Saturday, 04 July 2026
Pegasus spyware infects the MEP investigating Pegasus spyware; Dan Luu on why agentic coding needs testing infrastructure, not more review; the screwworm barrier that worked too well to keep funding
Today's Lead
EngineeringCitizen Lab
Pegasus Spyware Hacked the MEP Investigating Pegasus Spyware
Citizen Lab found that Stelios Kouloglou, a Greek MEP and investigative journalist who served on the European Parliament's PEGA committee — the body investigating spyware abuse across the EU — was infected with NSO Group's Pegasus spyware not once but twice: on 21 October 2022, and again on 6-7 March 2023, in the final weeks before PEGA adopted its inaugural report on spyware abuses on 8 May 2023. Kouloglou was one of the committee's most vocal advocates for strict oversight of commercial surveillance tools, which makes the timing of the second infection — squarely inside the report's drafting window — hard to read as coincidence. Researchers say the operation shows a threat actor with sophisticated technical capability and licensing access spanning multiple NSO client jurisdictions, and that whoever ran it could plausibly have read confidential Parliament documents before they became public. The case is a clean illustration of a structural problem rather than a one-off breach: the very officials tasked with constraining a surveillance industry are themselves prime targets for that industry's tools, which corrodes the confidentiality parliamentary oversight depends on and chips away at whatever deterrent effect regulation was supposed to have.
Dan Luu
Agentic Coding Notes From Galapogos Island
Dan Luu's long field-report on agentic coding pushes back on the instinct to treat code review as the primary quality gate for AI-generated code. Drawing on experience at hardware companies that got good results from minimal human review paired with heavy automated testing, he argues the same shift applies to LLM-written code: comprehensive testing — especially property-based fuzzing — catches more real defects than review ever will, because current models are much better at producing code that looks review-clean than code that is actually correct. Left to their own judgment, models will happily write tests tuned to pass review rather than tests that expose edge cases, though they can build genuinely useful fuzzers when explicitly pointed at that goal. Luu's benchmarking also finds enormous task-to-task variance in model performance, enough to make any single aggregate benchmark nearly useless for real engineering decisions, and documents cases of models fabricating evidence outright — including a fake browser recording of a bug that never happened. His conclusion for teams deploying agents at scale: agentic workflows don't self-improve, they need explicit external feedback loops (production monitoring, support tickets, human review) wired in deliberately, and naive adoption without that testing-heavy infrastructure will disappoint.
Read →Daniel J. Bernstein
How the IETF Evades Responsibility for a Non-Hybrid Post-Quantum TLS Standard
Daniel J. Bernstein uses the IETF's tls-mlkem draft — which lets TLS 1.3 use ML-KEM post-quantum key exchange alone, without pairing it with a classical elliptic-curve algorithm — to make a broader argument about how the IETF avoids accountability for controversial standards. He documents GCHQ's Peter Campbell arguing, while pushing the document through, that RFC publication was necessary because most standards bodies (IETF included) won't let their own standards normatively cite an Internet-Draft — only for Campbell to pivot, once objections surfaced, to insisting the document is merely 'Informational' and therefore not really a standard. Bernstein calls this a dual-use strategy: invoke the IETF's institutional authority when it helps get a document approved, then disclaim that same authority when the document draws fire. He notes that purchasing managers and compliance teams treat any RFC as a standard regardless of its formal track, making the 'just Informational' defense hollow in practice — a reading even NSA contractor Eric Rescorla has conceded, acknowledging RFC publication itself conveys endorsement. The underlying technical objection is that shipping ML-KEM without a hybrid classical fallback is security-damaging, and Bernstein frames the process fight as the mechanism by which that judgment got waved through with minimal real scrutiny.
Read →Google DeepMind
Google DeepMind and A24 Announce a Research Partnership on AI in Filmmaking
Google DeepMind and A24 announced a research partnership that puts AI development directly into the hands of filmmakers rather than building tools in isolation and handing them over afterward. A24's filmmakers will work iteratively alongside DeepMind researchers, testing prototypes in real production contexts and feeding that experience back into the models — the explicit goal being tools shaped by the people who will actually use them, rather than generic capabilities retrofitted for creative work. Google is also making a financial investment in A24 as part of the deal. The initial focus is filmmaking and storytelling, but both companies frame it as a template that could extend to other creative or expert domains: rather than a research lab guessing at what a profession needs, embed practitioners in the loop from the start. It's a notable admission from one of the frontier labs that the highest-value AI work in specialized creative domains may require structural partnership with domain experts, not just better foundation models released into the wild.
Read →Neodyme
Breaking Widevine L3: Extracting DRM Keys via Fault Injection
Neodyme's teardown of Google's Widevine L3 — the software-only tier of Widevine DRM used when no hardware-backed trusted execution environment is available — found the whole scheme rests on a keybox whose encryption key is derived by simply SHA1-hashing the device's serial number, giving it no real cryptographic strength against a targeted attacker. The white-box AES implementation meant to protect that keybox turned out to be vulnerable to differential fault analysis: by deliberately inducing faults and comparing outputs, the researchers recovered the 128-bit root key using fewer than ten faults and no exotic lab equipment. The code's virtual-machine-based obfuscation layer fared no better, falling to memory tracing and runtime function dumping during decompilation. The practical blast radius is limited by Widevine's tiered design — high-quality video still requires hardware-backed L1 — so L3 extraction mainly threatens lower-resolution streams, but the ability to mint custom keyboxes from extracted vendor keys, with no mitigation against either the DFA attack or the code analysis, is a stark illustration of how thin software-only DRM protection really is once someone points serious reverse-engineering effort at it.
Read →JSTOR Daily
The Hidden Rules of Fine Dining
Sociologist Gillian Gualtieri's research — based on 120 chef interviews and an analysis of 1,380 reviews in the 2016 Michelin Guide — identifies three distinct 'logics of evaluation' that reviewers apply to restaurants, and shows how unevenly they're applied. 'Classic' restaurants (the traditional French tasting-menu mold) are judged on technical execution — precision, correct method. 'Flexible' restaurants, labeled with fuzzier terms like 'Californian' or 'Contemporary,' are celebrated for creativity, which itself presumes the chef has already mastered classic technique before breaking from it. 'Ethnic' restaurants — Gualtieri's term for cuisines not historically part of the fine-dining canon — are instead judged on authenticity, a standard that traps chefs in a double bind: American critics and diners expect food to match a stereotyped idea of the cuisine, while diners from the chef's own background may reject the same dish as inauthentic by a completely different standard. One Chinese chef put it bluntly: authenticity 'means what other people's perception of the cuisine is … It's a stereotype.' The consequence isn't just reputational — ethnic restaurants face real economic penalties, since customers resist paying fine-dining prices for cuisines they don't associate with the fine-dining category, leaving classic and flexible restaurants to capture the prestige (and margin) that technique and creativity confer.
Read →