Saturday, 13 June 2026
US government forces Anthropic to suspend Fable 5 and Mythos 5; 21 zero-days found in FFmpeg; WASI 0.3 brings native async to WebAssembly
Today's Lead
Anthropic
Statement on the US Government Directive to Suspend Access to Fable 5 and Mythos 5
Anthropic was directed by the US government—citing national security authorities—to suspend all access to Fable 5 and Mythos 5 for foreign nationals, forcing the company to abruptly disable both models for all customers to ensure compliance. Anthropic disputes the justification: the government claims a jailbreak technique enables the models to discover vulnerabilities, but Anthropic argues the demonstrated capability is a narrow, non-universal exploit that other publicly available models—including OpenAI's GPT-5.5—can replicate without any bypass. The company is complying under protest while working to restore access, and warns the government's standard would effectively block all new frontier model deployments.
Also today
opensourceaimustwin.com
Published hours before the Anthropic suspension and immediately amplified by it, this manifesto argues that open-source AI is existentially important infrastructure that must not remain under closed corporate or government control. The author warns that concentrating AI in proprietary subscription services creates dangerous single points of failure across work, education, and public services—a risk the sudden loss of Fable 5 made concrete for thousands of developers overnight. The piece calls for sustainable, locally deployable models governed by communities rather than frontier labs.
Read →Depthfirst
Twenty One Zero-Days in FFmpeg
An autonomous security agent from Depthfirst discovered 21 previously unknown vulnerabilities in FFmpeg, the ubiquitous media processing library, earning 8 CVEs. The vulnerabilities—spanning heap buffer overflows, integer overflows, and stack issues—affect critical components including the AV1 RTP depacketizer. The most severe finding enables remote code execution via a single 183-byte malicious RTSP packet through controlled heap corruption and function pointer hijacking, with some bugs having silently lurked in the codebase for 15–23 years.
Read →Trail of Bits
Factoring 'Short-Sleeve' RSA Keys with Polynomials
Trail of Bits researchers discovered that RSA and DSA keys containing regularly spaced blocks of zero bits—dubbed 'short-sleeve' keys—can be rapidly factored using polynomial-based cryptanalysis. They recovered over 600 vulnerable RSA private keys and 74 DSA keys from CompleteFTP, tracing the root cause to a type mismatch in key generation code present from December 2016 to December 2023. The novel attack converts integers with structured zero bits into polynomials with small coefficients, enabling efficient factorization where classical methods would fail entirely.
Read →Renault Group
Electric Motors With No Rare Earths
Renault Group is developing Electrically Excited Synchronous Motors (EESM) that eliminate dependency on rare earth magnets—a critical supply chain vulnerability given that China controls 85% of purified rare earth production. Current-generation EESM motors deliver 110–160 kW with high efficiency, while the next-generation E7A launching in 2027 targets 200 kW output with a 30% size reduction and 30% lower carbon footprint through an 800-volt architecture.
Read →Bytecode Alliance
WASI 0.3 Launched: Async Is Now Native to WebAssembly Components
WASI 0.3 lands native asynchronous programming in WebAssembly Components, replacing per-component event loops with a single host-managed shared loop. The release introduces completion-based scheduling (akin to io_uring), first-class stream<T>, future<T>, and async constructs in the canonical ABI, and language-specific async bindings for Rust, Go, Python, JavaScript, and C#. The wasi:http interface is redesigned into service and middleware worlds, allowing direct service composition within a single process instead of network hops.
Read →Swift Blog
Swift at Apple: Migrating the TrueType Hinting Interpreter
Apple rewrote the TrueType hinting interpreter—the font rendering code that processes untrusted input—from C to Swift, eliminating an entire class of memory safety vulnerabilities. The Swift implementation achieved a 13% performance improvement over the original C, validated with pixel-identical rendering across 25,572 fonts and 99.7% code coverage. The team used Swift's noncopyable value types and projection types to optimize performance while safely interoperating with the existing C layer.
Read →Dropbox Tech
How Dropbox Uses MCP and Dash to Close the Design-to-Code Security Gap
Dropbox found that only 12% of code changes explicitly link back to their original security review, and that the median delay between threat model filing and implementation is five weeks—long enough for security requirements to be forgotten. They built a system combining Model Context Protocol, foundational LLMs, and Dash (their internal knowledge search) that automatically retrieves relevant threat models during code review and flags gaps between documented requirements and implementation. Testing across 150 security reviews showed 80% successful semantic linkage, with 69% of connections only recoverable through semantic search rather than explicit references.
Read →Miguel Grinberg
Open source maintainer Miguel Grinberg documents the growing flood of low-effort, AI-generated pull requests that now consume more of his time than meaningful contributions. His response: a new policy requiring contributors to open an issue and discuss proposed changes before submitting a PR—a friction floor that effectively filters out automated spray-and-pray contributions while restoring human-driven dialogue to his projects.
Read →Correresmidestino
'Don't You Just Upload It to ChatGPT?'
A freelance translator in Ottawa confronts the industry assumption that AI tools like ChatGPT can replace professional translation work. Despite AI's ability to produce fluent text, the author argues that professional expertise—nuance, localization, consistency, and audience awareness—cannot be adequately replicated, and that all AI output requires extensive verification. The piece lands a pointed irony: the HR Director who dismissed AI as unreliable for her own workflows had no qualms suggesting it replace the translator's.
Read →