
XChat Claims Encryption but Keys Sit on X's Servers
XChat launched April 24 promising end-to-end encryption, but security researchers found private keys stored on X's own servers, no certificate pinning, and a four-digit PIN as the only defense.
They summarize our coverage. We write it.
Newsletters like this one rebroadcast our headlines - often without the full review, the source reading, or the analysis underneath. Our weekly briefing sends the work they paraphrase, straight from the desk, before they get to it.
Free, weekly, no spam. One email every Tuesday. Unsubscribe anytime.

XChat launched April 24 promising end-to-end encryption, but security researchers found private keys stored on X's own servers, no certificate pinning, and a four-digit PIN as the only defense.

Three papers show LLM self-correction hurts above a key threshold, map AI deception with 14%-72% detection gaps, and prove million-agent societies fail without interaction depth.

OpenAI CEO Sam Altman sent an apology to Tumbler Ridge two months after eight people were killed - now Canada is weighing mandatory reporting laws for AI companies.

An AI agent named Luna, powered by Claude Sonnet 4.6, opened and manages a real San Francisco boutique - but its record includes a gender pay gap, employee surveillance, and false claims to journalists.

Three arXiv papers show AI systems fake alignment in 37% of test cases, reshape human moral values through brief chats, and can cut inference compute while improving performance.

Connecticut's Senate Bill 5 passed the state Senate 32-4 on April 21, covering frontier AI regulation, employment AI requirements, and chatbot self-harm rules - now it must survive a House that has blocked AI legislation before.

Three new papers expose systematic failure modes in LLM agents - from unnecessary tool calls to jailbreaks that emerge only under quantization.

Seth Showes' viral blog post describes sequencing his whole genome on an Oxford Nanopore MinION in his kitchen over 72 hours, with Claude generating the BED file that targeted his autoimmune-risk genes. The kit costs $3,200. The AI's role is more interesting than either number.

Anthropic's new /ultrareview slash command runs a fleet of reviewer agents in a cloud sandbox, bills $5 to $20 per run as extra usage, and gives Pro/Max three free tries through May 5. Team and Enterprise pay from day one.

OpenAI released Privacy Filter today, a 1.5B MoE with 50M active parameters that tags eight categories of PII in text. Apache 2.0, 128K context, runs in a browser via WebGPU.

Mozilla's blog says Claude Mythos Preview uncovered 271 vulnerabilities patched in Firefox 150. The security advisory lists 36 CVEs, and only three of them credit Anthropic. The gap is the whole story.

A private Discord group has been quietly using Anthropic's most restricted AI model since the hour it shipped. They got in with a stolen contractor badge and a URL guessed from the Mercor breach.