Plutonic Rainbows

Bloomberg reported on Sunday that OpenAI, Anthropic, and Google have started sharing threat intelligence through the Frontier Model Forum, the nonprofit the three companies co-founded with Microsoft in 2023. The arrangement works like a cybersecurity ISAC: when one company detects a suspicious query pattern, it flags the signature for the others.

The target is adversarial distillation. Chinese labs — DeepSeek, Moonshot AI, and MiniMax — have been systematically querying Claude, ChatGPT, and Gemini through fake accounts to generate training data for cheaper models. Anthropic's February disclosure put numbers to it: roughly 24,000 fraudulent accounts generating over 16 million exchanges with Claude alone. MiniMax accounted for 13 million of those. The operations used what Anthropic called "hydra cluster" architectures — sprawling proxy networks managing thousands of accounts simultaneously, mixing distillation traffic with innocuous requests to avoid detection.

The Decoder has a good free summary of the Bloomberg story, which reports that US authorities estimate the practice costs American AI labs billions annually.

What's interesting isn't the distillation itself. That problem has been visible since DeepSeek R1 shook the market in January 2025. What's interesting is the vehicle. The Frontier Model Forum was chartered to study catastrophic risks: CBRN threats, advanced cyberattacks, the kind of existential scenarios that get discussed at Senate hearings. Its stated mission mentions nothing about distillation, model copying, or commercial intelligence. The pivot from "prevent bioweapon synthesis" to "detect bulk API scraping" is a significant scope expansion, and nobody seems to have remarked on it.

The legal terrain underneath all of this is surprisingly weak. Fenwick & West's analysis found that copyright offers little protection, because AI outputs generally lack the human authorship required. The Computer Fraud and Abuse Act has a gap since Van Buren v. United States (2021): if you have authorized API access, misusing the data violates terms of service but possibly not federal law. Trespass to chattels requires proving system degradation. Patents may be the strongest tool, but nobody has tested distillation-specific claims in court.

Policy hawks are pushing harder. Joe Khawam at the Law Reform Institute proposed a three-phase escalation: Entity List designation for the three Chinese labs, an IEEPA executive order creating sanctions authority over AI capability theft, and ultimately full SDN blocking sanctions. CSIS testimony from May 2025 went further, suggesting offensive countermeasures including data poisoning.

The irony sits right on the surface. These are companies that built their models by ingesting the open web, books, articles, code repositories, forum posts, without explicit permissions from creators. The legal and ethical arguments they used to justify that training are structurally similar to the ones Chinese labs could deploy to justify distillation. Monash University's analysis compared distillation to reverse engineering under Sega v. Accolade: studying a system's outputs to learn its methods is not, historically, the same as copying the system.

None of this means the alliance won't work. Sharing detection signatures is a practical step. DeepSeek has already pivoted to domestic silicon, which suggests the API route was always supplemental. But the Forum's quiet transformation from safety research body to competitive defense mechanism deserves more scrutiny than it's getting. When three companies that control most of the world's frontier AI capability coordinate to restrict access, the word for that depends entirely on where you're standing.

Sources:

• Detecting and Preventing Distillation Attacks — Anthropic

• OpenAI, Anthropic, and Google Team Up Against Unauthorized Chinese Model Copying — The Decoder

• The Case for Imposing Costs on China's AI Distillation Campaigns — Just Security

• Protecting Our Edge: Trade Secrets and the Global AI Arms Race — CSIS

• DeepSeek, Model Distillation, and the Future of AI IP Protection — Fenwick & West

• AI Distillation and the Law — Monash University

On the Firefox exploit benchmark, Claude Mythos Preview produced 181 working exploits. Opus 4.6 managed two. Anthropic published those numbers yesterday alongside a 244-page system card and the announcement that it would not release the model to the public.

The March leak described a model with dramatically higher scores on coding, reasoning, and cybersecurity. I expected the official numbers to confirm that framing. They don't. They blow past it. Mythos was tested against roughly a thousand open-source repositories across seven thousand entry points and found zero-days in every major operating system and every major web browser. Some had been sitting in production code for decades.

A 27-year-old signed integer overflow in OpenBSD's TCP selective acknowledgment handling allows a remote attacker to crash any host from anywhere on the internet. In FreeBSD's NFS authentication layer, Mythos found a 17-year-old stack buffer overflow (CVE-2026-4747) and autonomously constructed a six-packet ROP chain to write an SSH key into root's authorized_keys. FFmpeg's H.264 codec has a flaw that automated fuzzing tools encountered five million times over sixteen years without flagging it.

The historical arc puts those numbers in context. DARPA's Cyber Grand Challenge in 2016 ran automated tools against purpose-built binaries. Google's Project Zero Big Sleep found one SQLite vulnerability in 2024 that 150 CPU-hours of fuzzing had missed. Last year's AIxCC competition found 18 zero-days across 54 million lines of code. The progression from five hundred bugs to thousands is not linear.

Instead of a general release, Anthropic launched Project Glasswing: a coalition of twelve companies including Apple, Microsoft, Google, AWS, CrowdStrike, and Palo Alto Networks, committed to using Mythos for defensive cybersecurity. Roughly fifty organisations total. Anthropic put up to $100 million in usage credits behind it and donated $4 million to the Linux Foundation and Apache Software Foundation.

Picus Security called it "the Glasswing Paradox": the thing that can break everything is also the thing that fixes everything. Anthropic's own disclosure puts a number on it. Fewer than one percent of Mythos-discovered vulnerabilities had been patched at announcement. Discovery is outrunning repair.

Weeks before the official announcement, Linux kernel maintainer Greg Kroah-Hartman described something shifting: "Something happened a month ago, and the world switched" from low-quality AI-generated vulnerability reports to genuine findings. Daniel Stenberg, who created curl, went from shutting down his bug bounty over AI noise to spending hours a day triaging legitimate ones.

Simon Willison called the restriction "necessary" while noting that saying a model is too dangerous to release is a great way to build buzz. The GPT-2 comparison is inevitable. But GPT-2's predicted harms never materialised, and 181 Firefox exploits did. Jack Clark, who co-founded Anthropic and now heads its public benefit division, has framed the core tension before: AI good at finding vulnerabilities for defense can easily be repurposed for offense.

Glasswing partners can access Mythos at $25 per million input tokens and $125 per million output, through Claude API, Bedrock, Vertex, and Microsoft Foundry. The broader situation is a timing problem. Defenders work at calendar speed. Attacks happen at machine speed.

Sources:

• Project Glasswing — Anthropic

• Assessing Claude Mythos Preview's Cybersecurity Capabilities — Anthropic Red Team

• Project Glasswing sounds necessary to me — Simon Willison

• The Glasswing Paradox — Picus Security

• Anthropic is giving some firms early access to Claude Mythos — Fortune

In 1953, Rose Macaulay published a book about ruins that ended in surrender. Pleasure of Ruins is a four-hundred-page march through the Western imagination's romance with broken stones: Roman ruins, Mayan temples, the gothic abbeys English aristocrats had built in their gardens just to watch them moulder. Macaulay wrote it a decade after the Blitz had taken her Marylebone flat and her library, and the book closes with a verdict she meant for the whole tradition. Ruinenlust, she said, had come full circle. We had had our fill.

Thirty-nine years later, Karl Lagerfeld read the book and built a couture collection out of it.

The Chanel Spring 1992 haute couture show was presented in Paris in January of that year, and even now it gets cited more than almost anything else from Lagerfeld's tenure. Most of the citations are for one dress: a slim black silhouette layered with chunky gold-and-glass chain, worn down the runway by Christy Turlington and later, in the long afterlife of fashion images, by Penélope Cruz in Broken Embraces and Lily-Rose Depp at the 2019 Met Gala. The dress was also a brilliant marketing vehicle for Chanel costume jewellery, which was the brand's most profitable category at the time. A Trojan horse with chains.

The most interesting things in the collection were not the chains. They were the jackets. Lagerfeld had built a series of trompe-l'œil tweeds that were not tweed at all: they were raffia, painted in watercolour to look like the house's signature weave. The tailoring was so tight the jackets had to be zipped up the back rather than buttoned at the front; gold jewelled buttons running down the lapels were decoration, not closure. He called the silhouettes "diabolically body-conscious," and looking at a single look the cameras kept, you can see what he meant. A red-orange jacket structured into one architectural line. Black opera gloves. The whole pose engineered around the absence of a front opening.

The same logic carries through the rest of the collection. A white jacket worn over gold leather trousers repeats the architecture in a colder palette: dark trim and gilded buttons running the lapels for show, a single real button doing the actual work, the front pose engineered around the absence of a closure to draw the eye to.

This is where the Macaulay reference starts to matter, and where it also starts to look strange.

Lagerfeld's tattered chiffon skirts (separate from the jackets, but shown alongside them) were the show's literal acknowledgement of Pleasure of Ruins. Lagerfeld is the one who told the press the book was on his mind, his favourite, the thing that pushed him toward the deliberate decay of the silk. The trade press accepted the citation at face value, then and now: Lagerfeld read a book about loving ruins, and made some clothes about loving ruins. Done.

The trouble is that Pleasure of Ruins is not really a book about loving ruins. Macaulay's argument, and you have to push past the gorgeous central chapters about Pompeii and the Cambodian temples to get there, is that the Romantic appetite for ruin was something Europeans had earned through centuries of safe spectatorship, and that the twentieth century had revoked the licence. The bombed churches and cathedrals of postwar Europe gave her, she wrote, "nothing but resentful sadness, like the bombed cities." Her closing line is the one I quoted at the top. Ruinenlust was over. We were finished with it.

So either Lagerfeld read the book against itself, mining the picturesque chapters and ignoring the postwar conscience, or he understood Macaulay perfectly and was making something more complicated than the trade press credited him for. A couture show built on an aesthetic the source text had already declared exhausted is, at the very least, a knowing gesture. In the same show he wrapped tree trunks in graffiti and floated bubbles down from the ceiling; he was not above an inside joke. I think he was reading Macaulay the way he read everything in his enormous, untouchable library — not as a thesis to defend but as a quarry. He took what he wanted and left the rest.

The Met has a Lagerfeld Chanel piece from his Spring 1983 debut in its collection. It is a black dress trimmed in trompe-l'œil baubles made by the House of Lesage: fake jewels embroidered to look real. Nine years before he zipped the backs of those raffia jackets, he was already running this exact substitution. The jewels would not be jewels. The tweed would not be tweed. The chain dress would be a vehicle for the actual chains in the boutique. There is a coherence to Lagerfeld's half-century at Chanel that has very little to do with reverence for Coco and almost everything to do with what Suzy Menkes once said — that Karl had to destroy Chanel or become a caricature of her.

In January 1992, he picked up a book about the end of European ruin-aesthetics and built a runway collection from it. Macaulay had written a decade past the bombs that took her library, telling the tradition to go home. He heard a different sentence and answered it.

Sources:

• Karl Lagerfeld's Chanel Spring 1992 Couture Show: A Look Back — W Magazine

• 1992 Chanel Couture Chain Dress — The Looking Glass

• "A Horrid Malicious Bloody Flame": Elegy, Irony and Rose Macaulay's Blitzed London — The Literary London Journal

• Dress, Karl Lagerfeld for House of Chanel, Spring/Summer 1983 — The Metropolitan Museum of Art

Ceefax transmitted its data in the vertical blanking interval, the millisecond gap where a CRT's electron gun returned to the top of the screen. You never saw it happen. The information rode an invisible seam in the broadcast signal, cycling through hundreds of pages in a continuous carousel. You keyed in a three-digit number and waited.

That wait defined the medium. Page 302 was football scores. On Saturday afternoons you entered the number and the screen went blank. A counter ticked upward as pages streamed past in the carousel, and you sat with the specific tension of not knowing when your page would come around. Maybe eight seconds. Maybe twenty-five. The data was always there, always cycling, but you could not summon it. You met it on its schedule.

What stays with me is not the content but the temporal architecture. Anyone can look up a football score now in two seconds. The carousel was not a flaw to be engineered away. It was the medium itself. Information arrived when the cycle permitted. Andy Holyer, writing in The Conversation, compared it to a sushi conveyor belt: you watched the stream and waited for your order to come around. Except with Ceefax you couldn't see the plates approaching. You sat in front of a counter ticking from 297 to 298 to 299.

Ceefax launched on 23 September 1974 with thirty pages. By the mid-1990s it had over two thousand, and twenty-two million people were using it weekly. The name was a phonetic compression: see facts. It offered what Holyer called "medium-latency information," the category between tomorrow's newspaper and a live broadcast interruption. Weather. Train times. News compressed into sixteen lines of thirty-eight characters each, tighter than a tweet. Page 888 for subtitles.

Information had mass in that era, and even the fastest source still asked something of you. Ceefax was faster than walking to a newsagent but slower than a conscious thought. It occupied a gap that no longer exists: a middle distance between knowing and not knowing where you could sit for fifteen seconds and be fine with it.

"Pages from Ceefax" filled the overnight schedule. Selected teletext screens scrolling over stock library music at three in the morning, blocky weather maps cycling while nobody watched. It was ambient television before anyone used those words together.

The whole service ended on 23 October 2012 at 23:32:19 BST, when Dame Mary Peters switched off the last analogue transmitter in Northern Ireland. By then broadband had been widespread for years and the audience had dwindled. But the teletext art community was already rebuilding. Dan Farrimond creates work within the medium's savage constraints: eight colours, a 24-by-40 character grid. He told Creative Bloq that "people might come for the nostalgia, but they stay for the fun and accessibility." Peter Kwan built Teefax on a Raspberry Pi, delivering community teletext to compatible TVs almost a decade after Ceefax died.

Something in that revival goes beyond nostalgia. Nostalgia wants to return. The teletext artists want the constraint. The grid. The carousel logic of working within limits rather than transcending them. The analogue textures of that period carry a specific charge now, and teletext sits at the centre of it: institutional, patient, slightly uncanny. A public service that asked you to wait. You did. The waiting was the point.

Sources:

• Teletext was slow but it paved the way for the super-fast world of the internet — The Conversation

• Dan Farrimond on the enduring allure of teletext art — Creative Bloq

• The life and death of teletext, and what happened next — Den of Geek

• The retro aesthetics of teletext art — Hyperallergic

Tonight I tried to clean up four scanned magazine pages from early-90s fashion editorials. Helena Christensen on every one. A brown Hermès coat on a white background, a black Moschino jacket against the Catherine Palace, a Fabrizio Ferri beach shot, a French magazine spread. Soft gradient backgrounds. The kind of photographs that should have looked clean and didn't.

I tried four things in sequence, the way you do when each one fails. Topaz Wonder 2, which I praised earlier this year for finally showing some restraint, sharpened the whole image and made the gold rope braiding on the jacket pop, but the gradient bands behind her (vertical pinks and lavenders in the foreground concrete) became more visible, not less. Sharper bands. Nano Banana Pro hallucinated a "VOGUE OCTOBER 1994" stamp into the top corner of one image and garbled the French body copy on another. The ffmpeg gradfun filter softened the bands at strength four, then six, then eight, with diminishing returns. Eventually I added film grain on top of the gradfun pass and the bands disappeared. Not because they were fixed. Because the grain hid them.

That last move was the only thing that worked, and it didn't work the way I wanted it to.

I sat with that for a while. The gap between what these tools say they do and what they're actually capable of is wider than the marketing wants you to believe. Topaz Wonder 2 promises clean, natural, professional results. Black Forest Labs describes FLUX.1 Kontext as in-context image generation, not restoration. Google ships Nano Banana Pro as image generation and editing. None of the model makers themselves use the word restoration in their official copy. It lives in third-party blog posts, enthusiast tutorials, and the marketing decks of resellers. The people who actually built these things are careful about it. They know what they're shipping.

The reason became clearer the more I thought about it.

By the time that Vogue page reached my Desktop, three lossy steps had already happened in series. The photographer's smooth gradient was rasterized into CMYK halftone dots at print time. The printed page was then scanned in 8-bit, which captures only 256 brightness levels per colour channel — a smooth gradient needs more than a thousand intermediate values, and the other 750 were rounded away. The scan was saved as JPEG, which divides the image into 8x8 blocks and throws out the high-frequency data that would have hidden the quantization steps. Three quantizations in a row, each one mathematically irreversible. By the time I opened the file, the smooth gradient the photographer captured no longer existed inside it. What was there was a banded approximation, and the bands were the data.

That's the wall.

Any tool that processes the file has to look at the bands and decide: is this region a real banded image, or is it a smooth gradient that's been damaged? Without context, those two states are indistinguishable. The tool has to guess. Every guess creates new artefacts.

Audio engineers have been living with this exact mathematics for forty years and they're more honest about it than image software is. When you reduce a 24-bit master to 16-bit for CD release, the quantization step destroys information nothing can recover. The standard fix is dither — adding deliberate, low-level noise that converts the structured quantization distortion into broadband noise the ear is less sensitive to. No mastering engineer would ever say dither fixes the bit reduction. They say it masks it. The vocabulary is precise: quantization error is irreversible; dither is a perceptual trade.

Image restoration borrowed the tools but dropped the honesty. Topaz markets debanding as recovery. Adobe sells Generative Fill as reimagining. Cloud upscalers promise enhancement, which by now means whatever the user wants it to mean. The actual operation, in every case, is the same: invent the missing information based on a learned prior, and hope the invention is plausible enough that nobody notices. The ffmpeg gradfun documentation is unusually candid about this. It describes itself as a filter designed for playback only and warns "do not use it prior to lossy compression, because compression tends to lose the dither and bring back the bands." The author of the filter is telling you, in the official docs, that the fix is perceptual and any subsequent compression will undo it.

Topaz's own docs are gentler. Their generative models "add definition and detail," the page says. Generation, not restoration. The vocabulary just sounds nicer than what the audio engineers say.

What worked for the Helena pages was the audio engineer's trick. Run gradfun first to soften the gradients. Then add a layer of controlled film grain. The grain hides the remaining bands by giving the eye texture to focus on instead of stepped edges. The result looks grainy instead of banded. For a 1990s magazine page, grainy is the right answer. Actual printed pages had paper texture, ink dot patterns, and physical grain. The artificial grain slots into that aesthetic in a way that fake-smooth gradients never would. It's not recovery. It's masking. It's the same trade audio mastering has been making for decades.

The deeper thing I keep coming back to is that this was an information loss problem hiding inside a UX problem. The tools were doing exactly what they were designed to do: adding plausible detail, smoothing gradients, generating new content from priors. None of them were designed to recover something that no longer existed. The frustration came from believing the marketing, not from any specific tool being broken.

Helena is still on my Desktop, eight files now. Original, four failed attempts, plus the gradfun-and-grain version that almost works. The gradient behind her is grainy in a way the printed page never was. Some of her hair is a little sharper than the source. Her eyes are slightly bluer. The text caption on the left side is pixel-for-pixel identical to the original, because the tool I trusted the most (ffmpeg, the dumbest one) knew it had no business touching real detail.

Sources:

• Wonder Model Documentation — Topaz Labs

• Introducing FLUX.1 Kontext — Black Forest Labs

• gradfun Filter Documentation — FFmpeg

• Dither — Wikipedia

• Generative Models — Topaz Labs

Unmarked VHS tapes started landing in US mailboxes on April 6, shipped from the address Warp and Bleep use for fulfilment. Black sleeve. Seven white hexagons. An NTSC sticker. Inside: a minute or so of degraded analogue video, shortwave-style audio, and layered vocal fragments that fans on KEYOSC and r/boardsofcanada have identified as manipulated material from Societas x Tape. Some listeners are picking apart what sounds like frequency-shift keying data embedded in the audio itself.

No music. Just a transmission.

This is the exact playbook Boards of Canada ran for Tomorrow's Harvest in 2013: mystery 12" singles hidden in record shops, Adult Swim late-night broadcasts, a Tokyo billboard, shortwave fragments, a six-digit code hunt. Thirteen years of silence, and then suddenly the same kind of cryptic analogue mailout arrives at people's doorsteps. Resident Advisor asked Warp for comment. Per RA, Warp were, unusually, unavailable for comment.

The hauntology aesthetic running through all of this isn't decoration. It's the point. The whole band was always a transmission from a future that didn't quite arrive. Now the broadcast is picking up again.

Sources:

• Boards of Canada Mail Mysterious VHS to Fans — Stereogum

• Boards of Canada Tease Cryptic Return — Resident Advisor

• 2026 VHS Promo Megathread — KEYOSC

There's a specific kind of missing that doesn't behave like other missings. Most loss negotiates with you. You can argue with it, substitute around it, find a version of the thing or a version of yourself that makes do. Temporal loss doesn't negotiate. It sits there, complete, refusing to be anything except what it was.

The strange part is that the pull has almost nothing to do with the past itself. The past isn't pulling you backward because you want to live it again. You already did, and by the time you want it back you already know how it ends. What pulls is the difference between where you are standing now and where some other version of you once stood. You occupied a moment without knowing you were occupying it. By the time you notice, the door has closed and the key went with whoever was carrying it, which was not you, because that person is not here anymore.

Memory doesn't help, because memory doesn't preserve. It curates. You don't remember the morning you're reaching for. You remember a version of that morning, smoothed, with the low-grade dread and ordinary exhaustion of being a person in the middle of their own life quietly edited out. What survives isn't the morning. It's an emotional after-image of the morning, which is a different object. So you're missing something that wasn't fully assembled while it was happening. The original isn't in a room you can return to. The original isn't anywhere. There is only the shape memory gave it once it was safe to give it a shape.

Mark Fisher circled around this for years in Ghosts of My Life. The grief in hauntological thinking isn't only grief for the lost thing. It's grief for a way of being whose enabling conditions have evaporated. You can't return to the place because the conditions that made you possible in that place are not there to meet you. Even if the place is still physically standing, you are arriving at it as somebody else, and the version of you who could have met it as it was doesn't exist anywhere now, not even as a possibility. It's the same frame that makes certain music unlistenable in a particular way. The feeling that what you're hearing is signalling back from a future that didn't arrive.

That is the shape of it. Not just "the past is gone". Everyone knows that. The self that existed inside the past is also gone, and that's the version of you doing most of the work when the pull gets bad. You're grieving yourself. Specifically, you're grieving a briefly-existing person who was made possible by conditions that no longer exist, and whose absence is more total than almost any other absence you encounter.

Most things that go away leave the imagination something to do. A friendship fractures and somebody maybe repairs it. A place changes and you visit and find some remnant. A body breaks, and medicine and time and acceptance take over. Having work for the imagination is what makes most grief survivable, because the work is what spaces out the loss and gives it a corridor to move through.

Time doesn't give the imagination any work. The autumn you miss can't be repaired. It can't be recovered. It isn't a thing that was stolen or hidden from you. It's a thing that simply stopped being, in a way that leaves no mechanism by which it could start being again. The closest you can get is a rhyme. A similar quality of light. A similar smell when the air changes. A similar quiet at the same hour. And the rhyme is worse than nothing, because the rhyme reminds you that rhyming is the most you're ever going to get.

This is why nostalgia sometimes feels less like sadness and more like a floor that wasn't there when you put your weight on it. Sadness has a shape, a direction, an object. This doesn't. What you're feeling isn't the loss of a particular thing. It's the shape of absolute irreversibility pressing against what you were thinking about. For a second you understand what the word actually means. Then you look away, because you have to.

The other thing is that the memory keeps getting heavier. The more stories you've told yourself about a moment in the years since it happened, the more you've used it to explain other things about yourself, the more weight the moment ends up carrying. Eventually the moment isn't carrying its own weight anymore. It's carrying the weight of everything you've made it mean. When you reach for it you aren't reaching for a moment. You're reaching for a cumulative thing. An invented weight, almost, though it never feels invented from the inside.

I think about this more often than is strictly useful. That tends to be how these things keep you.

Anthropic just handed Claude Mythos to eleven launch partners. Not a public preview. Not a research release. A controlled handoff, named Project Glasswing, with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks on the inside, plus around forty other organisations getting access behind them.

Twelve days ago, a draft of the Mythos announcement leaked through a CMS toggle. That document called Mythos "currently far ahead of any other AI model in cyber capabilities" and warned it "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders." CrowdStrike fell 7 percent on the news. Palo Alto Networks fell 6. Stifel analyst Adam Borg called it "the ultimate hacking tool."

Both of those companies are now Glasswing partners.

That isn't subtle. Anthropic spent twelve days watching their own model get described in the financial press as a vulnerability factory, and their answer is to put it directly in the hands of the firms whose stock prices moved.

The benchmarks earn the framing. On CyberGym, a vulnerability reproduction test, Mythos scored 83.1 percent against Opus 4.6's 66.6 percent. That's a sixteen-point jump on a benchmark where prior frontier models had been clustered tightly. More telling is the Firefox 147 JavaScript engine work. Anthropic's own writeup notes that Opus 4.6 turned its findings into working JavaScript shell exploits "only two times out of several hundred attempts." Mythos developed working exploits 181 times in the same setup, and achieved register control on 29 more. That isn't an incremental improvement. It's a different kind of capability.

OSS-Fuzz tells the same story from another angle. Across roughly seven thousand entry points, Sonnet 4.6 and Opus 4.6 each reached tier 1 between 150 and 175 times and hit tier 2 about 100 times, but each landed only a single tier 3 crash. Mythos hit 595 crashes at tiers 1 and 2 and achieved full control flow hijack on ten separate, fully patched targets. Some of the vulnerabilities it found in major operating systems had survived decades of human review.

So Anthropic has a model that reliably finds and exploits the kind of bugs that ship in every browser and kernel. They're committing $100 million in usage credits to the Glasswing partners, plus $4 million in direct donations to open-source security organisations. And they aren't releasing it publicly.

Whether the head start works is the real question.

Defenders patching with Mythos help everyone, because patches ship to all users. Attackers exploiting with Mythos help only themselves, until the patches catch up. The asymmetry favours the defenders if they move fast and if Mythos stays inside Glasswing. Both of those conditions are doing a lot of work.

The first one I believe in. CrowdStrike and Palo Alto Networks aren't slow. Cisco has incident response teams that move on weekends. JPMorganChase has the budget to throw a model at every internal codebase they own. If Mythos can find decades-old browser bugs in testing, it can find decades-old bugs in proprietary banking infrastructure too, and the patches will quietly ship inside the partner organisations long before anything equivalent becomes public.

The second condition is harder. Anthropic's last two weeks haven't been a triumph of operational security. The same company that shipped 512,000 lines of unobfuscated TypeScript through a missing .npmignore is now the gatekeeper for the most cyber-capable model anyone has talked about publicly. Forty-plus additional organisations are getting access behind the named eleven. That's forty-plus opportunities for a misconfigured CMS toggle, a forgotten npm publish step, or a researcher leaving a laptop in a hotel.

The dual-use problem isn't solved by picking the right first eleven companies. It's delayed. And the delay is the entire strategy. Give defenders enough lead time, the thinking goes, and the security baseline rises before the attackers catch up. It's a reasonable bet. It's also a bet that has to keep being placed, because every Glasswing-style program eventually expires when the model becomes public.

One detail I can't stop thinking about. The system card notes that Mythos found vulnerabilities in cryptographic libraries. Cryptographic library bugs are the worst kind. They break silently, they affect everything downstream, and they often sit undiscovered for years because reviewing crypto code requires specific expertise that almost nobody has. If Mythos is finding these autonomously and the patches flow through Glasswing partners first, the Linux kernel maintainers and the Mozilla security team are about to have a very busy month.

The lab that tried to walk away from defence work over surveillance concerns just picked up a different kind of weapon and handed it to the people who run incident response for half the Fortune 500. The framing is defensive. The capability isn't. Whether those two things stay aligned depends on what happens between now and the public release date that Anthropic hasn't announced yet.

Sources:

• Project Glasswing — Anthropic

• Claude Mythos Preview — Anthropic Red

• Anthropic debuts preview of powerful new AI model Mythos in cybersecurity initiative — TechCrunch

• Anthropic gives firms access to Claude Mythos — Fortune

• Tech giants launch AI-powered Project Glasswing — CyberScoop

OpenAI released a thirteen-page document on April 6 called "Industrial Policy for the Intelligence Age." Twenty specific proposals. Robot taxes. A public wealth fund modelled on Alaska's Permanent Fund. Government-backed pilots of a thirty-two-hour workweek at full pay. Automatic benefit triggers when AI displacement hits preset thresholds. Portable healthcare and retirement that follow workers between jobs instead of binding them to one employer.

The framing is New Deal. The language is Progressive Era. Altman told Axios that large tax system changes are "in the Overton window, but near the edges." The document reads like it was written by people who believe superintelligence is imminent and want to be remembered as the ones who tried to warn everyone.

The problem is who wrote it. OpenAI is the largest developer of the technology it warns about, a newly for-profit company preparing an IPO north of $800 billion, and a political actor whose Leading the Future PAC has lobbied against AI safety legislation in practice. Nathan Calvin at Encode AI documented opposition to New York's RAISE Act and alleged intimidation during California's SB 53 debate. The company proposing auditing regimes for frontier models is the same company fighting the audits.

Anton Leicht at the Carnegie Endowment called it "comms work to provide cover for regulatory nihilism." Lucia Velasco at the Inter-American Development Bank noted that OpenAI is "one of the least neutral parties in this ongoing discussion." Soribel Feliz, a former Senate AI policy advisor, said the ideas are not new. They have been the framework for every governance conversation since ChatGPT launched in 2022.

Then there is the timing. The document dropped on the same day The New Yorker published an investigation into Altman's leadership based on over a hundred interviews and internal documents, alleging systematic deprioritisation of safety commitments. A coincidence of scheduling, presumably.

The economics face pressure from a different direction. A Brookings paper by Anton Korinek and Lee Lockwood argues that taxing AI infrastructure is like taxing steel during the industrial revolution. Consumption-based approaches (digital services taxes, token taxes on AI output) would generate revenue without discouraging exactly the investment OpenAI asks the government to fast-track in the same document.

Some of the proposals are genuinely worth studying. A public wealth fund has precedent. Portable benefits address a real structural weakness. Automatic safety net triggers are smart mechanism design. But policy authored by the entity most incentivised to shape its own oversight is lobbying dressed in academic prose. White-collar payrolls have contracted for twenty-nine consecutive months. The entry-level pipeline keeps hollowing out. The people losing those jobs did not publish a thirteen-page blueprint. They just lost the job.

Sources:

• OpenAI's Vision for the AI Economy — TechCrunch

• Critics Say OpenAI's Policy Ideas Are a Cover for 'Regulatory Nihilism' — Fortune

• The Future of Tax Policy — Brookings Institution