Google says criminal hackers used AI to find a major software flaw
62 points
9 hours ago
| 13 comments
| nytimes.com
| HN
Unlocked: https://www.nytimes.com/2026/05/11/us/politics/google-hacker..., https://archive.ph/I4Ui5

https://apnews.com/article/google-ai-cybersecurity-exploitat...

https://www.cnbc.com/2026/05/11/google-thwarts-effort-hacker...

sowbug
58 minutes ago
[-]
Security will be a wedge to restrict the sophistication of open-weight and local LLMs, just as it's been used to demonize and restrict cypherpunk technologies.
reply
kshacker
46 minutes ago
[-]
As long as it is within the country, restriction works. How do you restrict the capability from a foreign entity, especially a hostile one?
reply
jazzyjackson
19 minutes ago
[-]
netsplit, I guess. decide that the risk of an open network is too great and simply block all routing out of the country through the ISPs and consider the political power that goes along with a global satellite constellation under rule of a single, government-aligned corporation.
reply
s3p
1 hour ago
[-]
>But new A.I. models like Anthropic’s Mythos, which was announced last month, appear to be so good at finding such holes that Anthropic shared it only with a limited number of firms and government agencies in the United States and Britain.

Immediate distrust of the article. GPT 5.5 is out with nearly the same capability. The author might be parroting company marketing, unable to discern that a lot of this is much less complex than it seems. For all we know this group could have had a model examine some obscure line of code thousands of times until it found something.

reply
reaperducer
39 minutes ago
[-]
Immediate distrust of the article… The author might be parroting company marketing, unable to discern that a lot of this is much less complex than it seems.

https://www.nytimes.com/by/dustin-volz

> I am based in The Times’s Washington bureau, and much of my focus is on the dealings of U.S. cybersecurity and intelligence agencies, including the National Security Agency, Central Intelligence Agency, Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, as well as their counterparts abroad, chiefly in China, Russia, Iran and North Korea.

> My remit spans nation-state hacking conflict, digital espionage, online influence operations, election meddling, government surveillance, malicious use of A.I. tools and other related topics.

> Before joining The Times, I worked at The Wall Street Journal, where I spent eight years covering cyber conflict and intelligence. My recent work at The Journal included a series of articles revealing a major Chinese intrusion of America’s telecommunications networks that breached the F.B.I.’s wiretap systems and has been described as one of the worst U.S. counterintelligence failures in history. I have also worked at Reuters and National Journal, where I began my career in Washington chronicling congressional efforts to reform surveillance practices at the N.S.A. in the wake of the 2013 Edward Snowden disclosures.

> My work has been internationally recognized, including by the White House Correspondents’ Association, the Gerald Loeb Awards, the Society of Publishers in Asia and the Society for Advancing Business Editing and Writing.

What have you done lately?

reply
LudwigNagasena
27 minutes ago
[-]
Reporting on such stuff requires networking skills, not technical knowledge.
reply
reaperducer
22 minutes ago
[-]
Reporting on such stuff requires networking skills, not technical knowledge.

Guess how I know you've never been a reporter.

reply
himata4113
12 minutes ago
[-]
nytimes reporters have recently been very disappoiting and starting to feel like they're people who managed to become relevant long time ago, but haven't kept up with recent changes and are just parroting things others have said instead of unique thoughts.
reply
flextheruler
30 minutes ago
[-]
https://www.logicallyfallacious.com/logicalfallacies/Appeal-...
reply
reaperducer
26 minutes ago
[-]
Not at all.

OP posited that the author didn't know what he's talking about. I pointed out that the author has far more knowledge and experience in the field than rando internet griefers on HN who immediately reach for "shoot the messenger" when they read something that doesn't neatly fit into their pre-conceived worldview, instead of perhaps learning things from other people.

But at least your trope acknowledges that he's an authority on the subject.

reply
megous
16 minutes ago
[-]
How many zeroday vulns had the article author discovered using AI assisted methods?
reply
bouncycastle
15 minutes ago
[-]
Meanwhile, I cannot ask ChatGTP how to pick my own lock. Even though this information is available in a book in the library.
reply
gman2093
38 minutes ago
[-]
Black hat hacking seems to be a well-fit use case for these LLMs. Attackers only need to be right once, so the sometimes-wrongness of the attacks might be trivial. This probably devalues stashes of zero-day exploits for those that have been witholding them.
reply
skywhopper
10 minutes ago
[-]
Drives me nuts that the NYT just uncritically cites Anthropic’s unverified claims of “thousands of zero-days” without a hint of skepticism.
reply
atrocities
40 minutes ago
[-]
Can we link to the actual google article, instead of these editorialized articles about the article?

https://cloud.google.com/blog/topics/threat-intelligence/ai-...

reply
CrzyLngPwd
1 hour ago
[-]
People used LLMs to find flaws in Google software.
reply
amelius
58 minutes ago
[-]
But did they use Gemini?
reply
freedomben
18 minutes ago
[-]
I don't know, but given how often Gemini refuses benign requests IME, I would suspect it's a complete non-starter for finding security holes.
reply
Andrex
10 minutes ago
[-]
> the company added that it did not believe it was its own Gemini chatbot.

-TFA

reply
0xWTF
35 minutes ago
[-]
Wait until the bio version of this shows up.
reply
SecretDreams
1 hour ago
[-]
If "bad guy AI" can find flaws, can "good guy AI" patch them faster when backed by trillion dollar companies?
reply
boothby
36 minutes ago
[-]
Do your AI patches introduce fewer flaws than they repair?
reply
j2kun
1 hour ago
[-]
The bottleneck is probably validating and deploying the fix, which requires coordination.
reply
cyanydeez
1 hour ago
[-]
If I sell weapons to both sides of a conflict, can I become rich?
reply
mindcrime
7 minutes ago
[-]
No. To become really rich you have to draw a 3rd player into the conflict, and then sell weapons to them as well.
reply
SecretDreams
55 minutes ago
[-]
Ask anyone selling AI hardware recently!
reply
4128-1228
1 hour ago
[-]
The Google Threat Intelligence Group wants to increase its relevance and casually point out the it was not Mythos which found the exploit!

Security "researchers" are overpaid buffoons who hype things for their own salaries and their companies. And the stenographers from the press dutifully copy everything.

This is a despicable game to fool politicians into giving money and favorable AI legislation.

Strangely enough these buffoons never offer their models to open source developers. It is always a select group of highly paid other buffoons that throws some very occasional results over the wall.

reply
ppqqrr
53 minutes ago
[-]
...says yet another company hell bent on integrating it into every facet of our lives. This reads like a celebration, if you ask me.
reply
simmerup
1 hour ago
[-]
Can google please use AI to find bugs then?

Software is in such a state now, Gmail is full of bugs around sharing attachments to the position that I have to tell my dad to turn his phone off and on again in order to attach a document

reply
j2kun
1 hour ago
[-]
https://secgemini.google/

https://projectzero.google/2024/10/from-naptime-to-big-sleep...

https://deepmind.google/blog/introducing-codemender-an-ai-ag...

reply
JCTheDenthog
59 minutes ago
[-]
Those are all for security vulnerabilities, OP is talking about bugs with functionality.
reply
andrepd
28 minutes ago
[-]
It's probably the AI overuse introducing many of those bugs in the first place...
reply
wnc3141
32 minutes ago
[-]
But in exchange we get to also waste vast energy and carbon while depleting job prospects for just about any college grad.
reply
andrepd
29 minutes ago
[-]
It's not all bad though. We also managed to turn the Information Superhighway of the 1990s into the Slop Wasteland of the 2020s.
reply