I keep re-reading the latest Glasswing document at the end of each day, in light of everything being measured by the hours, and the revelations still sit in Anthropic’s own numbers.

Glasswing is NOT confidently reporting tens of thousands of real bugs, as everyone has expected. Instead, like any tool, they are reporting tens of thousands of findings, of which a confident count of real bugs is much smaller. Their update says so plainly if you lay out which number is which.

• 23,019 total found. That’s the eyeball-seeking number, the model’s own ungraded output. Call it dirty.
• 6,202 were estimated high or critical. Still dirty. It’s the model’s estimate. Mythos grading Mythos, the way Anthropic likes it.
• 1,752 actually checked by a human or a security firm. That’s 28% of the high-crit pile and about 8% of the total. A little water, a little soap.
• Of those checked, 90.6% true positive. That rate exists only because humans checked. It is a statement about the 1,752, not the 23,019.
• 530 disclosed. 75 patched.

That last bullet is the one that gets me every time. 75 patched. What?

Anthropic gives us three excuses:

1. Early in the 90-day disclosure window.
2. Some patches land without public advisories so they undercount.
3. Mythos is flooding an already-overloaded ecosystem.

Fine. Every one of those explains why a patch lands late.

None explains why the patch isn’t generated and attached to the disclosure in the first place. And here is the part that really doesn’t fit: these models find bugs by knowing what the fix looks like. They train on the public corpus of code and its patches, so a vulnerability, to the model, is the gap between your code and the patched form it already carries. The fix is not a downstream step the model can’t reach. The fix is what located the bug in the first place. Finding without proposing the patch seems scandalous.

That is why 75 is damning when the 530-disclosed is not. They apparently are withholding fixes used to derive findings. It sounds weird until you see the proof they can ship the fix is in the same document: the public model, Opus 4.7, patched over 2,100 vulnerabilities for enterprise customers in three weeks. They boast that patch generation exists, runs in production, and was pointed at paying customers while the commons got reports generating a predictable request to slow down. 75 isn’t a capability limit. It looks like pressure to pay for protection.

The math is thus tens of thousands floated, around 1,750 a human actually touched, 1,587 confirmed real, 1,094 of them high or critical, and only 75 fixes teased. Mythos pumped tens of thousands, a much smaller number was verified, and the press conflated the two because the document (once again) seems to push low fidelity low integrity readings.

The confidence of 1,750 is literally a number that means human-touched. Everything prior is the model’s own say-so, some of it confident confabulation pointing at the wrong line, etc. and can’t be trusted without humans in the loop. The 90.6% exists because expensive humans stepped in: six firms, a triage pipeline, Anthropic staff. Strip them out and then what? The model’s raw output is overconfident confabulations, like pointing at the wrong line until someone checks. Verification cost is one thing. The patch number is worse because it is the half that the model can automate, and they proved it 2,100 times on code from those who pay. The findings are being directed to Anthropic, while the fixes land on a maintainer’s weekend, or dinner with the family.

75 out of 23,019 is what we should be all talking about.

A for-profit vendor built a proprietary national biometric database by extracting iris scans from public county jail booking rooms, one intake at a time, then turned around and sold federal access to the biometrics of prisoners.

Plymouth County Correctional Facility is operated by the Sheriff’s Department, and Bi2 Technologies (Biometric Intelligence and Identification Technologies) developed technology with sheriffs for use in jails and prisons. One co-founder, Peter Flynn, is a retired sheriff. Sheriffs were paid with taxpayer money to run the jails, book inmates, but also scan irises into his private database. More than five million records have been drawn from 247 agencies, with every figure now paywalled for profit.

ICE has paid for access twice. First in September for $4.6 million and 200 devices. Now for $25.1 million and 1,570, awarded May 22 without competition because the agency has declared Bi2 the only firm capable of the work.

The justification for all this rushed work is a false “border emergency”. The new ICE contract even sends the system into the field before FedRAMP. The records will reach ERO agents by late June. Since FedRAMP exists to assess whether a vendor can secure the data properly, Bi2 will be running without answers to baseline questions before the data is exposed. Live biometrics of more than a million people will move through field devices without safety baselines established, during a war with Iran.

So the news is that public jails with public money built a biometrics database that a private company fenced, which is being sold to the public for more public money to run unsafely based on an emergency that doesn’t seem to exist.

Microsoft wants to call its EU commitment a “contractually binding court-fight clause.” Apparently that means Brad Smith pledges to the EU customers he will sue the US government rather than suspend EU operations.

From where I’m sitting, that pledge sure looks hollow, and Microsoft’s own documents are the proof.

First, there’s an unnatural split. The US reaches across the ocean for EU-hosted data in two ways. A CLOUD Act warrant compels Microsoft to transfer the data, or a sanctions order compels Microsoft to cut the customer off. I’m not a lawyer but these different laws mean different commands. Smith’s pledge says nothing about the first, which makes me wonder wny he’s only talking about the second.

Next, looking at the first, the promise seems to be only for the wrong door. Microsoft’s own transparency report shows 115 warrants in six months for content stored outside the US. Those are production orders being executed. The data gets handed over. That door is in constant use, and Smith’s pledge skips it entirely. The scenario he does pledge to fight, a company-wide order to suspend EU operations, has hit a hyperscaler at that scale essentially never. His promise is this to guard an already shut door while ignoring the other one swinging on its hinges.

The two doors aren’t the same scale. A single customer can be cut off, which is what happened famously to Karim Khan. A continental shutdown of all EU operations is the thing Smith promises to litigate, and that has not occurred. I can see there’s different magnitudes, so maybe he pledges against something that’s never happened because it’s never happened.

Three, where’s the revocability control of Smith’s post? The usual fear with any EU-US data deal is that an executive order can’t be trusted, because any president can revoke it. Smith’s pledge on a blog post seems many levels below that. “Contractually binding” can be deleted on a patch Tuesday.

None of this should surprise anyone. Microsoft did its thing already. When EO 14203 designated Karim Khan, the ICC chief prosecutor, his Microsoft email stopped working. Microsoft says it wasn’t them. That denial goes to who acted, not to whether the service was permitted. The order text says it bars US persons from providing services to a blocked person, email included, which makes Microsoft’s denial beside the point. And the ICC moved to openDesk either way. The actual point is that after a US designation landed, an EU Microsoft customer was no longer a customer.

Then a year later a pledge came, on a blog, addressing the warrant door, while the thing that actually failed for Khan got nothing. Hello, is this thing on? I am no lawyer, but the pledge is a contract, and the IEEPA order starts blocking “notwithstanding” any contract entered into before it. Microsoft offers the EU the exact thing that will suffer an override, on a thing that isn’t the other thing. So how does the pledge really help anyone?