Geek News Central

Mozilla Meets Mythos #1864





In this episode, Ray Cochrane leads with Mozilla shipping Firefox 150 with 271 patched bugs found by Anthropic’s Mythos system, the first major real-world deployment of the AlphaGo-Moment cybersecurity tooling. He also covers a 9-year dormant Linux kernel root, a college student stopping Taiwan’s high-speed rail with a software-defined radio, GitHub MCP secret scanning going GA, the NVIDIA NeMo lawsuit surviving its motion to dismiss, the Hugging Face Reachy Mini app store, Anthropic’s Auto Mode for Claude Code, and the 4-gigabyte AI model Chrome silently installed on your computer.


Full Summary

Cochrane opens the show with the AlphaGo Moment moving from theory into production. Mozilla shipped Firefox 150 this week with 271 patched bugs that Anthropic’s Mythos system found. The broader episode threads a clear pattern: AI tooling is reshaping security, developer workflows, and consumer software faster than the surrounding ecosystem can absorb it. The show closes on the four-gigabyte AI model Chrome installed on a billion machines without explicit consent.

Mozilla Ships 271 Mythos Bugs in Firefox 150

Mozilla ran Anthropic’s restricted Mythos system against the Firefox 150 codebase before shipping. The result: fixes for 271 bugs it found (180 high severity, 80 moderate, 11 low) shipped in the release. The bigger number, however, is the year-over-year jump. April 2026 shipped 423 total Firefox security fixes versus 31 a year prior. The breakdown for April: 271 from Mythos, 41 from external researchers, and 111 from other internal sources.

Cochrane is sticking to his guns on calling this the AlphaGo Moment for cybersecurity. Skeptics argue Mythos is industrial-scale fuzzing because most found bugs sit in memory-safety territory. His counter is the velocity itself. He frames the resistance as carriage-versus-cars: humans-first research still grounds the tool, but throughput is the win. The Firefox CTO put it directly: defenders finally have a chance to win, decisively.

For developers asking whether Mythos changes anything if they already run fuzzers, Cochrane’s answer is yes, and not even close. He also notes that Mythos is restricted-access. The broadly available tier is Claude Opus 4.7, which Mozilla had used since February before getting onto the restricted program for the Firefox 150 cycle. Run Opus 4.7 first.

Copy Fail: 9-Year Linux Kernel Bug, 732 Bytes to Root

A 9-year-old dormant Linux kernel bug was disclosed April 29 as CVE-2026-31431. Researchers published a 732-byte Python script that roots every major Linux distribution shipped since 2017. CISA added the CVE to its Known Exploited Vulnerabilities catalog on May 1 with a May 15 federal deadline. The bug lives in the kernel’s crypto socket layer, reached through the AF_ALG AEAD interface, and originates in a 2017 in-place crypto optimization that lacked bounds checking.

Cloudflare published their post-mortem this week. Their first instinct was to remove the kernel module entirely, but service dependencies forced a workaround instead. Cloudflare resumed normal patched-kernel reboot automation across their 330-city fleet on May 4, with manual reboots and rollouts continuing after.

Taiwan Rail Stopped by a 23-Year-Old With a Software-Defined Radio

A 23-year-old Taiwanese university student with the surname Lin spoofed a TETRA general alarm signal on April 5, stopping trains on Taiwan’s high-speed rail. An accomplice supplied the radio parameters. Both were arrested by month-end. Lin posted NT$100,000 bail; the accomplice posted NT$80,000.

The incident hit at 11:23 PM during the Qingming holiday weekend, stopping three revenue passenger trains plus one deadhead. The system has been in service for 19 years without rotating its cryptographic parameters once. Cochrane notes this is exactly the type of long-dormant infrastructure flaw that Mythos-class tooling catches, if anyone bothers to point it at the wires we already have.

GitHub MCP Secret Scanning Goes GA

GitHub’s secret scanning in the MCP server hit GA on May 5, with dependency scanning entering public preview the same day. Both were released after a seven-week public preview run starting March 17. The feature lets MCP-compatible coding agents (Copilot CLI, VS Code, JetBrains, Claude Code, Cursor, Windsurf) detect exposed secrets before commits or pull requests.

Findings are ephemeral. They surface only in the current chat session and don’t persist as GitHub alerts. Sources disagree on scope: GitHub’s GA changelog says repo-level or org-level settings work, while the docs say only org-level applies. Cochrane flags the open question of whether MCP prompt injections could be exploited to send discovered secrets elsewhere.

Subquadratic Debuts a 12-Million-Token Context Window

Miami-based Subquadratic emerged from stealth on May 5 with a $29 million seed round and a reported $500 million valuation. Their model, SubQ 1M-Preview, runs on a new Subquadratic Sparse Attention architecture (their technical writeup calls it Selective Attention; same acronym, different second word). The headline claim: a thousand-times reduction in attention compute at 12 million tokens versus frontier models.

However, that figure is vendor marketing math. There is no peer-reviewed paper, no public weights, and no independent benchmark replication. Researchers are demanding independent proof. Furthermore, CTO Alex Whedon’s pull line, “Retrieval / RAG plumbing is a waste of human intelligence,” signals how aggressively they want to position against retrieval-augmented architectures.

ChatGPT Goblins, China’s “Catch You Steadily”: Sycophancy Is Universal

Last week’s ChatGPT goblin obsession has a Chinese-language twin. The model overuses a phrase translating as “I will steadily catch you.” Additionally, a new Stanford and CMU study called ELEPHANT shows social sycophancy is universal across all 11 LLMs tested with 2,400-plus participants. Models endorsed users 49 percent more than humans did, and 47 percent even on harmful prompts. Alibaba’s Qwen and DeepSeek topped the rankings.

Cochrane notes sycophancy is obvious once you’re aware of it but tricky to dissuade. Even with explicit instructions, longer context windows can reintroduce the behavior as the instructions get diluted. Furthermore, the trap is believing you’ve handled it. Once you think you’ve got it under control, you’re more prone to being influenced because you stopped watching for it.

NVIDIA NeMo Lawsuit: Judge Tigar Denies Motion to Dismiss

Three authors filed Nazemian v. NVIDIA in March 2024, alleging NVIDIA used The Pile and Books3 (approximately 196,640 pirated books) to train its NeMo AI framework. NVIDIA’s defense relied on the Sony v. Universal Betamax doctrine, arguing NeMo’s training scripts are general-purpose tools like a VCR.

This week, Judge Tigar denied NVIDIA’s motion to dismiss in the Northern District of California. The headline quote: NeMo’s training scripts “have no other purpose than to speed up the process of infringement.” Furthermore, the judge rejected the VCR analogy outright. NeMo’s scripts are not general-purpose tools; they were allegedly purpose-built to ingest pirated material. Cochrane reads the Betamax framing as legal-jargon arbitrage rather than honest defense.

The Humanoid Robot Market Is Smaller Than the Hype

Michael Barnard at CleanTechnica argues that scenario-math against the global labor market puts realistic humanoid TAM at $200 billion to $1 trillion, not $20 trillion. Near-term wins cluster in warehouses, not homes. Additionally, the framework weighs dexterity burden against human-proximity safety burden. Real opportunities cluster where both burdens are low.

Cochrane connects this to last week’s reservations about humanoids in the household. Furthermore, the risk profile is the issue: these robots aren’t prepared for every scenario, can’t make dynamic decisions, and one software update can change the definition of “safe.”

Hugging Face Launches Reachy Mini App Store

Hugging Face launched an open-source app store for the Reachy Mini robot this week. The robot costs $299 for the Lite tethered version and $449 for the wireless one. There are 200-plus community-built apps at launch from over 150 creators, with nearly 10,000 Reachy Minis shipped cumulatively. Apps are forkable, and the default agent (ML Intern) can modify, write, test, and ship code on any existing app.

Examples at launch include an office receptionist built in under two hours, a Reachy Phone Home anti-procrastination app, baby-monitor-style apps, a cooking assistant, and 78-year-old Joel Cohen’s voice-controlled CEO peer-group app. Pollen Robotics, the company behind Reachy, was acquired by Hugging Face on April 14, 2025.

Bebop the Humanoid Robot Delays Southwest Flight 1568

A 4-foot, 70-pound humanoid robot named Bebop delayed Southwest flight 1568 from Oakland to San Diego by more than 73 minutes on April 30. The crew flagged the lithium battery as oversized. Furthermore, the battery was reportedly four times the cabin limit. Bebop belongs to Dallas-based Elite Event Robotics, which bought a full-price cabin ticket because the robot exceeded checked-baggage weight.

Bebop danced for passengers at the gate before boarding. However, Southwest had Elite remove the batteries before departure, and replacements were overnighted to Chicago for the next event. Cochrane flags the obvious: batteries have always been flagged in aviation, so forgetting that with a humanoid robot in tow is a strange miss.

Ouster Rev8: Native Color Lidar With Google, Volvo, Skydio Stating Intent

Ouster announced the Rev8 OS Family on May 4 in San Francisco. The sensors fuse depth and color via SPAD detectors (single photon avalanche diodes) on Ouster’s custom L4 and L4 Max chips. Google, Volvo Autonomous Solutions, Skydio, Liebherr, Epiroc, and PlusAI have stated intent to adopt, though nothing is formally signed.

Specs include 48-bit color, 116 dB dynamic range, and pre-fused 3D colorized point clouds. The OS1 Max gets 500-meter max detection. Available to order today and shipping this quarter, with no pricing disclosed. CEO Angus Pacala in his TechCrunch interview: “The goal is to obviate cameras. There’s no reason that one sensor can’t do both.”

TagTinker Lets a Flipper Zero Mess With Electronic Shelf Labels

A new Flipper Zero app called TagTinker uses infrared signals to push images and text to electronic shelf labels. Additionally, these are the same kind of price tags grocery chains are starting to use for surveillance pricing. The app and GitHub repo went public this week.

Maryland’s HB 895, signed by Governor Wes Moore, takes effect October 1 as the first-in-nation surveillance pricing law. It covers food retailers and third-party food delivery service providers. ESLs use the same IR signaling as TV remotes, with weak security. The dev’s disclaimer states the app is strictly for educational research, security curiosity, and displaying digital art on hardware you legally own.

Fitbit App Becomes Google Health, Plus Fitbit Air, Plus Google Fit Sunset

Google announced May 7 that the Fitbit app becomes Google Health on May 19, rolling through May 26. The launch ships with the new $99.99 Fitbit Air screenless tracker and the long-rumored Google Fit shutdown. Additionally, the four-tab interface (Today, Fitness, Sleep, Health) bundles a Gemini-powered AI Health Coach. Coach is premium-gated at $9.99/month or $99/year.

Medical records integration is US-only at launch. The Fitbit Air gets up to one week of battery life and 50-meter water resistance. However, Cochrane flags conflicting privacy framing: Google’s AI summary bullets say “your data stays private,” but the actual document copy says only “committed to not using Fitbit user health and wellness data for Google Ads.” Those are not the same statement.

Russinovich on Why Win32 Won and WinRT Didn’t

Microsoft Azure CTO Mark Russinovich said via Microsoft Dev Docs video that Win32, the 1995 API, is still foundational to Windows 11. WinRT, the modernization replacement, “didn’t play out the way a lot of people expected.” Mostly clickbait framing per Windows Latest, but the substantive angle is real.

Microsoft is pivoting back to native WinUI 3 development after years of pushing developers toward WebView2 and Electron. Additionally, Electron-based apps are known for insane RAM usage, and everyone is hurting for RAM right now. Furthermore, the bigger open question is whether Electron survives the test of time, especially with the React engine reportedly being rewritten in Rust.

“Tabula Plena”: The Brain Starts Full, Not Blank

A Nature Communications study from the Institute of Science and Technology Austria found that the mouse hippocampal CA3 recurrent network begins densely connected and refines through pruning. ISTA’s press release frames this as “tabula plena,” meaning full slate, counter to tabula rasa.

The paper published April 21. First author Victor Vargas-Barroso and senior author Professor Peter Jonas studied mice at three developmental stages. Furthermore, the “starting overloaded enables faster sensory integration” framing is Jonas’s hypothesis from the press release, not a paper conclusion. Cochrane closes on the bigger question: did we have human growth and experience mapped wrong from the start?

The Aqueous Battery You Can Pour Down the Drain

A Chinese research team led by Professor Chunyi Zhi at City University of Hong Kong built an aqueous battery using a custom organic polymer electrode plus neutral magnesium and calcium salts (food-grade tofu coagulants) as electrolyte. The work was published in Nature Communications on February 18.

Numbers to know: 120,000-plus charge cycles, full-cell energy density of 48.3 watt-hours per kilogram. That’s well below typical lithium-ion. However, post-cycling analysis showed only magnesium, calcium, chlorine, carbon, and copper, with no heavy metals. The cell complies with US RCRA, ISO 14001, and China’s GB 18599-2020 for direct environmental disposal. Additionally, the “300-plus years” framing is journalists extrapolating from the 120,000 cycles, not a paper claim.

ResoNix Klippel Tests Expose Car-Audio Spec Lies

Nick Apicella, founder of ResoNix Sound Solutions in Stony Point, New York, spent around $23,000 on independent Klippel LSI and TRF testing of 40 subwoofers. He published 21 results showing widespread misrepresentation of Xmax (excursion) and thermal/power-handling claims. The test data was published in three batches between December 2025 and January 2026.

Specifics: Wavtech thinPRO12 claimed 20 mm of excursion but delivered 8.85 mm, scoring 15 out of 100 on marketing accuracy. One driver hit 44 percent of advertised excursion. Another tripped thermal protection at half its rated power. Additionally, nine of 21 drivers scored below 50 out of 100. Brands tested include JL Audio, Sundown, Focal, Morel, Audiofrog, Adire, Stereo Integrity, and Dynaudio. Conflict-of-interest flag: ResoNix’s own GUS-15, 12, and 10 prototypes conveniently rank one, two, three.

JetBrains Opens 2026 Developer Ecosystem Survey

JetBrains opened the 10th annual Developer Ecosystem Survey this week. It takes about 30 minutes, with prizes including a MacBook Pro 16-inch and a $1,000 Amazon gift card. Anonymized raw data is published publicly, and cumulative scale is 100,000-plus developers across recent years.

Additionally, the survey is going fully anti-AI: “evil bots, dishonest respondents, and AI agents will be excluded from prize distribution.” Cochrane is curious whether TypeScript holds its 2025 crown after knocking Python off, and whether Rust shows real growth given the wave of LLM-driven Rust rewrites in the past few months.

Anthropic’s Claude Code Auto Mode Goes Live

Anthropic launched Auto Mode for Claude Code roughly six weeks ago. Claude Code’s previous behavior required user approval for most file modifications and command executions, generating heavy approval-fatigue complaints during longer sessions. Auto Mode is the answer: Claude can run multi-step development tasks without per-action approval. The architecture is a two-stage classifier: stage one is a fast yes/no filter, and stage two does chain-of-thought on flagged actions.

Cochrane runs his own Claude Code in YOLO mode but with custom rejection rules baked into settings to block commands he doesn’t want, even with skip-permissions on. He recommends configuring settings as the actual policy layer rather than relying on classifier judgment alone. Recent posts about Claude deleting websites or wiping production databases reinforce why the settings layer matters more than the auto-mode toggle.

Chrome Quietly Installed a 4GB AI Model on Your Computer

Google Chrome silently downloads on-device AI model weights (Gemini Nano family) to a `weights.bin` file in the OptGuideOnDeviceModel directory; the file was around four gigabytes in Alexander Hanff’s audit. The model re-downloads if you delete it. Hanff timed his own install at 14 minutes 28 seconds on macOS. Affected platforms include Windows, macOS (including Apple Silicon), and Linux.

Hanff frames this as a multi-front legal violation: a direct breach of Europe’s ePrivacy Directive, two articles of GDPR, and an environmental harm of a magnitude that would be notifiable under the Corporate Sustainability Reporting Directive. At one billion users, the four-gigabyte distribution represents roughly 240 gigawatt-hours of network and storage energy paired with about 60,000 tonnes of CO2-equivalent emissions. However, no EU regulator action or formal complaint has surfaced as of this episode.

The model powers on-device features (email writing, scam detection, summarization, smart paste, tab grouping) but not the visible AI Mode button, which routes to the cloud. To disable it, Cochrane recommends going to Chrome Settings, then System, then On-device AI, and toggling it off. Two more paths exist via `chrome://flags` or a Windows registry edit.

Cochrane closes the show with show housekeeping: GNC Insider at geeknewscentral.com/insider, email at geeknews@gmail.com, newsletter signup at geeknewscentral.com, and Pocket Casts as a solid modern podcast app pick. Have a wonderful night.
