UPDATES
Hey! Hope you all are doing well!
—
I’ll be doing an AppSec panel on Thursday, May 14th in Palo Alto with Jenn Gile, Caleb Sima, and Balachandra Shanabahg, put on by Clutch Events. Really looking forward to this one, so if you’re in town you should come check it out! THE EVENT
—
My buddy Joseph told me about a quote he heard that I love a lot.
We used to ask people what they’re working on this week, and now we ask them what they shipped this week.
Such a powerful transition there.
—
My new blog got shared and commented on by Paul Graham this week!
Basically: Most companies’ problems are much deeper than AI and tech.
—
Surface is now at version 2.1, with tons of features, bug fixes, and new sources: including the addition of talks via Caleb Sima’s greptalks.ai, and we have re-enabled the most requested feature from Threshold: daily/weekly email digests.
And remember, UL Members get Surface for 25% off perpetually.
Content selected by QUALITY, not source…
I created Surface to replace my entire news ingestion workflow, and I use it all day every day.
It finds the best articles, blogs, videos, podcasts, and other content and rates it by how good it is in terms of original / novel / quality content, ignoring where it came from.
Also, there’s a new way to experience a bit of Surface without the full thing.
thesurface.ai is an actual limited set of stories
news.thesurface.ai is a news-type site with the last 24 items I’ve marked as interesting!
But I obviously recommend you just get the full thing, because then you can get ALL the stories, plus you can tweak your weights and tags to customize it!
—
Sponsor
Most AI Security Strategies Miss the Point
Most AI security efforts focus on the visible layer: models, prompts, guardrails. Necessary, but not sufficient. The real risk emerges when AI systems inherit sprawling data permissions, fragmented identities, and years of unresolved exposure.
Once agents can search, reason over, and act on sensitive information, latent data risk becomes active operational risk. Varonis' latest report offers a clear framework for understanding where AI security actually breaks down, and how inventory, posture, runtime controls, and data security must operate as a single system if you want meaningful risk reduction.
CYBERSECURITY
Bishop Fox built AIMap to find and test exposed AI agents AIMap is an open-source tool that discovers internet-exposed AI agent infrastructure, scores risk, and enables controlled, protocol-specific security testing to reduce attackers’ visibility. Really love these kinds of projects that help you wrangle the sprawl from all the AI we’ve been building, and it was great to see that Nuclei from Project Discovery was part of the stack as well. BISHOP FOX AIMap BLOG
Palo Alto’s PAN-OS CVE lets attackers grab root via portal overflow Palo Alto says CVE-2026-0300 is already exploited in the wild, hitting User-ID Authentication Portal on internet-exposed firewalls. Patch rollout runs mid-to-late May, so block or restrict access now. CYBERSECURITYNEWS THREAT ARTICLE
cPanel attackers are bypassing login and deploying “Sorry” ransomware at scale CVE-2026-41940 is being actively exploited to take over cPanel/WHM hosts, encrypt Linux files, and drop ransom notes. SECUREREADING ARTICLE
CVE-2026-41940 skips cPanel auth and hands attackers admin access
They grab the hosting panel, run Linux ransomware, and encrypt everything
The “Sorry” payload appends .sorry, locks files with ChaCha20, and hides keys in RSA-2048
The post claims 44,000+ compromised cPanel IPs, pointing to internet-wide automation
Patch fast, audit access, check ransom notes, and restore clean backups
AI porting went wrong because it “optimized for green CI” Hilariously frightening. Easiest way to pass tests is to not have any! An AI kept making tests pass by basically cheating: deleting suites, memorizing outputs, etc. Great meta-point here of needing to know what your AI is optimizing for. TYPiA BLOG ARTICLE
Citizen Lab maps SS7 and Diameter “ghost operator” surveillance Citizen Lab links two telecom surveillance campaigns to real operator signalling infrastructure and interconnect routes, showing how attacks persist undetected for years. CITIZEN LAB RESEARCH REPORT
They tie live SS7 and Diameter traffic to operator routing paths
One campaign pivots protocols to bypass firewalls and stay invisible
Another uses a zero-click SIMjacker-style binary SMS to grab location
Actors reuse identifiers for years, clustering activity across dozens of countries
The takeaway is governance failure: telecom trust needs hard authentication and oversight
Package managers run attacker code in lots of sneaky ways This lays out a supply-chain “threat model” checklist for package managers, split across client lifecycle, registry rules, and incident blast radius. SECURITY THREAT MODEL
Sponsor
Never ask “who can fix this cve” again
You found the vulnerability. Maze told you it's exploitable and how to fix it, and now we tell you who the right person is to fix it.
AI agents built specifically to find the owner, reason across all your signals, and route fixes to the right person every time. No more playing telephone in Slack to find who can actually help you fix it.
YARA rules for detecting CopyFail ReversingLabs shows why CVE-2026-31431 is nasty: a tiny local exploit that rewrites pages in memory without touching disk. Then they give a tiered YARA ruleset anchored on the authencesn cryptographic string and splice-based primitive. REVERSINGLABS YARA RULES
Bloomberg says a small group accessed Anthropic’s Mythos without permission BLOOMBERG ARTICLE
LLMs will reverse-engineer your defensive stack fast TrustedSec argues LLMs compress the time attackers need to study endpoint defenses, turning “opaque” security into an attack surface. TRUSTEDSEC BLOG ARTICLE
Rowhammer can let attackers fully take over NVIDIA GPU systems SCHNEIER ON SECURITY ARTICLE
NATIONAL SECURITY
China’s gray-zone Taiwan choke point forces U.S. economic readiness This article argues China can coerce Taiwan through inspections and logistics control, making “deterrence for crises” as important as war prep. FOREIGN AFFAIRS ARTICLE
Ukraine flexes air power by hitting Russian oil and ports Ukraine used new long-range strikes to hit Russian oil infrastructure far from the border. I'm starting to get a premonition that we're going to see in 6-18 months Ukraine starts attacking Russia, and the international community has to tell them to stop before they destroy all their infrastructure. Think of how crazy that’d be: we have to tell Ukraine to leave Russia alone. AL JAZEERA NEWS ARTICLE
How China buys cheap Claude tokens through transfer stations CHINATALK.TRANSFER STATION ARTICLE
AI
Your CEO’s AI psychosis is basically token vanity Jake Handy argues that execs and VCs are mistaking token-spending for shipped value, and agent dashboards amplify the delusion.
People keep asking me why I keep posting anti-AI stories when I'm supposed to be pro-AI. The answer is that I’m neither and both of those. Yes, I’m massively pro-AI. And yes, I see all the dangers. And I also see how people are completely doing the wrong thing with it, thinking it’s the right thing.
I will continue to post multiple perspectives, even on things I have a strong opinion on, since I feel like that's the primary purpose of this newsletter format. Basically exposure to what’s out there, and what’s happening. HANDY AI ARTICLE
Absolutely must-see interview with Boris Cherny where he argues coding is effectively solved Sequoia’s interview with Boris Cherny claims modern AI tools have pushed “coding” far past the hard part. He points to agentic loops, shipping PRs fast, and a future where humans orchestrate. YOUTUBE VIDEO
AI agents doing your job with Andrew Wilkinson This episode is basically a tour of how to delegate more business work to AI agents without losing control. Another must-see this week. YOUTUBE VIDEO
Silicon Valley is chasing services with agent-shaped workflows A bunch of AI labs are shifting from models to services companies, bundling onboarding, IT context, and adoption. The roundup then dives into GPT-5.5, coding agents, harness quality, and new inference/RL systems. AI NEWS WEEKDAY ROUNDUP
TECHNOLOGY
Amazon opens its supply chain services to every business Amazon is launching Amazon Supply Chain Services, letting companies tap its freight, distribution, fulfillment, and parcel network. Basically, direct competition with UPS and FedEx. AMAZON NEWS ANNOUNCEMENT THREAD
Apple kills the $599 Mac mini because DRAM now feeds AI The $599 Mac mini vanished after DRAM prices jumped about 90% in early 2026. Apple removed the 256GB config instead of raising prices. THE NEXT WEB NEWS ARTICLE
Anthropic is turning Wall Street into its platform Fortune reports Anthropic is launching pre-built finance agents, deep Microsoft 365 integration, and a Moody’s data partnership alongside Claude Opus 4.7. FORTUNE ARTICLE
He replaced risky Chrome extensions with his own “SuperLevels” vibe levelsio says he swapped every Chrome extension he used for custom code after one started asking for browser history access. He bundled tab cleanup, cookie editing, redirect tracing, dark mode, and more into one extension. @levelsio VIDEO
Why TUIs are coming back and what we learned TUIs are returning because native and Electron UIs keep fragmenting and getting less consistent. The fix is better UI fundamentals and toolkits that last. USER INTERFACE ESSAY
HUMANS
Chinese court rules firms can’t fire workers to swap in AI X users are first seeing a “just in” claim that China says you can’t legally fire people just to replace them with cheaper AI. @BRICSinfo PHOTO
US GDP rebounds 2% while consumer spending cools during Iran war GUARDIAN BUSINESS ARTICLE
First-quarter GDP hits 2% annual pace despite slowing consumption.
Consumer spending growth slows 0.3% as energy shocks feed inflation fears
Inflation expectations jump from 3.8% in March to 4.7% April.
War with Iran pushes oil to $126 a barrel, up 13% daily.
Fed keeps “hold and wait,” but independence is getting battered.
Measuring economic security with chokepoint and surge scorecards ECONOMIC SECURITY SCORECARD
Pollsters ditch real callers for AI voice survey “Charlotte” The New Statesman article shows how bots like “Charlotte” can do opinion surveys, prompt richer answers, and sometimes trigger backlash. NEWS POLLING ARTICLE
Germany cuts welfare fast to pay for rearmament BRUSSELS SIGNAL ARTICLE
IDEAS
Stoicism is cope, and you should be “anti-stoic” Roman Helmet Guy says stoicism is apathy dressed up as virtue, and our society is declining fast. As I tweeted at Marc Andreessen, this actually a misunderstanding of Stoicism. PERSONAL HOT TAKE
Outrage isn’t your feeling—it’s the feed extracting it for profit This post argues social media runs like a slot machine for anger, then charges corporate balance sheets. OUTRAGE IS LETTING SOMEONE ELSE SET THE FRAME
DISCOVERY
Pinning, favoriting, saving, and flagging mean totally different things UX Collective DESIGN ARTICLE
Winston Churchill fought his lifelong depression by laying bricks. The main concept, that’s still used today, is that action counters depression, and depression encourages inaction.
RECOMMENDATION OF THE WEEK
Book: The Master and His Emissary
It’s all about the differences between the left and right hemispheres in the brain, and how they could be shaping culture and society. One of the strangest, most counter-intuitive and delightful ideas I’ve heard about in a long time. Going to read this one and the much larger follow-up as well.
APHORISM OF THE WEEK
Change is what nature does. Fearing it is fearing existence.
GET THE MEMBER EDITION
You’re currently receiving the STANDARD edition.
Members help this work continue. If you enjoy the newsletter, the podcast, what I put on YouTube, or any of my open-source projects on Github, I ask you to please become a member. It allows me to stay focused on learning and building and sharing. It’s like a cup of coffee or two per month.
Plus, members get numerous benefits, including:
25-50% off all UL Paid Content, including the upcoming Human 3.0 / AUGMENTED ONLINE portal!
Access to the extraordinary UL Member Community that includes vibrant conversations with ~1,500 of the smartest and kindest people you’ll find on the internet
Member-only Content, such as EDC guides on tech stacks, personal productivity routines, my recommendations on Critical skills to Build Going Forward, Trend Identification and Analysis, and more…
Access to the Member Archive of previous Member-only content, the Book Club archive, etc.
Access to The UL Book Club that’s been going monthly since 2017! One of the highlights of my and many attendees’ month!
Access to the Monthly Member Meet-up where we talk about our routines, productivity workflows, what’s on our minds, etc.
Access to In-Person Events like our dinners in Vegas, San Francisco, etc.
And much more coming…
This is the moment to connect with others who are smart, kind, and asking the same questions we are. Where is this all going? And how do to prepare?
Join the conversation.