two weeks. They broke into the model the same day Anthropic launched Project Glasswing, a controlled rollout giving a select group of companies exclusive access to the model. Anthropic says it is investigating the security breach from these unidentified individuals but has found no evidence of malicious use so far.”

“And then there is the white hot center of the rivalry, the stuff you mentioned that I think is in a very different category, which is, you know, Elon Musk and other direct competitors really amplifying everything they can come up with. And in some cases, we document things that are inflated or trumped up or just seem to not be true. So Elon Musk, in particular, has intermediaries circulating some pretty spicy and pretty unsubstantiated material in Silicon Valley, and we talk about that.”

“In other words, the original ceasefire wasn't actually a ceasefire. So to extend it doesn't actually mean anything, because there was no ceasefire to begin with. So as Iran said, yes, it means nothing. And we already have proof of this, because just yesterday we learned that Iran attacked another three ships in the Strait of Hormuz. They fired at one ship that was passing just off the coast of Iran, and then another two that were in the Gulf of Oman.”

“Then if we look at factory expansion plans, the transition to take the factory that was making Model S and Model X vehicles and take that to produce the Optimus Humanoid Robots is still on track for to enter production by the end of this year. And so with Tesla's two big pillars in the future going to be self-driving cars and Humanoid Robots, both of those initiatives are on track with the positive free cash flow and that led the stock to rise after hours.”

“But I asked my friend, do you have a password manager, and do you reuse passwords for the same thing? And she said, you know, I've never really been able to to get one of those, password managers to work for me, and I do sometimes reuse my passwords. So I said, like, look. If if you're looking for something that you can do, just make sure that you have done your basic online cybersecurity hygiene. You should use a password manager. I use one password. There are many others out there that are just as good. Don't use the same password for anything. Your passwords should be randomly generated and not, you know, the name of your pet or whatever. And then use multifactor authentication where you can.”

“Relatedly, by the way, a a lot of announcements over there right concentrated around when they knew we were gonna be running and right developed in the period where we were in these intensive conversations with them. And many of them sort of pointed at the topics in the piece. You know, they announced this new safety fellowship that's very airy. They announced this new governance plan that's very sort of airy and ethereal, but are meant to, I think, you know, occupy space in the conversation on the same topics.”

“In the long term, it means we're going to completely change how we manage software vulnerabilities, because up until this point, at least in theory, you find out about a vulnerability, you work really hard, you patch it, maybe it'll take a few weeks, maybe it'll take a few months, and you hope that the bad guys don't manage to figure out the same thing and exploit it first, right? So we've had that lag, and now I'm sure this is a complete emergency for all the major tech companies.”

“Bloomberg reported that a small group of unknown, unapproved users have had access to the model Mythos for two weeks. They broke into the model the same day Anthropic launched Project Glasswing, a controlled rollout giving a select group of companies exclusive access to the model. Anthropic says it is investigating the security breach from these unidentified individuals but has found no evidence of malicious use so far.”

“Anthropic has been running this model internally for several weeks now, and they claim that this thing has found vulnerabilities in every major operating system and web browser. They gave some examples, that have already been patched. One of them was that this model apparently found a twenty seven year old security flaw in OpenBSD. OpenBSD is an open source operating system that runs on firewalls and routers. It is sort of like a critical security layer on the Internet, and it was designed specifically to be hard to hack.”

“Number two, and this is just in time for pride. They will tell you when there is a rainbow in your neighborhood. This is such a good idea for a weather app. Yes. Who does not wanna be sitting at your wage slave job? You haven't been outside in, like, seven and a half hours, and then ACME weather tells you, hey. Guess what? There's a rainbow in your neighborhood. You're gonna book it outdoors, and you are gonna behold the majesty of creation.”

“One more piece on on the regulatory front. It is crazy to me that model development of this scale and seriousness remains essentially unregulated in this country. Right? Here you have a private company saying, well, we have now created software that can create so many different kinds of novel exploits that all software might have to be rewritten, and they are not really under any kind of regulatory regime. And the regulatory regime that previous administration tried to put into place was thrown out by the current one because it might harm American competitiveness.”

“Tesla was able to launch its RoboTaxi in two new markets by April, where we see them starting in Dallas and Houston. And interestingly, they're launching immediately into the unsupervised RoboTaxi. So if you remember, when they started in Austin, there was a human safety monitor who would ride in the front passenger seat of the vehicle. But with the Dallas and Houston launches, they're going directly to no safety monitor, which tells me that the software is progressing well, testing is going well enough to enter new markets and immediately not need the safety monitor.”

“Alex Stamos said, like, yes. This is a big deal. And he was hoping for a long time that we would see a consortium come together like this because of exactly what you just said, Kevin. The intelligence in in these machines and their ability to work autonomously are now great enough that they can chain together exploits that human beings either would never see, would take them a long time to see, or they would just never get to because we're we're limited in ways that these machines are not.”

“So they are at least claiming that they are trying to get ahead of what they envision will be a reckoning, was what was the word they used, to force cybersecurity. And it seems plausible to me that in the next kind of six ish months, every major piece of software in the world is going to need to be patched, rewritten, and rereleased.”

“Then if we look at factory expansion plans, the transition to take the factory that was making Model S and Model X vehicles and take that to produce the Optimus Humanoid Robots is still on track for to enter production by the end of this year. And so with Tesla's two big pillars in the future going to be self-driving cars and Humanoid Robots, both of those initiatives are on track with the positive free cash flow and that led the stock to rise after hours.”

“And so where I see the government potentially being involved is maybe setting some standards for disclosure. If you have an AI that has certain capabilities, do we need to track that? Do we need to notify anybody? And how is this going to be coordinated?”

“We are entering the next chapter of the story, which we ought to call news fatigue, where the headlines become overwhelming, the news becomes confusing, and eventually we get bored of it, and we decide to stop caring altogether. This is what happened with Iraq, it's also what happened with Afghanistan, and it is now happening with Iran, and we are seeing that reflected in the markets.”