LLM-Tier Security

Summary

"LLM-tier security" refers to the emerging shift in personal computer security as AI models reach the capability to autonomously find and exploit software vulnerabilities. As frontier models like Anthropic's Mythos achieve full control-flow hijack on patched open-source targets, the cost of remote exploitation is dropping rapidly. The appropriate defensive response combines network isolation, phishing-resistant hardware keys, outbound application firewalls, Linux process sandboxing, and proactive financial account monitoring.

Details

The Threat Model Shift

The traditional personal security threat model assumed a human attacker with limited time and resources. AI changes this in three ways:

  1. Automated exploit discovery — Frontier models can scan open-source repositories at scale for exploitable vulnerabilities. Anthropic's Mythos Preview achieved full control-flow hijack (tier 5) on 10 separate, fully patched OSS-Fuzz targets — previously requiring expert security researchers.
  2. AI-assisted phishing — Generative AI makes it cheap to impersonate others over voice, video, and text, enabling highly targeted social engineering at scale.
  3. AI-assisted supply-chain attacks — Package manager supply-chain attacks have been increasing alongside AI capabilities, as attack automation lowers the cost of compromising dependencies.

The concerning implication: within 1–2 years, anyone willing to spend ~$1K may be able to identify and exploit a remotely accessible vulnerability in common software.

Big-budget software teams have access to the same offensive AI tools and can patch proactively. The highest-risk software is amateurish or unmaintained software — personal self-hosted services (nginx, Tiny Tiny RSS, Photoprism, etc.) and software from small developers without dedicated security teams.

Defensive Posture Framework

The ideal defensive outcome has five properties:

  1. Few or no remotely exploitable vulnerabilities exposed
  2. Those that exist are sandboxed so exploitation causes minimal damage
  3. No successful phishing
  4. Even if phished, minimal damage results
  5. Breaches are detected quickly and control can be regained

Network Isolation

Tailscale (a proprietary control plane for WireGuard VPN) restricts self-hosted services to whitelisted devices only, removing them from the public internet entirely. Services that must remain public (e.g., a public nginx website) should be maximally sandboxed so that compromise cannot propagate.

Phishing Resistance: Hardware Security Keys

YubiKeys with FIDO2/WebAuthn are phishing-resistant because the browser only issues a credential valid for the exact current domain, so no relay attack can succeed. Key considerations:

  • Use only for the most critical accounts (password manager, email), not all accounts
  • Maintain two physical keys (main + backup), since key material cannot be duplicated or exported
  • Keep paper recovery codes for accounts using hardware keys
  • Nano YubiKeys permanently inserted in Linux machines can replace passwordless sudo with a physical touch, and can store SSH keys instead of keeping them on disk
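The domain binding that makes FIDO2 phishing-resistant is enforced on both ends: the browser fills in the page origin itself and refuses an rpId that is not the page's host (or a parent domain of it), and the relying party then checks that origin and the rpIdHash in the authenticator data. The following model of both sides is an added example, not code from the original post or from any YubiKey or WebAuthn library; the RP ID `example.com`, the allowed origins, the challenge bytes and the look-alike phishing host are all constructed for the illustration, and the cryptographic signature check is deliberately left out to keep the focus on the origin and rpId checks.

```python
import base64
import hashlib
import json

# Relying-party (RP) configuration; these values are assumptions for the example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}
# A constructed per-login challenge; a real RP generates a fresh random one.
CHALLENGE = b"constructed-challenge-not-random"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # WebAuthn uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Model of what a browser plus authenticator return to the page.

    The browser refuses an rpId that is not the page's host or a parent
    domain of it, so a look-alike site cannot ask for the real RP's id.
    """
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("browser rejects rpId that does not match page host")
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,  # filled in by the browser, not by page script
    }
    client_data_b64 = b64url_encode(json.dumps(client_data).encode())
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4); UP flag set.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return client_data_b64, auth_data


def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> None:
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replayed assertion?)")
    if data.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError(f"origin {data.get('origin')!r} is not an allowed origin")


def verify_authenticator_data(auth_data: bytes) -> None:
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch: assertion was made for a different RP ID")
    if not auth_data[32] & 0x01:
        raise ValueError("user-presence flag not set (no physical touch)")


def rp_accepts(client_data_b64: str, auth_data: bytes, challenge: bytes) -> bool:
    """True if the RP's origin and rpId checks pass.

    The signature check over authData || SHA-256(clientDataJSON) is omitted here;
    in a real RP it follows these checks and binds them to the registered key.
    """
    try:
        verify_client_data(client_data_b64, challenge)
        verify_authenticator_data(auth_data)
        return True
    except ValueError:
        return False


def demo() -> tuple:
    legit = browser_assertion("https://example.com", RP_ID, CHALLENGE)
    sub = browser_assertion("https://app.example.com", RP_ID, CHALLENGE)
    # A relay page forwards the RP's real challenge to the victim, but the
    # victim's browser can only produce an assertion bound to the relay's host.
    relayed = browser_assertion("https://example-com.login-help.net", "login-help.net", CHALLENGE)
    return (
        rp_accepts(*legit, CHALLENGE),
        rp_accepts(*sub, CHALLENGE),
        rp_accepts(*relayed, CHALLENGE),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The relayed assertion fails twice over: its `origin` is the relay host, and its `rpIdHash` is the hash of the relay's own domain rather than of `example.com`. Neither field is under the relay page's control, which is what distinguishes this from TOTP, where the code the user types is valid anywhere it is forwarded within the time window.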

TOTP via a phone authenticator app (e.g., Aegis) remains reasonable for other accounts since phone OS security is managed by large vendors. SMS 2FA is risky due to SIM-swap attacks, which AI may make easier.

Outbound Application Firewall

OpenSnitch is a Linux interactive outbound firewall that prompts per-application for outbound connections. Benefits:

  • Detects malware attempting unexpected network connections
  • Eliminates silent telemetry/update connections as attack surface
  • Without such a firewall, malware that lands on a box has unrestricted network access and goes undetected

Linux Process Sandboxing

Roughly ordered by effort:

  Level | Method                                                         | Notes
  1     | Run as separate user                                           | Minimal isolation; easy
  2     | Flatpak                                                        | Uses bubblewrap (mount namespaces); pre-packaged
  3     | Snap                                                           | Uses AppArmor profiles; pre-packaged
  4     | Custom bubblewrap / bubblejail / firejail / AppArmor / SELinux | High effort, fine-grained control
  5     | VM or separate machine                                         | Maximum isolation

Development environments pulling from npm/pip/cargo are a notable risk — running them in a container sandbox limits blast radius from a compromised package.
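The level-4 option above (custom bubblewrap) is the natural fit for the npm/pip/cargo case: the package manager gets a writable project directory and nothing else, and the network is only enabled for the step that actually fetches packages. The builder below is an added example, not code from the original post or from the bubblewrap project; the merged-/usr host layout, the `/etc/ssl` certificate path and the `/home/dev/myapp` project path are assumptions, and `run_sandboxed` simply returns `None` on a machine without `bwrap`.

```python
import shutil
import subprocess
from typing import Optional


def bwrap_argv(project_dir: str, command: list, allow_network: bool = False) -> list:
    """Build a bwrap command line that confines `command` to `project_dir`.

    Host paths below are assumptions typical of a merged-/usr Linux install.
    """
    argv = [
        "bwrap",
        "--unshare-all",       # fresh user, pid, net, ipc, uts and cgroup namespaces
        "--die-with-parent",   # sandbox dies if the launching shell exits
        "--new-session",       # detach from the controlling tty (no TIOCSTI tricks)
        "--ro-bind", "/usr", "/usr",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--symlink", "usr/bin", "/bin",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--tmpfs", "/home",    # real home (~/.ssh, ~/.aws, ~/.npmrc tokens) is invisible
        "--bind", project_dir, project_dir,   # the only writable host directory
        "--chdir", project_dir,
        "--setenv", "HOME", project_dir,      # package caches land inside the project
    ]
    if allow_network:
        # Fetch steps need the network plus DNS config and CA certificates (paths assumed).
        argv += [
            "--share-net",
            "--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf",
            "--ro-bind", "/etc/ssl", "/etc/ssl",
        ]
    return argv + ["--"] + list(command)


def run_sandboxed(project_dir: str, command: list,
                  allow_network: bool = False) -> Optional[subprocess.CompletedProcess]:
    """Run the command under bwrap, or return None if bwrap is not installed."""
    if shutil.which("bwrap") is None:
        return None
    return subprocess.run(bwrap_argv(project_dir, command, allow_network), check=False)


if __name__ == "__main__":
    PROJECT = "/home/dev/myapp"   # assumed project path
    # Install step: network on, but still no access to the rest of $HOME.
    run_sandboxed(PROJECT, ["npm", "install"], allow_network=True)
    # Build/test step: a compromised package's hooks get no network at all.
    run_sandboxed(PROJECT, ["npm", "test"], allow_network=False)
```

Splitting install from build/test is the point of the `allow_network` switch: a malicious postinstall script that runs during `npm install` can still reach the network, but it can only read the project directory, not the credentials in the real home directory; during `npm test` it cannot even do that. Missing pieces of `/etc` (for example `/etc/passwd`) can be added as further `--ro-bind` entries if a tool needs them.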

Financial Account Security

US consumer protections differ significantly by account type:

Bank accounts (12 CFR § 1005.6)
  • Zero liability if unauthorized transfer reported within 60 days of statement
  • Action: enable email/text alerts for every transaction

Credit cards (12 CFR § 1026.12)
  • Zero consumer liability for online credit card fraud
  • Action: monitor statements and report promptly

Brokerage accounts (no specific regulation)
  • No federal statute analogous to banking consumer protections
  • Resolution via FINRA arbitration; ad hoc per brokerage
  • Vanguard's public "promise" to reimburse unauthorized distributions is marketing language, not contractual
  • Action: maximize obvious security precautions, enable transaction alerts, report suspicious activity promptly
  • ACATS fraud: criminals can transfer brokerage assets without credentials by opening a new account in the victim's name and initiating an ACATS transfer. Fidelity offers an "account lock" against this; most brokerages do not have equivalent features.

Other Defenses

  • Password manager (Bitwarden + strong passphrase + 2FA): self-hosting provides little extra security since secrets are end-to-end encrypted anyway
  • Hardware cryptocurrency wallet: the only defense against clipboard-hijacking malware and software wallet theft; confirms destination address on physical device screen
  • Redundant backups (Syncthing + Restic to rsync.net): protects against ransomware for most attackers; a dedicated attacker could target and destroy backups

Key Claims & Data Points

  • Anthropic Mythos Preview achieved full control-flow hijack (tier 5) on 10 separate fully patched OSS-Fuzz targets; Sonnet 4.6/Opus 4.6 each achieved only a single tier-3 crash — [source: llm_tier_personal_computer_security]
  • AI-assisted phishing and supply-chain attacks on package managers are increasing — [source: llm_tier_personal_computer_security]
  • Within 1–2 years, ~$1K may buy Mythos-tier exploit capability behind minimal guardrails (author estimate) — [source: llm_tier_personal_computer_security]
  • US credit card online fraud: zero consumer liability; US bank accounts: zero liability if reported within 60 days — [source: llm_tier_personal_computer_security]
  • Brokerage asset protection is ad hoc via FINRA arbitration; ACATS fraud is an emerging threat requiring no credential compromise — [source: llm_tier_personal_computer_security]
  • FIDO2 hardware keys are phishing-resistant because credentials are scoped to exact domain — [source: llm_tier_personal_computer_security]

Open Questions

  • When will Mythos-tier exploit capability be available to malicious actors at low cost (~$1K), and what is the current price/capability trajectory?
  • How will phone companies defend against AI-assisted SIM-swap attacks at scale?
  • What are best-practice sandboxing setups for developer environments using npm/pip/cargo dependencies?
  • Will ACATS fraud protections standardize across major brokerages? Which currently offer account lock features?
  • How does an outbound application firewall like OpenSnitch interact with legitimate AI agents running on the same machine?

Sources