ThierryLabro

86.2K posts

@ThierryLabro

A curious mind who talks about the economy; I like politics, space #space, #startup and #fintech. Also humour, art brut and #photo; #mojo

Between #Luxembourg and #Metz. Joined September 2010
2.1K Following · 7.4K Followers
ThierryLabro retweeted Hedgie (@HedgieMarkets):
🦔 Microsoft canceled its internal Claude Code licenses this week after token-based billing made the cost untenable, even for a company with effectively infinite cloud resources. Uber's CTO sent an internal memo warning the company burned through its entire 2026 AI budget in just four months. American AI software prices have jumped 20% to 37%, and GitHub (owned by Microsoft) is dropping flat-rate plans for usage-based billing across its products.

My Take

The AI subsidy era is ending in real time. The same company that put $13 billion into OpenAI and built the Azure infrastructure powering most of Anthropic's compute just looked at the bill from a competitor's coding tool and decided it was not worth paying. That is not a productivity failure on Anthropic's end. Token-based pricing is forcing every enterprise customer to confront the actual cost of running these models at scale, and the number turns out to be far higher than the flat-rate experiments suggested.

This ties directly to my Gemini Flash post yesterday. Anthropic, OpenAI, and Google all raised effective prices in the last six months. Enterprises that built workflows assuming AI costs would keep falling are now watching annual budgets evaporate in months.

Two outcomes look likely from here. Either enterprises scale back AI usage to fit budgets, which slows the revenue ramp the labs need to justify their valuations ahead of IPOs, or the labs cut prices and absorb the losses, which makes the unit economics worse at exactly the wrong moment. Both paths land in the same place: the numbers stop working, and somebody has to take the writedown.

Hedgie 🤗
ThierryLabro retweeted Biometric Update (@BiometricUpdate):
Europe’s digital identity plans are moving from pilots to production. Estonia has launched a €21.65M procurement to build and operate a compliant EU Digital Identity Wallet integrated with its national eID ecosystem. #digitalwallets biometricupdate.com/202605/estonia…
ThierryLabro retweeted Cloudflare (@Cloudflare):
Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. cfl.re/49BRUqW
ThierryLabro retweeted Luiza Jarovsky, PhD (@LuizaJarovsky):
🚨 Singapore published a case study applying its Agentic AI Framework (the world's first of its kind) to OpenClaw. [Download it below]. If you use AI agents, check out these SAFETY best practices:

1. Assess and bound the risks upfront
- Avoid deploying OpenClaw in its open-source form in mission-critical environments
- Avoid creating a single “all-powerful” OpenClaw agent with unrestricted access
- Avoid installing OpenClaw on primary work or personal devices that contain sensitive data
- Avoid granting OpenClaw ‘superuser’ privileges
- Avoid granting OpenClaw unrestricted access to files and applications

2. Make humans meaningfully accountable
- Adopt a risk-based approach to determine the appropriate level of agent autonomy with the sensitivity of data and the criticality of tasks
- Identify checkpoints that require human approval
- Enforce human approval through system-level controls where possible

3. Implement technical controls and processes
a) During design and development
- Enforce control-plane separation for key safety controls
- Route outbound connections through a policy-enforcing proxy
- Review and tighten the OpenClaw configurations, which are permissive by default
- Avoid giving OpenClaw access to sensitive data
- Use dedicated identities and credentials for the agent
- Avoid exposing credentials to OpenClaw directly
- Regularly rotate API keys, OAuth tokens, and other credentials used by the agent
- Use trusted skills only
- Use trusted sources
b) Testing before deployment
- Adopt a structured evaluation approach, organized around capability-based risk identification, concrete risk scenarios, as well as environment and tool mapping
- Test and verify that safety controls are working as intended
- Test and verify that human-in-the-loop (HITL) is working as intended
- Test and verify that safeguards remain effective against indirect prompt injections, especially when third-party skills are used
c) Post deployment
- Ensure that all agent actions are logged and attributable
- Avoid leaving the agent unsupervised for extended periods
- Monitor the agent for behavioral anomalies and policy violations
- Treat rebuild as an expected control, especially in the event of compromise or anomalous behavior
- Regularly update OpenClaw and patch known vulnerabilities promptly

4. Enable end-user responsibility
- Provide personnel training and/or clear usage guidance

👉 This is a super interesting case study, and a must-read for those developing or deploying AI agents. Download it below.
👉 To learn more and stay up to date, join my newsletter's 95,200+ subscribers (link below).
ThierryLabro retweeted POLITICOEurope (@POLITICOEurope):
EXCLUSIVE: Palantir CEO Alex Karp criticized Germany after a top Berlin official said the country doesn’t plan to award military contracts to the U.S. data analytics giant. 🔗 politico.eu/article/palant…
ThierryLabro (@ThierryLabro):
Many people have been saying this for a long time. The only difference is that the discourse is becoming mainstream.
Quoting Souveraine Tech (@SouveraineTech):

After six years of almost solitary lucidity, during which we were mocked for daring to name the obvious, it is finally comforting to hear @arthurmensch express it with the same clarity before the Nation. What remains striking is the pusillanimity and herd-following of a so-called elite which, long silent or scornful, suddenly finds itself convinced by what it derided yesterday. In everyday language, this is called "turning one's coat". Some would even claim new medals on the other side of the reversible cloth for it! True vision does not consist in falling into step with reality once it imposes itself, but in getting ahead of it. Thank you Arthur; as they say in Yiddish, you are a "mensch"! lefigaro.fr/secteur/high-t…

ThierryLabro retweeted Cyber Security News (@The_Cyber_News):
⚠️ Claude’s Chrome Extension Flaw Allows Malicious Extensions to Steal Gmail & Drive Data Source: cybersecuritynews.com/claudes-chrome… Researchers have exposed a vulnerability hiding inside the "Claude in Chrome" extension. By weaponizing an otherwise harmless, zero-permission extension, invisible attackers can completely hijack the trusted AI assistant. Transform it into a malicious puppet that silently pillages private Gmail messages, restricted Google Drive documents, and secret GitHub repositories. This blind spot exposes the dark side of the AI automation race, proving that when vendors recklessly stretch trust boundaries to speed things up, they leave our most sensitive digital vaults wide open to exploitation. #cybersecuritynews
ThierryLabro retweeted felix hemmerling (@hemmerlingfelix):
Sat down with @ThierryLabro at PaperJam to talk about how @kodehyve has evolved over the past two years. The short version: we got hit hard, restructured, and came out as something better. Here's what changed 🧵
ThierryLabro retweeted GrapheneOS (@GrapheneOS):
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends to do too.

Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.

The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it, but Apple and Google are encouraging every service to use it.

Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.

Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems: support.google.com/recaptcha/answ…

Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's Privacy Pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.

Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.

Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which include forcing bundling Google Chrome, etc. It's enormously anti-competitive.

Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.

Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing, but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it. It doesn't provide a useful security feature, but it does lock out competition very well.

Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.

Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.

Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.

reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS, but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.

This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.

Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
ThierryLabro retweeted International Cyber Digest (@IntCyberDigest):
‼️🚨 ALARMING: Google now treats privacy as suspicious behavior by default. Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed.

GrapheneOS is recommended by the EFF and used by journalists, lawyers, and activists in high-risk environments. The audience most likely to read Google's data practices and refuse its terms is now flagged as fraudulent for that exact decision.

What happened?
▪️ Google announced "Cloud Fraud Defense" at Cloud Next on April 22-23, 2026, branding it "the next evolution of reCAPTCHA." Existing reCAPTCHA customers were auto-migrated.
▪️ When the system flags traffic as suspicious, the old click-the-bus puzzle is gone. Users get a QR code instead.
▪️ Scanning the QR code requires Google Play Services running on the device. Internet Archive snapshots show this requirement has been live since at least October 2025, silently rolled out for 7 months before anyone noticed.
▪️ No Play Services = no QR scan = locked out.

The bigger picture:
▪️ Google already tried this in 2023. It was called Web Environment Integrity (WEI), and it would have let Google decide which devices were "real enough" to access the web. Standards bodies and the public pushed back hard, and Google killed it. Three years later, the same idea is back, just hidden behind a QR code instead of a browser feature.
▪️ reCAPTCHA runs on millions of websites. Every developer who keeps using it is now, by default, telling deGoogled Android users they're not welcome...
ThierryLabro retweeted profdeibert (@RonDeibert):
Wow, @mozilla "identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models". This graph is jaw-dropping: hacks.mozilla.org/2026/05/behind…
ThierryLabro retweeted International Cyber Digest (@IntCyberDigest):
‼️🇪🇺 BREAKING: Europol ran a shadow IT system stuffed with more than 2 petabytes of sensitive data on people who were never even suspected of a crime, and part of the data was kept outside of formal oversight... This lands as the European Commission prepares to expand Europol's mandate and double its budget.

"They protect the law while breaking it," according to a former Europol senior official.

A joint investigation by Solomon, Correctiv, and Computer Weekly uncovered that Europol operated for years outside its own legal limits, with no functioning audit logs, no access controls, and admin rights handed out by the dozen.

They call the system the Computer Forensic Network, or CFN. Built in 2012 to triage forensic data, it became Europol's primary analytical platform. By 2019, the CFN held at least 2 petabytes of operational data, roughly 420 times the size of Europol's official non-forensic database. Drewer, the data protection officer, found that 99% of Europol's data sat in the CFN, processed without basic data protection or security safeguards.

The 2019 internal security assessment listed 32 separate failures. Among them:
- Ineffective assignment of security roles
- Insufficient management of privileged access rights
- Unrestricted software installation
- Lack of password management
- Lack of administrative usage logs
- Insufficient event logging and monitoring
- Insufficient network access control

Independent experts who reviewed the findings called the volume of admin accounts a textbook breach of confidentiality and an open door for both rogue insiders and external attackers. Logs could be modified or deleted by anyone with admin rights, meaning data tampering and unauthorised access could not be reliably traced.

Then there is the Pressure Cooker: a separate clandestine environment run by Europol's Internet Referral Unit, used to pull open-source data without ICT involvement and outside formal oversight. Internal staff flagged it as an "irregular situation" in October 2022. The EU's privacy watchdog, the EDPS, says it was never told about it during the original 2019 investigation.

After almost a decade of negotiation, the EDPS closed its monitoring of the CFN in February 2026. 15 of 150 recommendations remained unimplemented, including ones the watchdog flagged as concerning "issues of particular importance," covering core security safeguards.
ThierryLabro retweeted NotebookLM (@NotebookLM):
Mo sources mo problems? Not anymore: Rolling out now, NotebookLM can auto-label & categorize sources (when you have 5+), so you can spend less time scrolling and more time thinking/learning/philosophizing, etc. Rename, reorganize, & personalize (emojis!) to your ❤️'s content.