Another Spectre In The Shell

Apr 11, 2026

They unpack an AI model that uncovered dozens of deep zero-days and a 27-year-old OpenBSD bug. They wrestle with what widespread exploit generation means for supply chain security and memory-safe languages. They debate cooldowns for package upgrades, recall large-scale vulnerability remediation stories, and explore AI as a personal assistant and scalable source-control ideas.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

LLMs Can Unearth And Exploit Decades Old Zero Days

Claude Mythos can autonomously find and exploit deep, long-standing zero-days across major OSes and browsers.
Anthropic found 147 JS-engine bugs in Firefox and a 27-year OpenBSD bug, showing LLMs surface subtle, multi-stage exploits humans rarely craft.

INSIGHT

Automated Research Changes The Threat Model

Democratized automated vulnerability discovery changes threat models because bugs once impractical to exploit become trivially discoverable and weaponizable.
Many findings are memory-safety issues remaining from C/C++ code; the quantity accelerates triage demand on small teams.

ADVICE

Use Short Release Delays For Automated Security Checks

Prefer short analysis delays over blanket cooldowns by exposing new releases only after automated checks run.
Steve suggests servers could withhold advertising a version as "latest" for days to allow scanners to catch issues.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

It's Kris, Matt, and Steve this week. It's also Matt's last episode before becoming a father. The conversation opens with Claude Mythos, Anthropic's unreleased model that found 147 zero-days in Firefox's JavaScript engine and a 27-year-old bug in OpenBSD. Steve, who's lived through before, puts it in context. The panel also discusses cooldown periods for package upgrades, the implications of nation-state hacking capability becoming available to anyone, and using AI for good.

Supporter content? We've got it! This week it includes a dive into post-quantum security and state-sponsored social engineering attacks. Not a supporter yet? Fix that today by heading over to https://fallthrough.fm/subscribe where you'll get not only extra content but also higher quality audio. Sign up today!

If you prefer to watch this episode, you can view it on YouTube.

No episode of Break this week. We'll have more aftershow episodes soon! In the meantime, catch up on previous episodes at https://break.show.

Thanks for tuning in and happy listening!

Table of Contents:

Prologue (00:00:00)
Chapter 1: Matt's Last Episode Before Fatherhood (00:01:09)
Chapter 2: The Supply Chain Crisis and Claude Mythos (00:03:18)
Chapter 3: The Implications of Democratized Hacking (00:08:43)
Chapter 4: The Cooldown Period Debate (00:13:00)
Chapter 5: Steve's Rails Zero-Day War Story (00:18:54)
Chapter 9: Using AI as a Personal Life Assistant (00:23:13)
Chapter 12: Steve & East River Source Control (00:28:54)
Chapter 13: Git's Design Limitations and the Stack Diffs Model (00:39:08)
Epilogue (00:44:57)

Hosts

Socials:

(00:00) - Prologue
(01:09) - Chapter 1: Matt's Last Episode Before Fatherhood
(03:18) - Chapter 2: The Supply Chain Crisis and Claude Mythos
(08:43) - Chapter 3: The Implications of Democratized Hacking
(13:00) - Chapter 4: The Cooldown Period Debate
(18:54) - Chapter 5: Steve's Rails Zero-Day War Story
(23:13) - Chapter 9: Using AI as a Personal Life Assistant
(28:54) - Chapter 12: Steve & East River Source Control
(39:08) - Chapter 13: Git's Design Limitations and the Stack Diffs Model
(44:57) - Epilogue