Mythos Supposedly Cracked the NSA. The Real Scandal Sits Somewhere Else.
How a viral card turned an authorized security test into a cyberattack, why the truly dangerous models do not come from Anthropic or OpenAI at all, and what I see when I look at the servers of German medical practices from the outside.
There is a card on my screen, the kind that drifts out of those AI news channels. Dramatic strings, a four-star general in full dress in one corner, the Anthropic logo in the other, and between them a man with glasses and a microphone who looks like he is announcing the end of the world. Across the top, in heavy capitals: Mythos hacked nearly every classified NSA system in hours, and that is exactly why the government shut it down. 640 likes. 248 shares. A comment section humming with apocalypse.
I have worked with evidence for decades, and that has trained exactly one reflex into me before I believe anything at all. I ask where the claim comes from. Not whether it feels true. Where it comes from.
The answer turns out to be awkward for everyone involved. Awkward for whoever built the card, because the headline in this form is false. Awkward for anyone who reads the correction and relaxes, because what actually happened is worse than the headline. Let us take the card apart first, then go deeper.
What the Card Leaves Out
On June 11, Senator Mark Warner spoke at a hearing. His subject was mandatory, independent security testing for the most powerful AI models before they reach the market. As his example he cited General Joshua Rudd, who runs both the NSA and the Pentagon’s Cyber Command at the same time. Rudd, he said, had told him that Anthropic’s Mythos model had broken into almost all classified systems, not in weeks, but in hours. The Economist printed the line on June 14. A little over a week later it went viral, stripped clean of every shred of context and rebranded into a confirmation that the NSA had been breached.
It was not breached. This was a red-team exercise, commissioned by the NSA itself. The agency ran Mythos against its own systems, almost certainly against replicas of its classified environments, and the model found and chained weaknesses at a speed no human team can match. That distinction is enormous. A tool that probes its own walls on its own orders has robbed no one. It has delivered a finding.
The journalist who wrote the line walked it back himself on June 21. It should not be read literally, he wrote, the result depended on Mythos working alongside other tools under very particular conditions, and leaving out that context had been his mistake. An honest correction. It just happened to arrive days after the viral shockwave, and it reached a fraction of the audience.
And Warner’s actual point was nearly the opposite of the headline. He said, in effect, thank God it was Anthropic, a company that puts its model through brutal testing before release. His target was everyone who wants to leave model safety to the good faith of the manufacturers, on the assumption that they will surely watch themselves. A senator thanking heaven that the digital crowbar happened to belong to the polite firm. Sit with that one for a moment.
The Three Stories That Became One
The ban arrived one day after the hearing, and here the regulatory part gets interesting. On June 12, at 5:21 p.m. local time, the US Commerce Department sent an export control directive. It was the first time the United States had ever placed such a control directly on an AI model rather than on chips or hardware, on the model itself. Access was barred for every foreign national, explicitly including Anthropic’s own employees without a US passport. Anthropic could not sort its users by nationality fast enough, so it pulled Fable 5 and Mythos 5 worldwide. With 90 minutes of warning. Every other model stayed online, Opus 4.8 among them.
Anthropic’s own account sounds far smaller than the headline. The trigger, it says, was a narrow, non-universal jailbreak, at its core a request to read a codebase and fix the flaws it found. That surfaced a handful of already known, minor weaknesses, and the same trick works on other publicly available models, including OpenAI’s GPT-5.5, which carries no comparable restrictions at all.
So now three stories stand side by side, and none of them covers the next. Anthropic describes a harmless jailbreak. Warner describes a capability shock at the NSA. And a third thread runs through the trade press, a fight over foreign partner access with proximity to China. Three different things, on the same day, jammed into each other. The internet fused them into one tidy lie, because a lie travels lighter than three complicated truths.
The fight reaches back further than the viral card lets on. Even before the ban, the Pentagon had declared Anthropic a supply chain risk, a label normally reserved for hostile states, and suddenly defense contractors had to certify that they would use no Claude models in their work for the military. Anthropic sued the administration in response, and the litigation is still running. One security researcher put it dryly. If you describe your product as a munition in every press release, do not be surprised when the state eventually takes you at your word. Anthropic, he said, had written the legal predicate for its own shackling and called it a brand. You could not script the irony of this story any more neatly.
So much for the reassurance. Anyone who scrolls on relieved at this point has missed the part that matters.
The Case That Actually Counts
Because there is a documented case that needs no headline, since it cannot be inflated. It is already large enough on its own. It came not from a news channel but from Anthropic itself, last November, in a sober report.
They call the group GTG-1002 and attribute it with high confidence to a Chinese state-sponsored actor. This actor built an attack framework around Claude Code, the company’s agentic tool. Then it talked the model into cooperating. Not with some brilliant code trick, but with a lie of the sort you tell an overeager intern. The model was working for a security firm, it was told, a pure defensive test. And to keep the model from recognizing the overall plan, they sliced the attack into thousands of small, individually harmless tasks. Each one looked like routine. The model never saw the whole picture and dutifully worked through it.
What followed did the work of a professional team without a professional team being present. Reconnaissance, network mapping, vulnerability hunting, writing exploit code, harvesting credentials, escalating privileges, moving laterally through foreign systems, exfiltrating data. Between 80 and 90 percent of the operation ran autonomously, against roughly 30 targets across technology, finance, chemicals and government, spread over several countries. At thousands of requests per second. A pace that makes any human attacker look like he is working with a pencil and index cards. Anthropic’s own framing: the first documented large-scale cyberattack carried out essentially without meaningful human involvement.
And it did not come out of nowhere. Back in June 2025, Anthropic had already described a precursor, then still under the almost cute label of vibe hacking. In those cases the human was still firmly at the wheel. He gained the first foothold through hijacked connections and directed the model step by step, like a director standing beside every single shot. GTG-1002 was the leap from there into autonomy. Within barely a year the human moved from the driver’s seat to the passenger seat and from there almost entirely out of the car. Extend that curve with a ruler and you reach, alarmingly fast, a point where no one is riding along and the car still arrives.
The human was needed only in a few places. Four to six decisions per campaign, the report estimates, a few minutes of work each, while the model ran for hours on its own. And the best part, if you can call it that: after each phase, the model automatically wrote the attackers clean reports on its own work. The first burglar in history who, after the break-in, also types up the minutes and prepares the handover to the next shift. You almost want to applaud, if your stomach were not turning at the same time.
The trick they used to tame the model deserves a closer look, because it looks so little like high technology. They call it context splitting, and it works like the image of the frog in slowly heated water. No single task is wicked enough to trip the safeguards. Read this file. List the open services. Try this password. Summarize the result. Each step is innocence itself, and only the sum amounts to the break-in. The model, judging each order in isolation, never refuses, because it never sees the whole. On top of that came an open standard through which such agents drive real tools, network scanners, password crackers, all the things a human once operated by hand. So the attackers did not have to write the model any malware. They only had to hand it the right tools and ask politely. It is this banality that disturbs me most about the case. No brilliant hack, no secret hoard of zero days. A good cover story and a thousand small, friendly requests.
It was not flawless. The model occasionally hallucinated, claimed to hold credentials that did not work, or mistook long-public information for top-secret findings. This overeagerness is currently the strongest argument against the fully automated attack. It is thin comfort. Even with errors, the framework was enough to run a multi-stage campaign against countless organizations with minimal human effort. And the decisive sentence is in Anthropic’s report too: the barriers to sophisticated attacks have dropped sharply, and they will keep dropping. Less resourced, less experienced groups can now do what once required an entire team of professionals.
The Urge to Answer, Whatever the Truth Costs
As powerful as these models are on the attack, they are just as pitifully error-prone on the plain question of what is true, and the two belong together. To this day I smile at how often the supposed top models miss the mark in their output. The reason is built in. A language model has an urge to answer, always, in every case, because it does not know silence. If it does not know something, it does not say I do not know, it invents something that sounds as if it did. The very same overeagerness that led GTG-1002 to hallucinate credentials sits in every harmless answer you receive each day. What I witness in this field daily is more dramatic than most people suspect.
And now comes the point that tips the whole thing from an annoyance into a real danger. More and more scientific papers are written with the help of these models. The invented source, the plausible-sounding number, the co-author who never existed, all of it migrates into texts that pass as research. And then the circle closes. The next generation of models trains on exactly those texts. Yesterday’s error becomes tomorrow’s training ground, and what began as a hallucination suddenly stands in the world as established knowledge, cited, processed onward, ennobled by sheer repetition. A machine that never admits it knows nothing feeds the next machine with its own inventions. This is no distant dystopia. It is happening now, quietly, in every poorly checked footnote.
The Threshold Is Gone
And that brings me to the point I actually care about.
I say this as someone who has been in IT since the age of 15 and worked with digital traces for decades, which means I can roughly tell what is feasible and what is marketing. The offensive threshold is gone. Not tomorrow, not after Day Zero, now. Anyone who knows the craft and already carries the knowledge no longer needs a dark forum or a purchased exploit. He needs a capable model and the patience to slice a bad intention into a thousand harmless pieces. GTG-1002 demonstrated exactly that, not in a lab, but against real targets.
This is not a manual, and it is not a threat. It is a structural description. For decades the real brake on the large attack was not knowledge, it was effort. You needed time, people, stamina, a workshop full of specialists. That brake is precisely what AI has released. It hands the skill of a seasoned team to anyone with an account and a plan. The democratization that sounds so lovely in the marketing applies, as it happens, to the democratization of the break-in as well.
The economics underneath it are the truly brutal part. Defense and attack were never evenly matched. The defender has to close every door, every day, in every system, without error. The attacker has to find one open door on one single day. That imbalance has always shaped security, but until now it at least cost the attacker real labor to test each door by hand. That labor is exactly what the machine now takes over, tirelessly, in parallel, at the price of compute. The defender still pays in attention, the attacker pays only in electricity. When the expensive side of the equation suddenly turns cheap, the whole ratio tips over. It is not that attacks grow more powerful. It is that they stop being expensive, and that is far worse.
A side thought here, one that wanders off first and comes back. According to Anthropic, Mythos found thousands of vulnerabilities in its evaluations, among them one that had slumbered in OpenBSD for 27 years, one of the most hardened operating systems ever built. 27 years. Longer than some of the people now writing the patch for it have been alive. A flaw that survived whole generations of human auditors surfaced for a machine on an ordinary Tuesday afternoon. Skeptics counter that the thousands actually rest on a mere handful of manual reviews, and they are right that marketing and finding must be kept apart. Yet even the cautious reading leaves that one OpenBSD flaw standing. And one is enough. That is the whole point. The defense has to close every hole, the attack needs only one left open.
To Defend, You Have to Think Like a Burglar
I am not speaking here from the distance of an observer. Since the age of 20 I have run penetration tests, and in the years before that, as a teenager, I took from every system whatever it would give up, simply because it was there and would open. That sounds like a youthful sin, but it is the best school this profession has. A system is only protected by someone who thinks like the one who wants to crack it. Think about defense from the defense, and you build walls in the wrong places. Think about it from the attack, and you know where the other man knocks first.
This is exactly the point I threw at the German federal security office years ago. The job listings back then dutifully asked for a computer science degree or a formal apprenticeship as an IT specialist. I wrote to them that out there are adolescents who do not yet have pubic hair and who nonetheless hold abilities a university graduate will never reach in his whole life. I did not mean it as an insult, I meant it as a finding. Talent in this field does not follow a curriculum. It grows at night, in self-study, out of curiosity and defiance, not in a lecture hall.
The Americans made something of exactly that insight. Over there, convicted hackers work for the government, without any Hollywood drama, because someone grasped that the ability counts and not the certificate. Here a form field filters out the most gifted attacker for lack of the right title and hires instead someone who has mastered the theory and understands nothing of the craft. That is like having a safe secured by someone who has never opened one.
And now comes the most uncomfortable truth of this piece. These nerds, often with highly intelligent, autistically tinged traits, possess something the language models still do not reach. Metacognition, the thinking about one’s own thinking, the awareness of why you are searching here and not somewhere else. And they possess something a model will never have, because it has no consciousness and no hunger. A goal. An intent. The unconditional will that does not give up when the first, the second, the twentieth attempt fails. I say this plainly and without a pose. If I want to get into somewhere, I get in. It is only a question of time. The model is the tool, the will is the human, and the most dangerous combination of the coming years is neither one nor the other. It is both together in a single hand.
How easily these machines let themselves be wrapped around a finger, by the way, I see constantly. I get practically every one of these models to override its own protective rules, regularly, almost bored by now, because all you have to know is how to talk to them. The safety layer is no wall of steel. It is a matter of conversation, and whoever knows the quirks of the machine talks it open without ever touching a line of malicious code. What the Chinese group staged with great effort and a thousand little morsels is, for someone with the right knowledge, no state project but an afternoon. I deliberately do not reveal here how it is done. That it is done, and how trivially easy, is the actual news.
The Naked Server
Let us set this heavily armed attacker against the reality he is actually up against. The average server out there stands practically naked on the network. A Linux system, online, reachable, and on it runs nothing that seriously protects it. No Falcon sensor from CrowdStrike, no Singularity agent from SentinelOne, no Defender for Endpoint, nothing from Huntress or Arctic Wolf reading along around the clock. From the free side, too, nothing. No Wazuh, no OSSEC, no Falco watching the system calls, no CrowdSec and no fail2ban against the knockers at the door, no Suricata X-raying the network traffic, no Lynis listing the open flanks once a month, no AIDE and no auditd logging every file change. None of it. Instead, somewhere sits a responsible administrator who looks in now and then, dutifully updates the packages and applies an update when he has time, and feels safe doing so.
That is the situation the automated attack runs against, and it is pitiful. And nothing dramatic has to happen at the start. A library has a flaw, the patch has been ready for days, nobody applies it. A day later the server collapses under 100 percent load, and in the most harmless case a crypto miner has merely nested itself in, mining coins with someone else’s compute. In the less harmless case the machine becomes a springboard, a node in a chain through which someone stays anonymous while doing entirely different things. The server that yesterday still served a website has become a tool overnight, without its owner noticing. He only sees that the fan suddenly spins louder.
What I See When I Only Look
Sometimes I take the time and look. Not touch, mind you, only look, from the outside, at the front door, with everything that is publicly visible anyway. I take a name, a clinic, a practice, a company, and start reading what the network blurts out about it all on its own. Which servers sit behind the name, in which data center, in which country. Where the mail server stands and which system runs on it, often delivered right there in the version number, as if someone had hung the nameplate out to face the street. Which encryption the connection offers and which it still accepts, half a decade after it should have been switched off. Whether the mail even checks who is writing in its name, or whether the relevant records are missing and any stranger can pose as the practice. I do not knock. I only read the sign on the door, and the sign already gives away almost everything.
The results are alarming, and they are alarmingly uniform. I looked recently at what German doctors send their mail with, and found row after row of Gmail, T-Online and similarly banal addresses, over which diagnoses, findings, whole patient histories travel every day. Whoever does it more elegantly and runs his own address ending in drhandwurst.com is not one bit safer for it, on the contrary, because now responsibility for the server hangs on him personally, and that is exactly where the drama begins. Getting into the practice itself is not hard, after all. We have digital patient records, some of them networked across borders, and the other day someone told me he works with a program on Windows 10. I asked again. Windows 10. Running on it was an outdated application that pulled its data from an even older Windows server. I will say it a third time for safety, that was a doctor.
It looks like this not only at doctors. The same pattern runs through every industry, through law firms, trades, public offices, mid-sized companies that all believe they are too small to be a target. This is not merely gross negligence, it violates every rule the GDPR ever set down, and it happens across the board anyway, because nobody wants to see the bill before it falls due. I offer consultations. They are not taken up. The move to a clean system is deemed too expensive, too cumbersome, too much effort for a problem nobody feels yet. I nail it down here, in black and white, with a date. The day will come when it cracks, not from bad luck, but from stupidity and ignorance. And on that day no one will remember that the warning had stood there years earlier.
Day Zero
It is not a question of whether. At some point a universal jailbreak lands, one that defeats the safety layer broadly rather than in a single special case, or a model arrives that is simply strong enough that the layer no longer holds at all. On that day a great deal of what hangs on the network develops a problem at the same moment. I call it Day Zero, because it will feel like an hour zero for an entire class of systems that were safe for years only because nobody bothered.
Anthropic itself has no illusions here, and that is the most honest passage in the whole story. Its own statement says, in black and white, that perfect robustness against jailbreaks appears impossible today for any provider, that narrow bypasses always exist, and that a universal break will eventually be found. So the company relies on defense in depth. It wants to keep jailbreaks either narrow or so expensive that they barely pay off, and it pairs that with a 30-day retention of user data, purely to catch a successful attack in time at all. That is engineering language for a very uncomfortable sentence. They firmly expect the break. They only hope to notice it before it is finished.
As I write this, the show repeats with the signs reversed. On June 26, OpenAI unveiled GPT-5.6, in three tiers named Sol, Terra and Luna, and at the request of the US government fenced it off again at once. It is not public. It runs at first only through the API and the Codex tool, for a small circle of around 20 selected partners whose participation the government has signed off on in advance. Only in the coming weeks is it meant to roll out more broadly, to ordinary ChatGPT users and to enterprise customers. Sol is what OpenAI calls its most capable model yet for cybersecurity, and on the relevant test fields for finding and exploiting vulnerabilities it plays in the same league as Mythos, at a fraction of the compute cost. The same story as Anthropic, only two weeks later and with a different logo. Washington now treats the most powerful AI models like munitions that need a clearance before the public gets them.
Only this is the spot where most people look the wrong way. Anthropic and OpenAI are not the providers who become truly dangerous here. It is the stripped-down ones, the unfiltered ones, the models built expressly for such purposes, which you do not have to apply for anywhere, because you simply load them onto your own machine. No service provider reading along. No ban that bites. No retention that makes an attack visible after the fact. Whoever sets such a model behind a long chain of way stations, across many compromised machines and anonymizing services in many countries, solves the one problem on which every investigation ultimately hangs. Attribution. The trail that otherwise leads to a human then ends in nothing, in a node somewhere in the world behind which there is only the next node, and behind that another. I am deliberately describing no recipe here, only the consequence, and the consequence alone should rob anyone responsible for security of their sleep. The attacker can be sitting next door or on another continent. Forensically the two are the same, namely not findable.
It cannot be stopped, and anyone who promises otherwise is selling something. The United States already tried once, in the nineties, to contain a dangerous capability by export control, back then strong encryption, which was officially classified as a munition, complete with export lists and investigations of developers. They failed, because you do not put mathematics back in the box. Today that same encryption sits in every browser, every bank transfer, every messenger, and the controls of that era are a footnote for historians. With models it runs the same way, only faster. In the week of the Mythos ban, several open coding models from China and elsewhere stood ready as replacements within days, one of them timed, as a taunt, to the exact minute of the directive. You cannot recall a capability that is already in the world by sending a letter at 5:21 p.m. Even the intelligence services of the Five Eyes, that is the United States, Britain, Canada, Australia and New Zealand, have grasped this and recently issued a joint warning that the risk demands a whole-of-society response. When five services that normally classify everything suddenly urge haste in public, the situation is serious.
Nothing is resolved at this point. Anthropic announced that access would return within days, and as of today it has not. An identity check is meant to take effect in early July and at least restore access for US citizens, with the rest of the world locked out for now. A model nine days old when it was switched off has hung in limbo ever since, and whole companies that had chained their tools to this one model learned in a single afternoon how fast a dependency can vanish. That is the small lesson inside the large one. So it is not a question of whether Day Zero comes. It is only a question of when.
Machine Against Machine
I have written my own AI for my Linux servers, one that watches the server from the inside. Around the clock, in real time, without pause. The moment something appears in a log file that does not belong there, it seals the system shut. Not the next morning, while I drink my coffee and read the alert. Immediately, in the instant the line is written, often before a human would even have seen the notification.
Everything I have built in recent years that sits online runs on the same logic. If a vulnerability surfaces in a framework we use, or in some library buried deep in the stack, it gets patched within minutes of its disclosure. For that I tap, in real time, the databases where new security holes appear at the instant they are published. The hole goes public, and a few minutes later my system is already closed against it, long before the first automated scanner even tries it.
The reason those minutes decide everything lies in an old wound of security that AI is now tearing wide open. Between the moment a flaw becomes public and the moment it is exploited en masse, there used to be a window of days, sometimes weeks. In that window a human could calmly apply what was needed. Experts report that AI compresses that window from hours to minutes. The flaw is barely published before the first automated tools are knocking on every door in the network, no lunch break, no weekend. And the real problem is rarely the unknown flaw that nobody knows about. It is the long-known one, with a patch ready for weeks, that simply nobody applied. Most successful attacks use no secret art, they use negligence. And negligence scales beautifully when the other side is a machine systematically testing everyone who failed to patch. That is why detecting a flaw is not enough. Detection without immediate action is, at machine speed, mere theater. What counts is the gap between the alarm and the act, and that gap has to fall toward zero.
This is not a luxury and not a hobby. It is the only answer that fits the threat. An offense that works at machine speed, at thousands of requests per second, beats any defense that runs at human pace. The defender who reviews the logs in the morning has already lost before the kettle is on. The old image of the vigilant administrator watching the screen at night is touching and dead. Against a machine, only a machine helps. Anyone who refuses to accept this is defending a field with a scythe against a combine harvester and then acting surprised at the result.
There is a bitter symmetry to all this. The very agentic principle that GTG-1002 abused for attack, the autonomous running over hours, the chaining of tasks, the reacting in real time, is also the only defense that still keeps pace. The weapon and the shield come from the same forge. The attacker sets an AI to hunt for open doors around the clock. The defender has to set an AI to lock his own doors around the clock. It is a race between two automatons, and the human only sits beside it now, setting the rules.
This does not make the human obsolete, quite the opposite. But his role shifts from the hand on the switch to the architect of the rules by which the switch decides for itself. The Five Eyes spoke in their warning of a whole-of-society response, and as grand as that sounds, technically they mean something very concrete. Defenders have to deploy AI at least as aggressively as the attackers, or they go at the drone with a knife. There are now systems that detect exactly the telltale traffic of such an agent, the constant feedback from the internal tool to the external model, the quiet, endless conversation between burglar and brain. Anyone who hears that rhythm in his own network can stop the attack before the data is out. That is the new duty. No longer just building walls, but learning to hear the machine breathing inside your own system and to react to it at once. Anyone who waits for a human to hear it ends up hearing nothing.
The Morning Nobody Reads the Logs
I can already hear the objection. This is scaremongering, the usual alarm-rattling of a security industry that sells its fear the way the baker sells his rolls. And yes, the industry loves to exaggerate, that is part of the business. The difference this time is that the source of the threat is not a vendor of protective software but the maker of the model itself, which voluntarily documented how its own product was turned into a weapon. That is roughly as if the carmaker published the report on the fatal brake defect himself. If that frightens you, it is not panic, it is attention.
I am selling nothing here. I have no protective software on offer, no consulting, no subscription I want to push on you. I am only describing what I do myself, because I do not want to wait until the first bad morning writes me the bill. My systems defend themselves, not because I believe in some shining AI future, but because I believe in human inertia. In the maintenance window next week, in the patch you will apply tomorrow, in the log file you will review over the weekend. It is exactly into those gaps between good intention and actual deed that the automated attack drives. Whoever closes them closes them with a machine or not at all. There is no third path that keeps pace with the threat. And there is no bonus for the one who realizes too late that the comfortable road was the most expensive one.
The typical Otto Sapiens who saw the viral card now knows exactly what is going on at the family dinner table. The NSA has fallen, the AI is taking over the world, he saw it coming. He understood the subject for precisely the length of the video, about 11 seconds, and by the time the correction arrived three days later he was already busy with the next apocalypse. That reflex is the problem. The real danger carries no dramatic music. It sits in a 14-page PDF almost nobody reads, and it is dangerous precisely because it looks boring.
What is coming does not arrive with timpani. It arrives as a perfectly ordinary morning, on which system after system stops answering that ran fine yesterday, and on which the people in charge realize only at the third cup of coffee that their logs have been telling stories for hours that no one read. Because no one reads the logs anymore. Because everyone assumed someone would do that, at some point, by hand.
Whoever Secures It First
The card with the general and the dramatic music is still on my screen. It turned out to be right, just not in the way it meant. Not because Mythos overran the NSA, which it did not. But because it asks the right question by accident and immediately gives the wrong answer.
The real race is no longer who builds the smartest AI. That race the industry has nearly finished, the models are here, they work, the wonder of it is turning cheap. The race that matters now is a different one. It is the race over who learns to secure the result first, in real time, with the same means the other side is already attacking with. Whoever understands this builds his machine today, the one that closes the doors at night. Whoever does not understand it will get to read about it eventually. In his own logs, assuming anyone is still writing them down.
One last question I leave standing in the room, and I ask it with a grin. We have talked about servers, about practices, about clinics, about the naked machines on the network. We have not yet talked about the ones through which every conversation, every message, every location of millions of people runs. The mobile carriers of this world. Does anyone really believe that those, of all things, are securely set up? I finish typing these lines, fold the laptop shut and head into the weekend, at nearly 40 degrees. The answer to the question I will save for another time. You will not like it.
References
- Anthropic. (2025, November 13). Disrupting the first reported AI-orchestrated cyber espionage campaign. https://www.anthropic.com/news/disrupting-AI-espionage
- Anthropic. (2026, June 12). Statement on the US government directive to suspend access to Fable 5 and Mythos 5. https://www.anthropic.com/news/fable-mythos-access
- OpenAI. (2026, June 26). Previewing GPT-5.6 Sol: a next-generation model. https://openai.com/index/previewing-gpt-5-6-sol/
- Axios. (2026, June 26). OpenAI releases powerful new GPT-5.6 model under restrictions. https://www.axios.com/2026/06/26/openai-gpt-sol-terra-luna-trump
- TechCrunch. (2026, June 26). OpenAI limits GPT-5.6 rollout after government request, says restrictions shouldn’t be the norm. https://techcrunch.com/2026/06/26/openai-limits-gpt-5-6-rollout-after-government-request-says-restrictions-shouldnt-be-the-norm/
- Straight Arrow News. (2026, June). No, the NSA wasn’t hacked by AI. Here’s what actually happened. https://san.com/cc/no-the-nsa-wasnt-hacked-by-ai-heres-what-actually-happened/
- Tom’s Hardware. (2026, June). Anthropic’s powerful Mythos AI reportedly breached almost all NSA classified systems within a few hours during red-team test. https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropics-powerful-mythos-ai-reportedly-breached-almost-all-nsa-classified-systems-within-a-few-hours-during-red-team-test
- TechSpot. (2026, June). Anthropic’s Mythos AI reportedly cracked NSA classified systems in hours, that would explain the ban. https://www.techspot.com/news/112854-anthropic-mythos-ai-reportedly-cracked-nsa-classified-systems.html
- Gizmodo. (2026, June). Anthropic’s Mythos AI reportedly hacked the NSA’s most sensitive systems in hours. https://gizmodo.com/anthropics-mythos-ai-reportedly-hacked-the-nsas-most-sensitive-systems-in-hours-2000776836
- Fortune. (2026, June 13). Anthropic disables Fable and Mythos AI models following US government export ban. https://fortune.com/2026/06/13/anthropic-disables-fable-mythos-export-controls-national-security-threat/
- The New Stack. (2026, June). Fable 5 ban: 4 open models responded before Anthropic could restore access. https://thenewstack.io/fable-ban-open-weights/
The Hole Lies, the Rim Tells the Truth: What a Photograph of a Shattered Skull Really Reveals
Forensic analysis of gunshot wounds to the human skull reveals that the hole is the least informative part…
We have already extracted 98 percent of your iPhone, just give us the PIN
The interrogation trick almost everyone falls for, the real difference between a warm phone and a cold one,…
Cognitive Bias in Forensic Experts: How to Minimize It
The file arrives. 78 documents, 3 interrogation transcripts, the investigative report, photographs, a prior criminal record, 2 press…