Matt call this an investigation of a $10 question. That undersells the importance of this encryption to frontier labs. It’s one of their primary defences against model distillation attacks, which represent major threats to their competitiveness.

My kid was joking the other day about visiting conspiracy websites, like the ones that end in .gov.

Last week I discovered that ChatGPT and Claude will send you their “encrypted raw reasoning” and of course I immediately wasted a weekend trying to do something bad with it. What I got for my trouble was this blog post: blog.cryptographyengineering.com/2026/05/29/f...

So I sort of found an issue with the OpenAI and Anthropic APIs, but they disagree. I think that means I can blog about it?

One of the things I used to like about Matthew Yglesias is that he criticized evidence-free windbags like Thomas Friedman. Now he’s an evidence-free windbag and he thinks he’s killing it.

Yeah, this. I also miss peak Infosec Twitter. I know this isn't it, but neither is current Twitter.

Last Thursday, the Texas AG Ken Paxton filed suit against WhatsApp, alleging some fairly serious (but highly nebulous) “privacy violations” in WhatsApp. I was going to write a blog post about this, but then I remembered I already had — when these allegations first surfaced.

The snark from Codex is making me uneasy.

My son is doing an internship where (against all my attempts to persuade him into a different career) he’s looking for security vulnerabilities in Chinese-made medical devices, and oh boy is he finding them. I feel like this is unhealthy validation for an 18 year old’s first job.

NCMEC's full 2025 CyberTipline report is out. 1.5MM reports "with a GAI [generative AI] nexus," but removing Amazon's useless 1.1MM reports, >182K reports of possession or (attempted) generation of GAI CSAM. That's the number to report: 182K, not 1.5 million. www.missingkids.org/gethelpnow/c...

Every single one of them could have been a great name for our kids.

Spent ten minutes trying to get Anthropic to accept my CC number to buy credits. Turns out you had to click “billing address is not the same as shipping address” and re-enter your whole address, only then can you click Continue. The quality of everything around Claude is an anti-ad for Claude.

How not to write a reassuring email 101. We meet Tuesdays 6-10pm.

There’s been some reporting that Meta contributed an unfathomable sum to promote age verification laws globally. This is broadly true, but the actual situation is a bit more complex. Figured it was worth an update.

A good primer on the new Bitlocker exploit. solcyber.com/bitlocker-in...

I’m going to confess that I love using coding LLMs. It’s basically taken software development from “cool ideas I don’t have time for” to “let’s throw together a prototype.” But I also don’t think anyone’s reviewing the production code they’re producing, at least not thoroughly.

When you ask AI to improve a picture.

The kids wanted to make a website for our dog Darwin. Turns out Darwin is a tough domain name, so we ended up here. dogw.in

I don’t quite know what to tell you about that.

JHU’s @matthewdgreen.bsky.social talks to the @nytimes.com about the potential risks of @microsoft.com Copilot’s health records tool: “There is a pot of gold of high-value data that is in one location that people can get.”

Remote attestation is a heavily underdiscussed threat to computing freedom. People often mistakenly dismiss it with "I will run my own fork (of the OS or browser) / Magisk", not understanding that with hardware attestation, you're literally unable to 1/

I think it’s weird that even Apple sends me SMS text messages rather than iMessage, from their automated systems.

Me talking to ChatGPT, after learning that the Beale ciphers are probably fake.

The latest iOS beta has support for end-to-end encryption between Apple and Android devices via RCS text messaging.

My experience being an AI-native software developer for four weeks (AKA a project manager for Codex and Claude Code) makes me laugh at Bryan Acton’s shtick: “get your hands dirty alongside their teams.” Nobody’s getting their hands dirty.

There’s something ominous about the speed with which the entire world has marched to require identification on platforms and, as I expected, begin the process of banning anonymous VPNs.

I’ve been working on this classical cipher cryptanalysis tool using a mixture of Claude Code and Codex, just to get a sense of how capable these tools are on big (advanced) code bases. So far it solves homophonic, substitution, and a few polyalphabetic test cases. github.com/matthewdgree...

I had never looked at the Kryptos ciphers before, but they turn out to be Vigenere with an alternative shift alphabet: KRYPTOSABCDE… The coding tools want to build crib searchers and I want to do frequency analysis and annealing to see if that can be recovered statistically.

🍩

I swear, every day I learn about a new type of Claude Code usage limit: daily, weekly, monthly. More types of usage limit than my dogs have chew toys.

We’re getting Zodiac Z340 decrypts!

I just taught the boy how to get out of vim.

I think it’s fascinating that we’re entering a time where the value of a lot of proprietary software tooling goes to zero, and AI companies should be the first people to realize this, but instead they’re doubling down on gobbling up proprietary software companies like Cursor.

Last Friday I took the 18y/o out against his will to find the most interesting dining experience in Baltimore. We found it at Lithuanian Hall, where we had Ceppilinai. Also I’m a member now.

As a second Claude Code hobby project I’ve been trying to get it to crack classical crypto. Turns out this requires assembling good benchmarks from a lot of public material. But at a certain point Claude Code decided that continuing on this project represented a violation of their “Usage Policy”.

Weird that a bunch of call options expire on 4/17 and suddenly the whole Hormuz situation looks better.

Two weeks ago, Google published a paper proving in zero-knowledge that they had an efficient implementation of Shor's algorithm. Today, Trail of Bits can prove that we have an even better implementation which beats Google's on all metrics! 🫢 blog.trailofbits.com/2026/04/17/w...

I have a long-running Claude session just for talking about Iran war news/economic shocks from the blockade. I shared the latest Trump tweet and it told me that it can no longer keep role-playing this fictional scenario because it's becoming concerning and detached from reality. Love this timeline.

Everything on crypto Twitter/X is quantum computing hype. It’s amazing how obviously artificial this all is.

Alright, it's official! 💰 @matthewdgreen.bsky.social and I bet on what will break first, ML-KEM-768 or X25519. The loser donates to a 501(c)(3) picked by the winner. If you have an opinion on quantum computers or lattices, you can join with a side bet. Just submit a PR! github.com/FiloSottile/...

New: France said it plans to move its government computers currently running Windows to the open-source software Linux to further reduce its reliance on U.S. tech. Comes at a time of growing instability and unpredictability on the part of the Trump administration and weaponization of sanctions, etc.

Betting on the Quantum Apocalypse... www.theregister.com/2026/04/09/c...

New, by me at TechCrunch: The developer of the widely popular Wireguard VPN says he is also unable to ship software updates to Windows users after Microsoft locked his account, marking the second high-profile app developer (VeraCrypt) in the past few weeks to face this issue.

We should be able to slow down AI takeover by a few years just by telling the model to find every bug in ffmpeg.

I feel like we're not addressing the most concerning news from Mythos

this is honestly THE best write up of how CSAM detection and perceptual handing works. the visual aids are very helpful in understanding how content is transformed and how detection methods work mahmoud-salem.net/the-invisibl...

I think this is a good precautionary analysis but I’d bet huge amounts of money against a relevant quantum computer by 2029 or even 2035.

Does anyone over here know anything about which stablecoins Iran might be using to demand tolls for Hormuz transit? www.bloomberg.com/news/article...

Well, at least blockchains are getting exciting again.