Digital Storm

In the summer of 2003, I reported to the US Naval Postgraduate School in Monterey to spin up the Network Security Group. I was excited about the job, the California coast, and the chance to finally put my fingerprints on a real environment. The network, on the other hand, had other plans for me.

Shortly after I arrived, the Blaster worm tore through us. If you weren't in the trenches that August, here's the tldr;: there was a narrow window between the DCOM RPC vulnerability being documented, Microsoft shipping the patch, and Blaster showing up at the door. That window was all the worm needed. My team spent weeks rebuilding infected machines. Not hours. Not days. Weeks.

It gets better. (Or worse, depending on how you tell it.)

A Class B and No Front Door

I had inherited a network with no firewall and a Class B block of public IP addresses. Any machine in the world could reach any machine on our network directly. No NAT, no perimeter, no nothing. When I say we were exposed, I mean we were exposed. Blaster propagated over the network, so yes, a firewall would have helped. But it wouldn't have been bulletproof, and I knew it even then.

Here's the thing people forget about Blaster: the painful infections weren't always the ones that came in from the internet. They were the ones that came in on somebody's personal laptop. A staff member or student would take their laptop home where it would get infected then carry it onto campus, plug into the wall or join wifi, and Blaster would hop onto the LAN from the inside. A firewall at the edge does nothing for that attack vector. To stop it, you needed Network Access Control or client isolation, and in 2003, none of us were that mature. The tech existed in research papers and a handful of forward-leaning shops. The rest of us were still fighting to get a firewall budgeted.

I learned a lot of lessons as the NSO in Monterey. Most of them the hard way.

Why I'm Telling You This Now

This week, Anthropic announced Project Glasswing, a coalition built around a new frontier model called Claude Mythos Preview. Mythos is already finding thousands of zero day vulnerabilities in software that has sat quietly for years, including flaws in every major operating system and every major web browser. Some of those bugs have been buried in critical infrastructure for more than a decade. The Glasswing partners (AWS, Apple, Google, Microsoft, Cisco, CrowdStrike, NVIDIA, Broadcom, Palo Alto Networks, JPMorgan Chase, the Linux Foundation, and about 40 additional critical infrastructure organizations) are getting early access to hunt and fix those bugs.

In Anthropic's words, Glasswing is meant to give defenders a head start. I want to be really clear about something: a head start is not a finish line. It's a window. And windows close.

We're about to relive a version of August 2003, except compressed and supercharged. The velocity and volume of patches is going to be explosive for a period of time as Glasswing partners push fixes into the ecosystem. That is the good news. The bad news is that similar capabilities are going to proliferate, and when they do, they will not all land in the hands of people who are committed to deploying them safely. Anthropic said as much in their own announcement. The race from here is measured in months, not years.

So here is the uncomfortable truth. Glasswing only works if the rest of us outpace the criminals in consuming what it produces. If Mythos finds a zero day in your browser on Monday and the patch ships on Tuesday, the only thing standing between you and a bad Wednesday is your own patching tempo. The defenders got a head start. We have to actually run with it.

I've written about patch tempo before in Day Zero Is How Long??! and An Ounce of Prevention is Worth a Pound of SOAR. The music is the same. The tempo just got a lot faster.

It also connects to something I wrote a few weeks ago in The Closing Window: AI's Value-to-Cost Ratio Is Shifting Fast. The same tools that are making defenders faster are making attackers faster. Glasswing is the biggest concrete example of that dynamic so far. It is also the best argument I have seen that the defender side of the ledger can actually win, if we act like it.

The Guidance I Gave My Team

I sent the WitFoo team this note earlier today. I'm sharing it here because none of it is proprietary and all of it is the kind of thing I wish someone had told me in 2003.

@here for the foreseeable future we're going to need to be on heightened cybersecurity awareness. The Mythos model is already discovering hidden zero day vulnerabilities. It is going to take months for this to shake out.

Please take these precautions:

  1. Temporarily uninstall any applications on your personal machines that you can live without. Smaller software firms will be hit hardest by the attacks. Freeware and open source as well.
  2. Before starting your work day, check for updates. They are going to be showing up more frequently than ever before. If you use Windows, I recommend using winget upgrade --all to also update third-party stuff.
  3. I also recommend hardening personal workstations. On Windows this is great: https://apps.microsoft.com/detail/9p7ggfl7dx57. On Mac: https://github.com/beerisgood/macOS_Hardening.
  4. Be vigilant in what you click. Don't open attachments unless you are sure about them.
  5. Your phone will be targeted and vulnerable as well. Same philosophy: remove apps you don't need. Update vigilantly.

Mike and I will move to daily patch cadences on our infrastructure and code scanning. If you have side projects, I recommend using minimal installs of the OS and purchasing auto updates like Ubuntu Pro (first 5 are free). Also recommend using hardening scripts. If the software is exploitable, it's critical that another mitigating protection (control) either stops the attack or mitigates the blast radius of it.

That last sentence is the one I want you to re-read. Assume the software is exploitable. Then ask what control catches it, or what control shrinks the blast radius when it doesn't.

A Few Things I Wish I'd Done in 2003

Looking back at my Monterey self, here's what I would tell him if I could:

  • Reduce your attack surface before you need to. Uninstall what you don't use. Shut down services you can't name. You can't patch what isn't there.
  • Patch tempo is a cultural thing, not a tooling thing. If your organization treats updates as an interruption, you're going to lose. If it treats them as oxygen, you're going to be fine.
  • Segmentation buys you time. Time is the only thing that matters when a worm is loose.
  • The laptop coming in from outside is the attack vector nobody budgets for. Plan for it now.

None of this is new. I've been banging on about process over tools since Hypnosis of your Tech and the People > Machines series. What Glasswing and Mythos change isn't the principle. It's the stakes.

Wrap Up

In 2003, I lost weeks to Blaster because the industry (and I) hadn't yet built the reflexes that a hostile network demands. We eventually built them. Firewalls got deployed. NAC happened. Segmentation became normal. Patch management matured from a chore into a discipline. It took years, and a lot of ruined weekends, to get there.

We don't have years this time. Glasswing has put a head start in the hands of defenders, but a head start only matters if you actually run. If you're reading this and your patch cadence is monthly, move it to weekly. If it's weekly, move it to daily. If you're already daily, make sure your people aren't the bottleneck. The window where defenders are ahead is open right now. I don't know how long it stays that way.

I'm not panicking. I've been here before, and the fundamentals still work. I just want all of us to tighten them up before the wave hits, not after. The Blaster version of me would really appreciate it.


Charles Herring is the co-founder and CEO of WitFoo. He is a US Navy veteran, a former Network Security Officer at the US Naval Postgraduate School, and writes about cybersecurity, AI, and the occasional cricket match from New Zealand. More at charlesherring.com.