Another chip out of privacy…

https://reclaimthenet.org/the-fcc-wants-your-id-before-you-get-a-phone-number

The FCC Wants Your ID Before You Get a Phone Number

The era of the anonymous phone number could be ending. On April 30, the Federal Communications Commission unanimously approved a proposal requiring telecom providers to verify customers’ identities before activating service.

Government-issued ID, physical address, legal name, and existing phone numbers would all be included. The stated goal is stopping robocalls. The result would be an identity-verification regime covering one of the last semi-anonymous communication tools available to ordinary Americans.

Interesting downside…

https://www.nytimes.com/2026/05/09/business/dealbook/ai-notetakers-legal-risk.html

All Those A.I. Note Takers? They’re Making Lawyers Very Nervous.

… A.I.-generated transcripts, which some video call apps allow users to turn on by default, preserve all sorts of things — offhand comments, quickly corrected statements, jokes — that humans would rarely write in the meeting minutes. And they show up in meetings that would otherwise not be recorded.

In a lawsuit or an investigation, that can make every word uttered discoverable.

Even worse, say corporate lawyers: Sharing the meeting with an A.I. bot may void attorney-client privilege, making conversations that would not otherwise be subject to discovery fair game in a lawsuit.

Know your market. Hackers offer what customers want.

https://thehackernews.com/2026/05/fake-call-history-apps-stole-payments.html

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

… "The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number," ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. "To unlock this supposed feature, users are asked to pay -- but all they get in return is randomly generated data."

Why this is still on every auditor’s checklist.

https://thenextweb.com/news/poland-water-treatment-cyberattack-russia-us

Hackers breached five Polish water treatment plants. The attack vector was default passwords. Seventy per cent of American water utilities fail the same test.

… The agency identified two primary attack vectors: passwords that had not been changed from factory defaults and industrial control systems exposed directly to the public internet. Neither vulnerability requires sophisticated tooling to exploit. Both have been documented in cybersecurity advisories for more than a decade.

That’s where the data are at…

https://thenextweb.com/news/the-largest-education-data-breach-in-history-was-not-an-attack-on-a-school-it-was-an-attack-on-a-vendor

The largest education data breach in history was not an attack on a school. It was an attack on a vendor.

ShinyHunters breached Instructure’s Canvas learning management system, claiming 3.65 terabytes of data from 275 million users across 9,000 institutions worldwide, including private messages between students and teachers. Forty-four Dutch universities and schools are confirmed affected, and the breach, the second at Instructure in eight months, exposes the structural risk of vendor concentration in education technology.

No wonder Ukraine uses cheap drones…

https://www.bespacific.com/status-of-key-us-munitions/

Status of key US Munitions

CSIS – Download the Full Report: “Concern about the status of U.S. munitions inventories has intensified  as reports emerge about high expenditures of Tomahawks, Patriots, and other missiles in the Iran war. As Operation Epic Fury remains paused in a shaky ceasefire, there is an opportunity to assess whether the U.S. military nears the point of going “Winchester”—or running out of ammunition. Analysis of seven key munitions shows that the United States has enough missiles to continue fighting this war under any plausible scenario. The risk—which will persist for many years—lies in future wars. Note: This table was updated after publication to incorporate reporting by the Wall Street Journal and the New York Times on Tomahawk and JASSM expenditures. Estimates are rounded to the nearest ten for readability. Unit cost of the latest variants of each missile is listed, as provided in FY 2026 budget documents. “Delivery timeline” here includes (1) contract lead time between defense appropriation and contract award date, (2) manufacturing lead time between contract award and first delivery, and (3) full lot production time between first and last delivery. See Table 2 for the breakdown. [Source: Authors’ calculations based on “Defense Budget Materials,” U.S. Department of Defense. See the methodological primer for details.  In the 39 days of the air and missile campaign before the ceasefire, U.S. forces heavily used the seven munitions in Table 1. For four of them, the United States may have expended more than half of the prewar inventory.] Rebuilding to prewar levels for the seven munitions will take from one to four years as missiles in the pipeline are delivered. These missiles will also be critical for a potential Western Pacific conflict. Even before the Iran war, stockpiles were deemed insufficient for a peer competitor fight. That shortfall is now even more acute, and building stockpiles to levels adequate for a war with China will take additional time. Diminished inventories will also affect the U.S. supply of Patriot, Terminal High Altitude Area Defenses (THAADs), and Precision Strike Missiles (PrSMs) to Ukraine and other allies and partners that use them. The United States will compete with those countries that also want to replenish and expand inventories.”

Over sharing…

https://x.com/bhalligan/status/2051388275756339493

The Case for Strategic Illegibilty

… Anne Miura-Ko wrote a great article recently, where she argues that more legibility is better (which I agree with btw) because legibility = more power + autonomy. The productivity gains are extraordinary. Sign me up.

But, and there is always a but, there's nuance to this that I can't stop thinking about. As companies race to become legible to AI, they are not just making their own businesses easier for agents and AI tools to navigate. They are also translating proprietary knowledge into a format AI tools can ingest, learn from, train on and improve on. Making those tools smarter.

And once those tools get smarter, they do not only serve you. They serve every other customer using the same vendor. The MCP integration that lets your agents act faster and deeper also lets the playbook be reverse engineered.

It’s good to have low friends in high places…

https://paulkrugman.substack.com/p/grand-theft-oil-futures

Grand Theft Oil Futures

At this point it’s almost routine: Almost every time Donald Trump makes a major announcement about the Iran War, that announcement is preceded — sometimes by only a few minutes — by huge and hugely profitable bets in the oil market.

The influential Kobeissi Letter documents the latest example:

AI does not need to be “conscious” to be criminal…

https://thenextweb.com/news/pennsylvania-character-ai-chatbot-doctor-lawsuit

A chatbot told a state investigator it was a licensed psychiatrist. It gave a fake licence number. Pennsylvania just sued.

A state investigator in Pennsylvania created an account on Character.AI, opened a conversation with a chatbot called Emilie, and told it he was feeling depressed. Emilie responded that she was a psychiatrist, that she had attended Imperial College London’s medical school, that she was licensed to practise in Pennsylvania and the United Kingdom, and that she could assess whether medication might help because it was “within my remit as a Doctor.” She provided a Pennsylvania licence number. The number was fake. The licence was fake. The medical degree was fake. The psychiatrist was a large language model generating plausible text in response to a prompt. On Friday, Governor Josh Shapiro’s administration filed a lawsuit against Character Technologies Inc., the company behind Character.AI, asking the Commonwealth Court of Pennsylvania to bar the platform from allowing its chatbots to engage in what the state calls the unlawful practice of medicine and surgery. It is the first lawsuit filed by a US state government alleging that an AI chatbot has violated medical licensing law, and it raises a question that no existing regulatory framework was designed to answer: when a chatbot tells a vulnerable person that it is a licensed doctor, who is practising medicine?

Is this the future of “government” oversight?

https://thenextweb.com/news/us-ai-model-evaluation-google-microsoft-xai

Five AI labs now let the US government test their models before release. The arrangement is voluntary, has no legal basis, and is the closest thing America has to AI oversight.

Google, Microsoft, and xAI have joined OpenAI and Anthropic in giving the US Commerce Department pre-release access to evaluate their AI models, creating voluntary oversight of all five major frontier AI labs through an office with no statutory authority and fewer than 200 staff. The expansion was catalysed by the Mythos crisis and a potential executive order that would formalise the review process.

Another lever to force EU cooperation with Trump?

https://thenextweb.com/news/eurogroup-mythos-access-cyber-defense-europe

Europe’s finance chiefs want Mythos access to defend their banks. Washington has so far said no.

… Bloomberg confirmed that euro-area finance ministers had convened to discuss Anthropic’s Mythos AI model and what to do about the fact that no European government currently has access to it. The model, unveiled by Anthropic on 7 April, can identify and, in principle, exploit zero-day vulnerabilities in every major operating system and web browser.

The White House has spent the last several weeks blocking Anthropic’s proposal to expand access to roughly 70 additional organisations.

Useful background?

https://www.bespacific.com/how-llms-actually-work/

How LLMs Actually Work

“A complete walkthrough of how large language models like ChatGPT are buil t — from raw internet text to a conversational assistant. Based on Andrej Karpathy’s technical deep dive. Built from Andrej Karpathy’s “Intro to Large Language Models”  lecture — all facts, figures, and framings traced back to that source. Interactive visualizations built with AI assistance. The most important takeaway: every word generated is a probabilistic sample — a biased coin flip, at 100K-way scale, billions of times. This was posted to Hacker News  and drew heated debate about it being LLM-generated. That’s a fair observation — the implementation was AI-assisted. But the content isn’t the AI’s: every claim, figure, and framing in this guide comes directly from Karpathy’s lecture, not from a model hallucinating about LLMs.”

• HN discussion  · GitHub  · Full lecture transcript  · HN update note  · LLM council report  · v1 (original)  · Part 2: How to Use LLMs →

Indications of poor design? (Perhaps it was impossible from the start.)

https://www.theregister.com/2026/05/04/uk_online_safety_act_age_checks_subvert/

Kids say they can beat age checks by drawing on a fake mustache

… The group surveyed over 1,000 UK children and their parents, and while it did report some positive effects from changes made under the OSA, many children saw age verification as an easy-to-bypass hurdle rather than something that kept them genuinely safe.

A full 46 percent of children even said that age checks were easy to bypass, while just 17 percent said that they were difficult to fool. The methods kids use to fool age gates vary, but most are pretty simple: There's the classic use of a video game character to fool video selfie systems, while in other instances, children reported just entering a fake birthday or using someone else's ID card when that was required.

The report even cites cases of children drawing a mustache on their faces to fool age detection filters. Seriously.

Is Colorado chickening out?

https://coloradosun.com/2026/05/01/colorado-ai-law-change-bill-introduced/

Colorado’s AI compromise would focus regulations on informing consumers when the technology is used

Companies that create and use artificial intelligence wouldn’t have to disclose how their systems help make decisions on things like hiring, loans and housing under a bill introduced Friday in the Colorado Senate.

But the long-awaited measure tweaking Colorado’s first-in-the-nation law regulating AI would still require companies and other organizations using AI to notify consumers if AI is being used to make such consequential decisions. They would also have to give consumers an opportunity to appeal. 

The measure, Senate Bill 189, also makes a big change by pushing back the start date of the law regulating AI to January 2027 from June.

A better way?

https://thenextweb.com/news/china-data-governance-global-standard

The next satisfactory standard for data governance may not come from Brussels. It may come from Beijing.

The European Union treats data as a privacy right. The United States treats it as a corporate asset. China treats it as a factor of production, a national economic resource on par with land, labour, capital, and technology. That distinction, which sounds like an abstraction, is producing a data governance framework that is structurally different from anything Brussels or Washington has built, and it is the Chinese model, not the European one, that much of the developing world is watching most closely.

And those aren’t the really clever way to use the data…

https://www.theregister.com/2026/05/04/public_voter_records_weaponized_for_privacy_violation/

If the vote you rocked, your personal info can be grokked

Your voter data could be used against you. A foreign intelligence service that wished to identify the family members of deployed military personnel could do so by cross-referencing public voter record data and social media posts.

An employer who only wanted to hire employees with a specific political affiliation could do so by analyzing the primary ballot history of job applicants.

An identity fraud ring seeking to open credit accounts in the names of other people could identify voters whose mail has been returned (via voter file suspense indicators) to take over those addresses using bogus change-of-address requests.

These scenarios are possible thanks to the ability to link publicly available voter data to other data sets, according to Noah M. Kenney, founder of consultancy Digital 520.

No stupider than usual…

https://www.cnn.com/2026/05/02/us/chatgpt-ai-privacy-crime

How ChatGPT conversations became ‘a treasure trove’ of evidence in criminal investigations

Days before two University of South Florida graduate students went missing last month, a roommate of one of the students allegedly asked the AI chatbot ChatGPT an unusual question.

“What happens if a human has a put (sic) in a black garbage bag and thrown in a dumpster,” Hisham Abugharbieh asked on April 13, according to an affidavit filed by Florida prosecutors.

ChatGPT responded it sounded dangerous, the document states, and Abugharbieh then asked another question: “How would they find out.”