Today’s issue: Fixing my own car with CSS, getting jumped by the Bun team, and solving the third hardest problem in computer science.
Welcome to #488.
The Main Thing
POV: you just walked into your first Project Glasswing meeting
What Claude Mythos showed Cloudflare
Remember last month when Chief Fearmongering Officer, Dario Amodei told the world that Claude Mythos was too dangerous for public consumption?
This was because it was (allegedly) so powerful that it had (allegedly) discovered thousands of high-severity vulnerabilities across critical software infrastructure. So instead of releasing the model where bad actors could abuse it, they formed Project Glasswing: a group of large companies that would use Mythos Preview as part of their defensive security work and continue to fund each other in a big tech circle jerk share their learnings publicly.
Thankfully, one of these companies is Cloudflare, who has a good writing culture and lots of smart engineers who have mostly avoided Dario’s psychosis-based marketing strategy.
Their CSO just published their first blog post yesterday about what Mythos has shown them so far. Here are the highlights:
-
Exploit chain construction. Mythos can chain several small primitives into a working exploit like a senior researcher or attacker would. It can take a use-after-free bug, turn it into an arbitrary read/write primitive, hijack control flow, and use ROP chains to take full control of a system. More advanced than just an automated scanner.
-
Proof generation. Mythos can prove bugs are actually exploitable by writing code to trigger the suspected bug, compiling it in a scratch environment, and running it. If the run fails, it reads the error, adjusts its hypothesis, and tries again.
-
Adversarial review. Cloudflare’s harness runs a second agent whose only job is to disprove the first agent’s findings. It uses a different prompt, different model, no ability to generate its own findings. They found that putting two agents in deliberate disagreement is way more effective than just telling one agent to “make no mistakes.”
My take: Nothing in the blog post suggests that we’re 6 months away from ransomware Armageddon, but Dario might disagree by quoting one of America’s greatest philosophers: “I don’t see how you can hate from outside the club when you can’t even get in.”
Fair enough.
   
|
Our Friends
(With Benefits)
Just when I swore off tech conferences forever, Convex pulls me back in
Convex is hosting Abstract Conf
And it’s not just another snooze-fest about how LLMs are “disrupting the industry.”
Abstract Conf is about principled design, for people who care about engineering, simplicity, elegance, and good abstractions.
Here are 3 reasons to consider going:
-
You’ll share ideas on engineering principles, managing large codebases, and the other areas of software dev where LLMs still fall short
-
Talks will go beyond software, with speakers who are experts on physical products, games, and education
-
There are no paid sponsors, so the most interesting ideas and people will be featured without bias
Register here to get more info. It’s happening on Sept 2nd in SF.
Pop Quiz
Sponsored by Datadog
Their Front-end Developer Kit comes with multiple resources to help you better understand user activity on your site and troubleshoot front-end issues more efficiently.
What is this code doing?
const friends = ['Aliyah', 'Alex', 'Ben', 'Cassidy', 'Carlos']
const { length, 0: first, [length - 1]: last } = friends
Cool Bits
-
317 npm packages were just compromised in a series of new mini Shai-Hulud attacks. Just another Tuesday.
-
Artem Loenko wrote about the limits of native code and now Jarred Sumner wants to fight him after school.
-
Vandana Verma Sehgal from Snyk is hosting a live workshop on Securing the new trust boundary for agentic AI on June 4th. You’ll walk away with real-world MCP attack scenarios, threat modeling guidance, and practical controls for safer AI adoption. [sponsored]
-
Julia Evans detailed everything she learned by moving away from Tailwind and structuring her own CSS. Is this how it feels to change your own motor oil?
-
Redux maintainer, Mark Erikson started writing a Thoughts on AI series, where he shares his opinions, tools, workflow and more.
-
Clerk’s new API keys let your users create credentials that delegate access to your application’s API on their behalf. [sponsored]
-
The legend, Dr. Axel had to take his blog and his books offline because of all the AI bot traffic. You can support him by buying one of his books or attacking your local data center.
-
Ahmad Shadeed showed how to achieve better fluid sizing with
round(). -
agent-device is a verification and automation tool designed for agents developing mobile apps. It gives you everything necessary to verify your own work: token-optimized accessibility snapshots, gestures, screenshots, recordings, and replays, but it also lets you debug any mobile app, especially React Native/Expo. [sponsored]
-
The godfather of vibe-coding, Andrej Karpathy joined Anthropic. Someone check on Theo.
-
Den Odell explained why some browsers render big sites differently based on their domain.
-
Roman Kashitsyn wrote a deep dive on tree mapping, which he argues is “the third hard problem” of Computer Science. Thinking back to my CS labs in college, I remember that the first hard problem is naming things and the second one is remembering to put on deodorant.
const friends = ['Aliyah', 'Alex', 'Ben', 'Cassidy', 'Carlos']
const { length, 0: first, [length - 1]: last } = friends
console.log(first) // Aliyah
console.log(last) // Carlos
Since arrays are just objects with numeric keys and a length property, we can use destructuring and computed property names in order to grab the first and last elements in any array. Kind of worthless, but kind of cool.
50 W Broadway Ste 333 PMB 51647 Salt Lake City, Utah 84101