Cal.com closes source and Discourse pushes back. Google handed ICE account data with no notice. Anthropic ships Opus 4.7 and Claude Design. Qwen makes open-weight coding cheap again. AISLE complicates the Mythos story. OpenAI broadens Codex. Aphyr writes the long AI-trust essay.
Issue 16
17 April 2026
Hi there,
"AI got stronger again" is the easy read on the week. True, but it skips the more useful part: what happened around the models. One company closed its source. Another explained why that’s the wrong bet. Security researchers kept finding that the model is one piece of a larger system.
The shift is at the boundary. Who can inspect the code, who verifies the output, who gets told before data leaves the building.
Industry
1. Cal.com closes source, Discourse answers
Cal.com is going closed source, framed as a response to AI-assisted vulnerability discovery. Cal.diy stays MIT; the production codebase moves behind a wall. Discourse then published the counter: if AI makes vulnerability discovery cheaper, hiding source mostly reduces the number of defenders who can read it.
I’m team Discourse.
2. EFF says Google handed ICE account data without notice
EFF published Amandla Thomas-Johnson’s account of Google disclosing his account data to ICE after an administrative subpoena, with no chance to challenge it. EFF says Google’s usual notice exceptions didn’t apply, and filed complaints with the California and New York AGs. A notification policy that gets bypassed at the moment it matters is mostly vibes.
Artificial Intelligence
3. Anthropic ships Opus 4.7 and Claude Design
Anthropic released Claude Opus 4.7 with stronger claims on software engineering, long-running tasks, higher-resolution vision, and a new xhigh effort level. A day later: Claude Design, a research-preview product for prototypes, slides, one-pagers, visual assets, and handoff bundles into Claude Code. Design, code and presentation artefacts on one agentic rail. Marcus and I have been pushing the Hanso team to consolidate pitch-deck tooling onto something that ingests Claude Code context cleanly – this is why.
4. Qwen makes open-weight coding cheaper again
Alibaba’s Qwen team open-sourced Qwen3.6-35B-A3B – a sparse MoE with 35B total parameters, around 3B active per token. Pitched at agentic coding and multimodal reasoning. Available via Qwen Studio, the API, Hugging Face and ModelScope. Treat the benchmarks as vendor-reported. The architecture is the part to watch: good-enough coding models keep sliding down the cost curve, which moves local inference into the normal dev stack.
5. Small models complicate the Mythos story
AISLE published a careful read after Anthropic’s Mythos announcement: cybersecurity capability is jagged, not smoothly proportional to model size. In their tests, small cheap open models recovered much of the analysis around several showcase vulnerabilities once the code path was isolated. That doesn’t mean a tiny model autonomously finds and weaponises bugs end-to-end. It does mean the moat sits in orchestration, target selection, validation and maintainer trust – not one huge model. Read this before buying the magic-box version of AI AppSec.
6. OpenAI turns Codex into a broader work agent
OpenAI announced a major Codex update that pushes it beyond coding into computer use, tool integrations, memory, image generation, repeatable work, SSH devboxes, PR review, multiple files and terminals, and an in-app browser. Codex is becoming a development operating surface, not just a code generator. The harder enterprise question sits one layer below: which permissions, memories, browsers and connected apps belong inside one agent session, and who governs that session when it touches production data.
7. Aphyr writes the long version of the AI-trust problem
Kyle Kingsbury published the closing essay in The Future of Everything is Lies, I Guess, asking what happens to the shape of systems when synthetic text, code, images, support, work and evidence become cheap. No product announcement attached. The post refuses the "is the tool convenient?" framing and looks downstream: search results, customer service, generated PRs, moderation queues, human skill, trust. Some weeks need one big annoyed essay. This was one.
Side note: I do have some of the lights mentioned in the article, and yes, I asked an LLM to write a Home Assistant integration for them. :-)
Infrastructure
The internet is still a pile of routing, policy, CDN, registry and addressing assumptions. Touch one in the wrong place and somebody’s CI runner starts speaking Spanish copyright law.
8. IPv6 crosses the halfway line
Google’s public IPv6 stats show IPv6 traffic crossing 50% of user traffic. A boring milestone in the best possible way: no launch event, just the slow replacement of an addressing system that ran out of room a long time ago. "Global" hides huge country and network variance, so IPv4 pain isn’t over. IPv6 has just stopped being the future tense.
Sadly, I’m writing this from an IPv4-only connection.
9. La Liga’s Cloudflare blocks break Docker pulls in Spain
A Spanish developer’s HN post described docker pull failures caused by La Liga IP blocking against Cloudflare – the failed request hit a Cloudflare R2 host used for image delivery. The thread is worth reading: the symptom was a generic TLS error in a GitLab runner and a local machine that suddenly couldn’t pull images. Nothing that looked like copyright enforcement. The pirate stream is the target; the blast radius is CI, smart-home devices, and whatever else shares the blocked infrastructure.
10. Azure Blob Storage smart tier goes GA
Microsoft made smart tier generally available for Azure Blob Storage and Azure Data Lake Storage. It evaluates access patterns and moves objects between hot, cool and cold tiers – no lifecycle rules, no retrieval fees, no early-deletion fees, no manual retuning. There’s a monitoring fee, and it doesn’t apply to every storage account shape. For the large, messy object estates we manage for several mid-size German manufacturing clients, this removes a surprising amount of operational theatre.
11. GitHub starts previewing native stacked PRs
GitHub published gh-stack, a CLI extension for stacked branches and PRs. Still private preview – the CLI won’t work unless the repo has the feature enabled. The shape: chain small PRs, keep base branches correct, rebase the stack, push it, submit the chain from the terminal. Stacked diffs have been normal in some engineering cultures for years. If GitHub makes them native enough, a lot of large-change review pain stops being performative.
12. April Patch Tuesday is unusually heavy
CrowdStrike’s April analysis says Microsoft addressed 164 vulnerabilities, including one exploited zero-day, one previously disclosed zero-day, and eight criticals. Exploited: CVE-2026-32201 in SharePoint Server. Disclosed: CVE-2026-33825 in Microsoft Defender. Counts vary across secondary write-ups depending on how CVEs are grouped. Not a sleepy patch cycle. SharePoint exposed to the internet deserves calendar time before the next maintenance window.
Development
13. Servo arrives on crates.io
The Servo team released v0.1.0 of the servo crate – its first crates.io release for using Servo as a library. Not a 1.0; the project is still discussing what 1.0 should mean. There’s now an LTS track for embedders who don’t want monthly breaking changes. The web needs more embeddable engines, and not all of them should be Chromium-flavoured.
Information Security
14. A WordPress plugin portfolio becomes a supply-chain attack
Austin Ginder documented how someone bought a portfolio of 30-plus WordPress plugins and planted backdoors across them. The code sat dormant for months, then fetched payloads, injected spam into wp-config.php, cloaked content from site owners, and used an Ethereum smart contract for part of its C2 path. WordPress.org force-updated the plugins, but the forced update didn’t clean already-modified wp-config.php files. If WordPress is in the fleet, treat "plugin ownership changed" as a security event.
15. Lawfare makes the geolocation-data ban argument
Tom Uren used Citizen Lab’s Webloc reporting to argue it’s time to ban the sale of precise geolocation, not add another warrant-shaped wrapper around it. Webloc describes access to records from up to 500 million mobile devices – identifiers, coordinates, app-derived profile data – sold into law-enforcement and intelligence workflows. Virginia just enacted a state-level ban on selling precise geolocation, which makes the timing practical. The same data that locates a suspect locates a journalist, an executive, a soldier, a client, or you.
Coming up
23 April: Ubuntu 26.04 LTS lands. Read the release notes before treating it as the next boring base image.
1 May: GitHub Universe 2026 Call for Sessions closes at 11:59 p.m. Worth noting if an open-source or dev-tools story belongs on a bigger stage.
6 May: AWS Summit Singapore at Sands Expo, with livestream registration for the keynote and sessions.
11–14 May: Red Hat Summit in Atlanta. OpenShift, hybrid cloud, virtualisation pressure, enterprise AI.
19–20 May: Google I/O at Shoreline and online. Gemini and Android are the obvious watch points.
I hope you enjoyed this week’s issue. If you need me, just hit reply.
All best,
Julian
How this is made
Throughout the week I stumble across a mildly unreasonable number of interesting things, and I forward them instantly to the friend or colleague I think might care – sometimes to their delight, sometimes to their annoyance, and often with no context at all. Heartbeat is the attempt to do that a little better.
Every Friday a small agent I built, Honoka, looks through the places where those links tend to leak out: my private email, work email, Matrix, Mastodon, WhatsApp, Apple Messages, Signal, and the faint imprints on the platen of my Olympia typewriter (still not an API, tragically). It sorts, filters, groups and summarises the week, then hands me a draft.
Honoka is guided by a private corpus of things I have written over the last fifteen years, so it can get closer to how I sound in more-or-less official emails and public notes. I still take a pass by hand: remove things, change sentences, check links, argue with the judgement. Whether that is enough is, frankly, the experiment. Every issue has one item written entirely by hand. If you can reliably spot it, hit reply and judge.
Hanso Pte Ltd · 1 Phillip Street #08-00, Singapore 048692