to audit. The danger is not that Mythos fails in those domains; it is that
Mythos may succeed for whoever brings the expertise.

Broader, structured access for academic researchers and domain specialists --
cardiologists? partners in medical device security, control-systems engineers,
researchers in less prominent languages and ecosystems -- would meaningfully
reduce this asymmetry. Fifty companies, however well chosen, cannot substitute
for the distributed expertise of the entire research community.

None of this is an indictment of Anthropic. By all appearances the company is
trying to act responsibly, and its decision to hold the model back is evidence
of seriousness.

But Anthropic is a private company and, in some ways, still a start-up. Yet it
is making unilateral decisions about which pieces of our critical global
infrastructure get defended first, and which must wait their turn.

It has finite staff, finite budget and finite expertise. It will miss things,
and when the thing missed is in the software running a hospital or a power grid,
the cost will be borne by people who never had a say.

The security problem is far greater than one company and one model. There?s no
reason to believe that Mythos Preview is unique. (Not to be outdone, OpenAI
announced that its new GPT-5.4-Cyber is so dangerous that the model also will
not be released to the general public.) And it?s unclear how much of an advance
these new models represent. The security company Aisle was able to replicate
many of Anthropic?s published anecdotes using smaller, cheaper, public AI
models.

Any decisions we make about whether and how to release these powerful models are
more than one company?s responsibility. Ultimately, this will probably lead to
regulation. That will be hard to get right and requires a long process of
consultation and feedback.

In the short term, we need something simpler: greater transparency and
information sharing with the broader community. This doesn?t necessarily mean
making powerful models like Claude Mythos widely available. Rather, it means
sharing as much data and information as possible, so that we can collectively
make informed decisions.

We need globally co-ordinated frameworks for independent auditing, mandatory
disclosure of aggregate performance metrics and funded access for academic and
civil-society researchers.

This has implications for national security, personal safety and corporate
competitiveness. Any technology that can find thousands of exploitable flaws in
the systems we all depend on should not be governed solely by the internal
judgment of its creators, however well intentioned.

Until that changes, each Mythos-class release will put the world at the edge of
another precipice, without any visibility into whether there is a landing out of
view just below, or whether this time the drop will be fatal. That is not a
choice a for-profit corporation should be allowed to make in a democratic
society. Nor should such a company be able to restrict the ability of society to
make choices about its own security.

This essay was written with David Lie, and originally appeared in The Globe and
Mail.

** *** ***** ******* *********** *************
Is "Satoshi Nakamoto" Really Adam Back?

[2026.04.20] The New York Times has a long article where the author lays out an
impressive array of circumstantial evidence that the inventor of Bitcoin is the
cypherpunk Adam Back.

I don?t know. The article is convincing, but it?s written to be convincing.

I can?t remember if I ever met Adam. I was a member of the Cypherpunks mailing
list for a while, but I was never really an active participant. I spent more
time on the Usenet newsgroup sci.crypt. I knew a bunch of the Cypherpunks,
though, from various conferences around the world at the time. I really have no
opinion about who Satoshi Nakamoto really is.

** *** ***** ******* *********** *************
Mexican Surveillance Company

[2026.04.21] Grupo Seguritech is a Mexican surveillance company that is
expanding into the US.

** *** ***** ******* *********** *************
ICE Uses Graphite Spyware

[2026.04.22] ICE has admitted that it uses spyware from the Israeli company
Graphite.

** *** ***** ******* *********** *************
FBI Extracts Deleted Signal Messages from iPhone Notification Database

[2026.04.23] 404 Media reports (alternate site):

    The FBI was able to forensically extract copies of incoming Signal messages
from a defendant?s iPhone, even after the app was deleted, because copies of the
content were saved in the device?s push notification database....

    The news shows how forensic extraction -- when someone has physical access
to a device and is able to run specialized software on it -- can yield sensitive
data derived from secure messaging apps in unexpected places. Signal already has
a setting that blocks message content from displaying in push notifications; the
case highlights why such a feature might be important for some users to turn on.

    ?We learned that specifically on iPhones, if one?s settings in the Signal
app allow for message notifications and previews to show up on the lock screen,
[then] the iPhone will internally store those notifications/message previews in
the internal memory of the device,? a supporter of the defendants who was taking
notes during the trial told 404 Media.

EDITED TO ADD (4/24): Apple has patched this vulnerability.

** *** ***** ******* *********** *************
Hiding Bluetooth Trackers in Mail

[2026.04.24] It was used to track a Dutch naval ship:

    Dutch journalist Just Vervaart, working for regional media network Omroep
Gelderland, followed the directions posted on the Dutch government website and
mailed a postcard with a hidden tracker inside. Because of this, they were able
to track the ship for about a day, watching it sail from Heraklion, Crete,
before it turned towards Cyprus. While it only showed the location of that one
vessel, knowing that it was part of a carrier strike group sailing in the
Mediterranean could potentially put the entire fleet at risk.

    [...]

    Navy officials reported that the tracker was discovered within 24 hours of
the ship?s arrival, during mail sorting, and was eventually disabled. Because of
this incident, the Dutch authorities now ban electronic greeting cards, which,
unlike packages, weren?t x-rayed before being brought on the ship.

** *** ***** ******* *********** *************
Medieval Encrypted Letter Decoded

[2026.04.27] Sent by a Spanish diplomat. Apparently people have been working on
it since it was rediscovered in 1860.

** *** ***** ******* *********** *************
What Anthropic?s Mythos Means for the Future of Cybersecurity

[2026.04.28] Two weeks ago, Anthropic announced that its new model, Claude
Mythos Preview, can autonomously find and weaponize software vulnerabilities,
turning them into working exploits without expert guidance. These were
vulnerabilities in key software like operating systems and internet
infrastructure that thousands of software developers working on those systems
failed to find. This capability will have ma
--- FMail-lnx 2.3.2.6-B20251227
 * Origin: TCOB1 A Mail Only System (618:500/1)