Archive for April 10, 2026

Friday, April 10, 2026

Privacy & Security Settings Don’t Show Intent-Based Access

Howard Oakley (Hacker News):

Thus, access to a protected folder by user intent, such as through the Open and Save Panel, changes the sandboxing applied to the caller by removing its constraint to that specific protected folder. As the sandboxing isn’t controlled by or reflected in Privacy & Security settings, that allows TCC, in Files & Folders, to continue showing access restrictions that aren’t applied because the sandbox isn’t applied.

[…]

It’s possible for an app to have unrestricted access to one or more protected folders while its listing in Files & Folders shows it being blocked from access, or for it to have no entry at all in that list.

[…]

Most concerning is the apparent permanence of the access granted, requiring an arcane command in Terminal and a restart in order to reset the app’s privacy settings.

I was aware that access could be granted in this way, but I think I assumed that it only lasted until the app quit. Oakley says that it actually persists until you run tccutil reset All and restart. (I guess the specific TCC identifier is undocumented; clearly it’s not SystemPolicyDocumentsFolder.)

I generally have the opposite problem, with access not lasting as long as expected:

Previously:

Update (2026-04-16): Howard Oakley:

Obtaining a definitive list of locations that are subject to privacy protection in macOS Tahoe 26.4 hasn’t been easy, and I’ve previously relied on information given piecemeal in WWDC sessions. This article reports the results of formal testing using a new version of my test app Insent, and brings some surprises.

Update (2026-04-27): Howard Oakley:

Even using a known and simple app like Insent, behaviours aren’t always consistent, and are susceptible to order effects and maybe even cosmic rays! There are also subtle differences between protected locations that can make generalisation unreliable. However, after extensive checks with Insent the following table gives an overview of protected locations in macOS 26.4.

The three common local folders ~/Desktop, ~/Documents and ~/Downloads are most consistent, with controlled read access, GUI controls in Files & Folders, and can be overridden by intent using MACL xattrs. Network volumes also appear to protect write access.

External volumes that are mounted automatically during startup don’t appear to count as being removable, but any that are mounted later have similar protection for both read and write, and can be overridden by intent using MACLs.

iCloud Drive and third-party cloud storage using the FileProvider API are more difficult to investigate, as I’ve still been unable to find any GUI control. It also doesn’t appear to be overridden by intent using MACLs, although its directories can still have com.apple.macl xattrs attached to them.
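An added audit script, not Oakley’s Insent app and not code from the original post: it walks a folder and reports which entries carry the com.apple.macl extended attribute, the marker the update above describes as recording intent-based access that Files & Folders does not show. It assumes Python 3 with os.listxattr (available on Linux) and otherwise falls back to the macOS xattr command-line tool; the small sample tree it builds for a dry run is constructed, and the function names are my own.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Extended attribute macOS attaches when an app has been granted access to a
# file or folder by user intent (the name is from the post above).
MACL_XATTR = "com.apple.macl"


def list_xattr_names(path):
    """Return the extended-attribute names on `path` without following
    symlinks. Uses os.listxattr where CPython provides it (Linux); on macOS
    it shells out to the system `xattr` tool, which prints one name per line
    (assumption: /usr/bin/xattr is on PATH). Raises OSError when the
    attribute list cannot be read."""
    if hasattr(os, "listxattr"):
        return list(os.listxattr(path, follow_symlinks=False))
    try:
        proc = subprocess.run(["xattr", str(path)], capture_output=True,
                              text=True, check=True)
    except subprocess.CalledProcessError as exc:
        raise OSError(exc.stderr.strip()) from exc
    return proc.stdout.split()


def has_macl(path):
    """True if `path` carries com.apple.macl, False if it does not, None if
    the attribute list is unreadable (no access, unsupported filesystem, or
    the path does not exist)."""
    try:
        names = list_xattr_names(path)
    except OSError:
        return None
    return MACL_XATTR in names


def audit_macl(root):
    """Classify the root folder and everything below it by MACL state.

    Returns {"marked": [...], "unmarked": [...], "inaccessible": [...]}.
    Entries under "marked" are the ones some app can reach by intent even
    when the Privacy & Security pane shows no such grant."""
    root = Path(root)
    entries = [root]
    # os.walk does not follow symlinked directories, so each entry is
    # listed exactly once: as a child of the directory that contains it.
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(Path(dirpath) / name for name in dirnames + filenames)
    report = {"marked": [], "unmarked": [], "inaccessible": []}
    for entry in entries:
        state = has_macl(entry)
        if state is None:
            report["inaccessible"].append(str(entry))
        elif state:
            report["marked"].append(str(entry))
        else:
            report["unmarked"].append(str(entry))
    return report


def make_sample_tree():
    """Build a constructed scratch folder with one file so the audit can be
    exercised on any platform. Returns (folder, file) as strings."""
    folder = tempfile.mkdtemp(prefix="macl-audit-")
    sample = os.path.join(folder, "note.txt")
    with open(sample, "w", encoding="utf-8") as fh:
        fh.write("constructed sample file\n")
    return folder, sample


if __name__ == "__main__":
    # Dry run on the scratch folder; on a Mac, pass ~/Documents or another
    # protected location instead, e.g. audit_macl(os.path.expanduser("~/Documents")).
    folder, _ = make_sample_tree()
    report = audit_macl(folder)
    for state, paths in report.items():
        print(f"{state}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

On a Mac, point audit_macl at ~/Desktop, ~/Documents, ~/Downloads or a later-mounted external volume; everything it lists under "marked" has been opened or saved through a panel by some app and stays reachable by that app regardless of what Files & Folders displays. The script only detects the attribute; it does not decode which app the grant belongs to, and, as the post notes, clearing the grants takes tccutil reset All and a restart rather than editing the attribute.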

Notifications Privacy

Joseph Cox:

The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media.

Rosyna Keller:

Push Notifications can be sent encrypted (server controls the encryption) and decrypted locally with a UNNotificationServiceExtension running on the device. Signal and other E2EE apps do this.

But then the decrypted notification gets saved to the database.

Rosyna Keller:

So iOS should probably delete an app’s entries from the notifications database when said app is deleted…

More than that, you may not want certain notifications to even be posted. As I discussed back in 2015, the Notification Center settings only control what’s displayed; turning notifications off there does not prevent the notifications from being generated and stored in the database. These days, the database is protected by TCC, but the information is still written to disk. For more privacy, apps should have their own settings that prevent the information from being sent to the system in the first place.

Marcus Mendes (Hacker News):

Signal’s settings include an option that prevents the actual message content from being previewed in notifications. However, it appears the defendant did not have that setting enabled, which, in turn, seemingly allowed the system to store the content in the database.

Patrick Wardle:

AuRevoir (French for ‘goodbye’) is a simple utility to view and remove notifications from Apple’s Notification Database.

Previously:

Update (2026-04-27): Bruce Schneier:

Apple has patched this vulnerability.

Previously:

Mythos and Glasswing

Rich Mogull:

Anthropic, the company behind the Claude AI chatbot, made two security announcements that were shocking for many but seen as inevitable by those of us working in AI security. First, it announced Mythos Preview, a new, non-public AI model that turns out to be startlingly good at finding security flaws in software. The second was Project Glasswing, Anthropic’s program for getting that capability into the hands of the companies best positioned to fix those flaws before anyone else can exploit them. Apple is one of those companies.

As much as I’d like to downplay the announcements, Mythos and Project Glasswing are very big deals on their own, and harbingers for the future of digital security. Mythos was able to find and exploit new vulnerabilities in every major operating system, including a bug in OpenBSD, an operating system famous for its security, that had been sitting there unnoticed for 27 years.

[…]

We are at the start of a period in which finding software flaws that affect everyday users will become dramatically easier for both attackers and defenders. […] However, over the long run, I believe using AI to identify security vulnerabilities favors defenders, because developers can find and fix many more bugs before shipping software to the public.

Anthropic has a habit of making wild and scary public statements that seem designed to generate headlines and funding but sort of fall apart upon scrutiny. I initially dismissed this as more of the same, but people seem to be taking it seriously.

Paul Haddad:

Our model is so good, it’s not safe to release, yet. Has to be one of the greatest AI marketing stunts ever.

Ben Thompson:

There’s reason for cynicism, given Anthropic’s history, but the part of the “Boy Cries Wolf” myth everyone forgets is that the wolf did come in the end.

Daniel Jalkut:

If Anthropic has really developed an LLM that can suss out security weaknesses better than any other AI, the US government would be foolish to continue shunning them.

Or, rather, if the government believes the marketing, it may want to take control of the company and its technology, like how it restricted civilian nuclear research.

Ben Thompson:

In fact, Amodei already answered the question: if nuclear weapons were developed by a private company, and that private company sought to dictate terms to the U.S. military, the U.S. would absolutely be incentivized to destroy that company.

Previously:

Update (2026-04-13): Martin Alderson (Hacker News):

For nearly 20 years the deal has been simple: you click a link, arbitrary code runs on your device, and a stack of sandboxes keeps that code from doing anything nasty. Browser sandboxes for untrusted JavaScript, VM sandboxes for multi-tenant cloud, ad iframes so banner creatives can't take over your phone or laptop - the modern internet is built on the assumption that those sandboxes hold. Anthropic just shipped a research preview that generates working exploits for one of them 72.4% of the time, up from under 1% a few months ago. That deal might be breaking.

[…]

If an LLM can find exploits in sandboxes - which are some of the most well secured pieces of software on the planet - then suddenly every website you aimlessly browse through could contain malicious code which can 'escape' the sandbox and theoretically take control of your device - and all the data on your phone could be sent to someone nasty.

[…]

Equally, sandboxes (and virtualisation) are fundamental to allowing cloud computing to operate at scale.

Jon Martindale:

That’s the pitch in Anthropic’s blog and verbose 250-page report on the model — which includes over 20 pages of Anthropic staff waxing lyrically about their novel impressions of the new model and its “fondness for particular philosophers.”

Alongside the repeated suggestions from Anthropic and its staff that we should be concerned, nay, terrified, of what AI like Claude Mythos can do, they repeatedly suggest they’re unsure if this new AI is conscious.

For the record, it is not. It might be good at finding vulnerabilities in software, but many of them aren’t as potentially damaging as Anthropic wants us all to believe.

[…]

Under the subheading, “and several thousand more,” Anthropic also states that it can’t actually confirm that all of the thousands of bugs Mythos claims to have found are actually critical security vulnerabilities. It’s just extrapolated that number from having found in around 90% of the “198 manually reviewed vulnerability reports, [Anthropic’s] expert contractors agreed with Claude’s severity assessment exactly.”

Colin Cornaby:

When I read about Mythos one thing stood out to me: It didn’t matter if the model was aligned or safe. You couldn’t afford to run it anyway, and they can’t afford to serve it to you. And that’s a better explanation for why they’ve limited access to Mythos.

[…]

If Mythos is only affordable by the very largest companies – I think cybersecurity is a very shrewd focus by Anthropic. But for reasons that concern me.

[…]

I think this is Anthropic’s next big play. Scare everyone with some security theater. And sell big tech some tiger rocks. And everyone will be too terrified to ever stop paying for Mythos. Big tech might even be willing to pay billions for multiple models.

Ben Thompson:

In other words, Anthropic isn’t facing a marginal cost problem, but an opportunity cost problem: where to allocate its compute.

[…]

The key to handling those costs will be to charge more for Claude going forward; that, by extension, means maintaining pricing power, which leads to a second benefit of not releasing Mythos broadly. Anthropic certainly faces competition from OpenAI; for both frontier labs, however, the real competition in the long run are open source models.

Stefan Esser:

One thing I have not seen discussed about #Mythos. Will @apple really give Claude and therefore potentially the whole world access to their private source code?

Bruce Schneier:

This is very much a PR play by Anthropic—and it worked.

[…]

These models do demonstrate an increased sophistication in their cyberattack capabilities. They write effective exploits—taking the vulnerabilities they find and operationalizing them—without human involvement.

[…]

The security company Aisle was able to replicate the vulnerabilities that Anthropic found, using older, cheaper, public models. But there is a difference between finding a vulnerability and turning it into an attack. This points to a current advantage to the defender.

[…]

A couple of weeks ago, I wrote about security in what I called “the age of instant software,” where AIs are superhumanly good at finding, exploiting, and patching vulnerabilities. I stand by everything I wrote there. The urgency is now greater than ever.

Previously:

Update (2026-04-17): Bruce Schneier:

This is, in many respects, exactly the kind of responsible disclosure that security researchers have long urged. And yet the public has been given remarkably little with which to evaluate Anthropic’s decision. We have been shown a highlight reel of spectacular successes. However, we can’t tell if we have a blockbuster until they let us see the whole movie.

For example, we don’t know how many times Mythos mistakenly flagged code as vulnerable. Anthropic said security contractors agreed with the AI’s severity rating 198 times, with an 89 per cent severity agreement. That’s impressive, but incomplete. Independent researchers examining similar models have found that AI that detects nearly every real bug also hallucinates plausible-sounding vulnerabilities in patched, correct code.

This matters. A model that autonomously finds and exploits hundreds of vulnerabilities with inhuman precision is a game changer, but a model that generates thousands of false alarms and non-working attacks still needs skilled and knowledgeable humans.

Update (2026-04-27): John Gruber:

So on the one hand, Anthropic itself is the one describing Mythos as a dangerous national security threat. On the other hand, their own security is so sloppy that rando hooligans on Discord have had access to Mythos since the day it was announced, and regularly access other unreleased Claude models. This, just weeks after Anthropic screwed up and accidentally exposed the entire source code to Claude Code.

Update (2026-04-29): Bruce Schneier:

We see Mythos as a real but incremental step, one in a long line of incremental steps. But even incremental steps can be important when we look at the big picture.

[…]

So we must separate the patchable from the unpatchable, and the easy to verify from the hard to verify. This taxonomy also provides us guidance for how to protect such systems in an era of powerful AI vulnerability-finding tools.

[…]

This also raises the salience of best practices in software engineering. Automated, thorough, and continuous testing was always important. Now we can take this practice a step further and use defensive AI agents to test exploits against a real stack, over and over, until the false positives have been weeded out and the real vulnerabilities and fixes are confirmed. This kind of VulnOps is likely to become a standard part of the development process.

Update (2026-05-18): Julie Bort (Hacker News):

After Sam Altman trash-talked Anthropic for gatekeeping its cybersecurity tool Mythos by only releasing it to select users, he confirmed that OpenAI would be doing the same with its competing tool, Cyber.

Update (2026-05-25): Anthropic (Hacker News):

Since then, we and our approximately 50 partners have used Claude Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities across the most systemically important software in the world. Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it’s limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI.