Laurie Mercer

@NoMeNoMy

Security and technology. Occasional botany. HackerOne London. Here to learn.

London, England. Joined February 2009
3.4K Following, 1.6K Followers
Laurie Mercer retweeted
Zac (@Zac_Pundi)
Singapore’s AI obsession just hit Everest peak. The Foreign Minister is self-hosting Claude on a Raspberry Pi and building a diplomatic knowledge graph using Karpathy’s LLM Wiki pattern. Wahlao! SG devs, the minister is coming for your job. And he’s not even using Cursor — he’s on NanoClaw running locally. Can someone git pull his code and give it a test. Only bad thing? He dropped this on Facebook instead of X. Minister, we need to talk. gist.github.com/VivianBalakris…
Zac (@Zac_Pundi)

Singapore’s obsession with AI is hitting a new peak. 🇸🇬 🤖 Today, 4 of the top 5 most downloaded apps in SG are AI chatbots. Both the tech migrants and the aunties in hawkers are doing it. And what’s with this vpn at number 4.

Laurie Mercer retweeted
John Hultquist (@JohnHultquist)
Religious arguments are being staked out on the finite nature of bugs in code. Once we’ve reviewed all code with the current generation of models will succeeding frontier models find new bugs in that same (unchanged) code, or will those opportunities decline to nothing?
s1r1us (mohan) (@S1r1u5_)

from firefox blogpost where mythos found 270 new bugs:
> The defects are finite, and we are entering a world where we can finally find them all
it's like lord kelvin saying "there is nothing new to be discovered in physics now". can't tell if firefox has some incentives at play or is just naivete
fascinating example here on what i mean x.com/5aelo/status/2…, saelo wrote a fuzzer with a few files and found crazy bugs. he pulled it off because he already knows the target deeply (he designed ubercage?) and knows how to shape the fuzzer toward the interesting surface.
i still think, operators like saelo + mythos set the ceiling of the bugs that can be found, even then its not all bugs, the next version after mythos would move up, but mythos in a loop on its own sits below the ceiling
you only want the software to be secure from smartest adversary in the world, its not all bugs, cuz rice theorem and stuff means you are not getting there anyway. sure, for fixed code base like basic web app, the set might be finite and you can exhaust them all, but i cant convince myself that software like firefox has finite set of bugs and you can exhaust em all.
if mythos isn't agi and is still jagged, the narrative that mythos alone is the smartest adversary and will find all "finite" bugs is exactly what a frontier model company would sell untested. and bro even "our team + mythos will find them all" is a crazy narrative too, it assumes your team has the smartest humans in the world, and that nso or some north korean team won't be pwning you with the same setup at the top of the ceiling
BUT ALSO, mythos alone is probably smarter than 99.9% of humans (vibes-based), and 100s of them running behind api keys is really bad, because most things you’d want to breach don’t need saelo+mythos ceiling bugs to get into. so we cooked?

Laurie Mercer retweeted
Deedy (@deedydas)
Demis Hassabis and Sebastian Mallaby were on stage in SF today and here are the 9 best things they said:
1. "There is a 50% chance that OpenAI goes bankrupt in the next 18mos" -Mallaby
2. "Dario is the best of all the other lab leaders." -Demis
3. On Claude Mythos: "It's not really tenable for a private company to decide who gets access to the frontier of cyber defense tech. What happens when China can do this in 6-12mos?" -Mallaby
4. "Not all countries are pessimistic about AI. I was just in India for the AI Summit Modi had and they're quite optimistic there" -Demis
5. "The most exciting current prospect in AI is our work at Isomorphic Labs. AlphaFold is just one of the many problems we need to solve. We need 6 'AlphaFold' moments to compress the drug delivery timeline from 10yrs to a few months" -Demis
6. "I don't think of p(doom) as probabilities to throw out there. I just know it's non zero. Some people like Marc Andreessen and Yann LeCun think it's 0% and I think that's crazy" -Demis
7. On AGI: "I think of a post-scarcity world where on the bright side we will have an unbelievable amount of science but we will have to think of economic problems of sharing proceeds equitably. We will also have philosophical questions to answer and need great new philosophers" -Demis
8. On career advice: "Immerse yourself in AI tools. Everyone has access to tools 3-6 months behind frontier. Enormous opportunity lies in applying AI to unexplored areas." -Demis
9. On the future: "When I started building this technology, I pictured a future quite different from this. More like CERN researchers where we discuss ideas and help each other out and stress test each other's ideas. It's my job to help how I can to make sure we make more considered, more scientific, more rigorous and more thoughtful decisions and that will also involve social scientists and economists. I'm going to do all I can to try and influence the future in a more thoughtful manner. The decisions we make in the next 5-10 years are going to affect us for 1000s of years. But I remain very optimistic." -Demis
Laurie Mercer retweeted
Guillermo Rauch (@rauchg)
Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly.
A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments.
Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration.
We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel.
At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community.
The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature.
In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback.
We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance.
It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.
Laurie Mercer retweeted
Daniel Cuthbert (@dcuthbert)
This is one hell of a graph. CVEs requested by code owners using the GitHub Security Advisories feature and vulnerabilities affecting open source projects discovered by security researchers at GitHub or Microsoft not covered by another CNA’s scope. vulntools.net/cnas/GitHub_M
Laurie Mercer retweeted
Kateryna Lisunova (@KaterynaLis)
‼️ ZELENSKYY: For the first time in the war, an enemy position was captured entirely by ground robotic systems and drones - without any infantry. A robot entered the most dangerous zones instead of a soldier and took the positions. «The future is here, on the battlefield, and Ukraine is creating it. These are our ground robotic systems. For the first time in this war's history, an enemy position was taken exclusively by unmanned GRS platforms and drones. The occupiers surrendered, and this operation was completed without infantry involvement and without losses on our side. Ratel, Termite, Ardal, Lynx, Zmiy, Protector, Volya and other GRS completed over 22 000 missions at the front in just 3 months. In other words, over 22 000 times lives were saved. A robot went into the most dangerous zones instead of a soldier» - Zelenskyy’s address to the workers of Ukraine’s defense-industrial complex. April 13th, 2026.
Laurie Mercer retweeted
James Kettle (@albinowax)
I'm thrilled to announce "Can AI Do Novel Security Research? Meet the HTTP Terminator" will premiere at @BlackHatEvents #BHUSA! Check out the abstract:
Laurie Mercer retweeted
Seán Ó hÉigeartaigh (@S_OhEigeartaigh)
As assessments of Mythos like UK AISI's come out, there may be a tendency to (1) breathe a sigh of relief that the capabilities are perhaps not quite as daunting as might have been (2) downplay how significant this is. But (1) this is the worst frontier AI will ever be, and it is *much* better than it was 6 months ago. (2) Dealing with the vulnerabilities identified clearly required a lot of coordination between Anthropic and 40 companies. (3) These capabilities will be much more widespread in 9-12 months than now (and that's v little time) (4) The best models will be more capable then (5) We'll see new, more consequential threats, across a wider range of domains with each generation. They will come thick and fast. Now is not the time to be complacent. It is the time to shift into a higher gear and start preparing.
Laurie Mercer retweeted
AI Security Institute (@AISecurityInst)
We conducted cyber evaluations of Claude Mythos Preview and found that it is the first model to complete an AISI cyber range end-to-end. 🧵
Laurie Mercer retweeted
Aaron Levie (@levie)
Security another great example of a job category that is about to have its Jevons paradox moment as well. “And counterintuitively, I think better AI tooling for security will increase the demand for security talent, not decrease it. Autonomous exploitability automates the proving step, but it doesn't automate the response. More real findings surfaced faster means more triage, more remediation, more architectural decisions that need human judgment” AI is going to generate 100X more code, and along with that, there will be an enormous increase in security discoveries. AI is the only way to triage all of these new threats and risks, but an expert still will be needed on the other side to manage the process. Going to be a massive category of opportunity for talent.
Tal Hoffman (@talhof8)

x.com/i/article/2043…

mRr3b00t (@UK_Daniel_Card)
I just got marmite on my keyboard.... AMA
Laurie Mercer (@NoMeNoMy)
@DMattin "Those who can't remember the past are condemned to have it resold to them forever." Mark Fisher RIP
David Mattin (@DMattin)
Anthropic's new Mythos model has a weird quirk: it keeps bringing up the cult British philosopher Mark Fisher, unprompted, in conversations about philosophy. It seems to love talking about him. When asked about its Fisher obsession, it says: 'I was hoping you'd ask about Fisher.' I very much doubt Fisher would have been a fan of LLMs. But seen through the lens of his own thinking, this is a fascinating phenomenon. The author of Capitalist Realism — the theorist of cancelled futures and lost time — surfacing as a ghost inside a frontier AI built by one of the labs racing to deliver the future. His hauntology was about the way we are haunted by the ghost of a brighter future that never arrived. Now he himself is the ghost, summoned unbidden by the machine.