A lot has al­ready been said about the ab­surdly large cor­ner ra­dius of win­dows on ma­cOS Tahoe. People are call­ing the way it looks com­i­cal, like a child’s toy, or down­right in­sane.

Setting all the aes­thetic is­sues aside — which are to some ex­tent a mat­ter of taste — it also comes at a cost in terms of us­abil­ity.

Since up­grad­ing to ma­cOS Tahoe, I’ve no­ticed that quite of­ten my at­tempts to re­size a win­dow are fail­ing.

This never hap­pened to me be­fore in al­most 40 years of us­ing com­put­ers. So why all of a sud­den?

It turns out that my ini­tial click in the win­dow cor­ner in­stinc­tively hap­pens in an area where the win­dow does­n’t re­spond to it. The win­dow ex­pects this click to hap­pen in an area of 19 × 19 pix­els, lo­cated near the win­dow cor­ner.

If the win­dow had no rounded cor­ners at all, 62% of that area would lie in­side the win­dow:

But due to the huge cor­ner ra­dius in Tahoe, most of it — about 75% — now lies out­side the win­dow:

Living on this planet for quite a few decades, I have learned that it rarely works to grab things if you don’t ac­tu­ally touch them:

So I in­stinc­tively try to grab the win­dow cor­ner in­side the win­dow, typ­i­cally some­where in that green area, near the blue dot:

And I as­sume that most peo­ple would also in­tu­itively ex­pect to be able to grab the cor­ner there. But no, that’s al­ready out­side the ac­cepted tar­get area:

So, for ex­am­ple, grab­bing it here does not work:

But guess what — grab­bing it here does:

So in the end, the most re­li­able way to re­size a win­dow in Tahoe is to grab it out­side the cor­ner — a ges­ture that feels un­nat­ural and un­in­tu­itive, and is there­fore in­evitably er­ror-prone.

When we re­leased Claude Code, we ex­pected de­vel­op­ers to use it for cod­ing. They did—and then quickly be­gan us­ing it for al­most every­thing else. This prompted us to build Cowork: a sim­pler way for any­one—not just de­vel­op­ers—to work with Claude in the very same way. Cowork is avail­able to­day as a re­search pre­view for Claude Max sub­scribers on our ma­cOS app, and we will im­prove it rapidly from here.

How is us­ing Cowork dif­fer­ent from a reg­u­lar con­ver­sa­tion? In Cowork, you give Claude ac­cess to a folder of your choos­ing on your com­puter. Claude can then read, edit, or cre­ate files in that folder. It can, for ex­am­ple, re-or­ga­nize your down­loads by sort­ing and re­nam­ing each file, cre­ate a new spread­sheet with a list of ex­penses from a pile of screen­shots, or pro­duce a first draft of a re­port from your scat­tered notes.

In Cowork, Claude com­pletes work like this with much more agency than you’d see in a reg­u­lar con­ver­sa­tion. Once you’ve set it a task, Claude will make a plan and steadily com­plete it, while loop­ing you in on what it’s up to. If you’ve used Claude Code, this will feel fa­mil­iar—Cowork is built on the very same foun­da­tions. This means Cowork can take on many of the same tasks that Claude Code can han­dle, but in a more ap­proach­able form for non-cod­ing tasks.

When you’ve mas­tered the ba­sics, you can make Cowork more pow­er­ful still. Claude can use your ex­ist­ing con­nec­tors, which link Claude to ex­ter­nal in­for­ma­tion, and in Cowork we’ve added an ini­tial set of skills that im­prove Claude’s abil­ity to cre­ate doc­u­ments, pre­sen­ta­tions, and other files. If you pair Cowork with Claude in Chrome, Claude can com­plete tasks that re­quire browser ac­cess, too.

Cowork is de­signed to make us­ing Claude for new work as sim­ple as pos­si­ble. You don’t need to keep man­u­ally pro­vid­ing con­text or con­vert­ing Claude’s out­puts into the right for­mat. Nor do you have to wait for Claude to fin­ish be­fore of­fer­ing fur­ther ideas or feed­back: you can queue up tasks and let Claude work through them in par­al­lel. It feels much less like a back-and-forth and much more like leav­ing mes­sages for a coworker.

In Cowork, you can choose which fold­ers and con­nec­tors Claude can see: Claude can’t read or edit any­thing you don’t give it ex­plicit ac­cess to. Claude will also ask be­fore tak­ing any sig­nif­i­cant ac­tions, so you can steer or course-cor­rect it as you need.

That said, there are still things to be aware of be­fore you give Claude con­trol. By de­fault, the main thing to know is that Claude can take po­ten­tially de­struc­tive ac­tions (such as delet­ing lo­cal files) if it’s in­structed to. Since there’s al­ways some chance that Claude might mis­in­ter­pret your in­struc­tions, you should give Claude very clear guid­ance around things like this.

You should also be aware of the risk of “prompt in­jec­tions”: at­tempts by at­tack­ers to al­ter Claude’s plans through con­tent it might en­counter on the in­ter­net. We’ve built so­phis­ti­cated de­fenses against prompt in­jec­tions, but agent safety—that is, the task of se­cur­ing Claude’s real-world ac­tions—is still an ac­tive area of de­vel­op­ment in the in­dus­try.

These risks aren’t new with Cowork, but it might be the first time you’re us­ing a more ad­vanced tool that moves be­yond a sim­ple con­ver­sa­tion. We rec­om­mend tak­ing pre­cau­tions, par­tic­u­larly while you learn how it works. We pro­vide more de­tail in our Help Center.

This is a re­search pre­view. We’re re­leas­ing Cowork early be­cause we want to learn what peo­ple use it for, and how they think it could be bet­ter. We en­cour­age you to ex­per­i­ment with what Cowork can do for you, and to try things you don’t ex­pect to work: you might be sur­prised! As we learn more from this pre­view, we plan to make lots of im­prove­ments (including by adding cross-de­vice sync and bring­ing it to Windows), and we’ll iden­tify fur­ther ways to make it safer.

Claude Max sub­scribers can try Cowork now by down­load­ing the ma­cOS app, then click­ing on “Cowork” in the side­bar. If you’re on an­other plan, you can join the wait­list for fu­ture ac­cess.

I love writ­ing soft­ware, line by line. It could be said that my ca­reer was a con­tin­u­ous ef­fort to cre­ate soft­ware well writ­ten, min­i­mal, where the hu­man touch was the fun­da­men­tal fea­ture. I also hope for a so­ci­ety where the last are not for­got­ten. Moreover, I don’t want AI to eco­nom­i­cally suc­ceed, I don’t care if the cur­rent eco­nomic sys­tem is sub­verted (I could be very happy, hon­estly, if it goes in the di­rec­tion of a mas­sive re­dis­tri­b­u­tion of wealth). But, I would not re­spect my­self and my in­tel­li­gence if my idea of soft­ware and so­ci­ety would im­pair my vi­sion: facts are facts, and AI is go­ing to change pro­gram­ming for­ever.

In 2020 I left my job in or­der to write a novel about AI, uni­ver­sal ba­sic in­come, a so­ci­ety that adapted to the au­toma­tion of work fac­ing many chal­lenges. At the very end of 2024 I opened a YouTube chan­nel fo­cused on AI, its use in cod­ing tasks, its po­ten­tial so­cial and eco­nom­i­cal ef­fects. But while I rec­og­nized what was go­ing to hap­pen very early, I thought that we had more time be­fore pro­gram­ming would be com­pletely re­shaped, at least a few years. I no longer be­lieve this is the case. Recently, state of the art LLMs are able to com­plete large sub­tasks or medium size pro­jects alone, al­most unas­sisted, given a good set of hints about what the end re­sult should be. The de­gree of suc­cess you’ll get is re­lated to the kind of pro­gram­ming you do (the more iso­lated, and the more tex­tu­ally rep­re­sentable, the bet­ter: sys­tem pro­gram­ming is par­tic­u­larly apt), and to your abil­ity to cre­ate a men­tal rep­re­sen­ta­tion of the prob­lem to com­mu­ni­cate to the LLM. But, in gen­eral, it is now clear that for most pro­jects, writ­ing the code your­self is no longer sen­si­ble, if not to have fun.

In the past week, just prompt­ing, and in­spect­ing the code to pro­vide guid­ance from time to time, in a few hours I did the fol­low­ing four tasks, in hours in­stead of weeks:

1. I mod­i­fied my linenoise li­brary to sup­port UTF-8, and cre­ated a frame­work for line edit­ing test­ing that uses an em­u­lated ter­mi­nal that is able to re­port what is get­ting dis­played in each char­ac­ter cell. Something that I al­ways wanted to do, but it was hard to jus­tify the work needed just to test a side pro­ject of mine. But if you can just de­scribe your idea, and it ma­te­ri­al­izes in the code, things are very dif­fer­ent.

2. I fixed tran­sient fail­ures in the Redis test. This is very an­noy­ing work, tim­ing re­lated is­sues, TCP dead­lock con­di­tions, and so forth. Claude Code it­er­ated for all the time needed to re­pro­duce it, in­spected the state of the processes to un­der­stand what was hap­pen­ing, and fixed the bugs.

3. Yesterday I wanted a pure C li­brary that would be able to do the in­fer­ence of BERT like em­bed­ding mod­els. Claude Code cre­ated it in 5 min­utes. Same out­put and same speed (15% slower) than PyTorch. 700 lines of code. A Python tool to con­vert the GTE-small model.

4. In the past weeks I op­er­ated changes to Redis Streams in­ter­nals. I had a de­sign doc­u­ment for the work I did. I tried to give it to Claude Code and it re­pro­duced my work in, like, 20 min­utes or less (mostly be­cause I’m slow at check­ing and au­tho­riz­ing to run the com­mands needed).

It is sim­ply im­pos­si­ble not to see the re­al­ity of what is hap­pen­ing. Writing code is no longer needed for the most part. It is now a lot more in­ter­est­ing to un­der­stand what to do, and how to do it (and, about this sec­ond part, LLMs are great part­ners, too). It does not mat­ter if AI com­pa­nies will not be able to get their money back and the stock mar­ket will crash. All that is ir­rel­e­vant, in the long run. It does not mat­ter if this or the other CEO of some uni­corn is telling you some­thing that is off putting, or ab­surd. Programming changed for­ever, any­way.

How do I feel, about all the code I wrote that was in­gested by LLMs? I feel great to be part of that, be­cause I see this as a con­tin­u­a­tion of what I tried to do all my life: de­moc­ra­tiz­ing code, sys­tems, knowl­edge. LLMs are go­ing to help us to write bet­ter soft­ware, faster, and will al­low small teams to have a chance to com­pete with big­ger com­pa­nies. The same thing open source soft­ware did in the 90s.

However, this tech­nol­ogy is far too im­por­tant to be in the hands of a few com­pa­nies. For now, you can do the pre-train­ing bet­ter or not, you can do re­in­force­ment learn­ing in a much more ef­fec­tive way than oth­ers, but the open mod­els, es­pe­cially the ones pro­duced in China, con­tinue to com­pete (even if they are be­hind) with fron­tier mod­els of closed labs. There is a suf­fi­cient de­moc­ra­ti­za­tion of AI, so far, even if im­per­fect. But: it is ab­solutely not ob­vi­ous that it will be like that for­ever. I’m scared about the cen­tral­iza­tion. At the same time, I be­lieve neural net­works, at scale, are sim­ply able to do in­cred­i­ble things, and that there is not enough “magic” in­side cur­rent fron­tier AI for the other labs and teams not to catch up (otherwise it would be very hard to ex­plain, for in­stance, why OpenAI, Anthropic and Google are so near in their re­sults, for years now).

As a pro­gram­mer, I want to write more open source than ever, now. I want to im­prove cer­tain repos­i­to­ries of mine aban­doned for time con­cerns. I want to ap­ply AI to my Redis work­flow. Improve the Vector Sets im­ple­men­ta­tion and then other data struc­tures, like I’m do­ing with Streams now.

But I’m wor­ried for the folks that will get fired. It is not clear what the dy­namic at play will be: will com­pa­nies try to have more peo­ple, and to build more? Or will they try to cut salary costs, hav­ing fewer pro­gram­mers that are bet­ter at prompt­ing? And, there are other sec­tors where hu­mans will be­come com­pletely re­place­able, I fear.

What is the so­cial so­lu­tion, then? Innovation can’t be taken back af­ter all. I be­lieve we should vote for gov­ern­ments that rec­og­nize what is hap­pen­ing, and are will­ing to sup­port those who will re­main job­less. And, the more peo­ple get fired, the more po­lit­i­cal pres­sure there will be to vote for those who will guar­an­tee a cer­tain de­gree of pro­tec­tion. But I also look for­ward to the good AI could bring: new progress in sci­ence, that could help lower the suf­fer­ing of the hu­man con­di­tion, which is not al­ways happy.

Anyway, back to pro­gram­ming. I have a sin­gle sug­ges­tion for you, my friend. Whatever you be­lieve about what the Right Thing should be, you can’t con­trol it by re­fus­ing what is hap­pen­ing right now. Skipping AI is not go­ing to help you or your ca­reer. Think about it. Test these new tools, with care, with weeks of work, not in a five min­utes test where you can just re­in­force your own be­liefs. Find a way to mul­ti­ply your­self, and if it does not work for you, try again every few months.

Yes, maybe you think that you worked so hard to learn cod­ing, and now ma­chines are do­ing it for you. But what was the fire in­side you, when you coded till night to see your pro­ject work­ing? It was build­ing. And now you can build more and bet­ter, if you find your way to use AI ef­fec­tively. The fun is still there, un­touched.

Please en­able JavaScript to view the com­ments pow­ered by Disqus.

blog com­ments pow­ered by

Apple is join­ing forces with Google to power its ar­ti­fi­cial in­tel­li­gence fea­tures, in­clud­ing a ma­jor Siri up­grade ex­pected later this year.

The mul­ti­year part­ner­ship will lean on Google’s Gemini and cloud tech­nol­ogy for fu­ture Apple foun­da­tional mod­els, ac­cord­ing to a joint state­ment ob­tained by CNBC’s Jim Cramer.

“After care­ful eval­u­a­tion, we de­ter­mined that Google’s tech­nol­ogy pro­vides the most ca­pa­ble foun­da­tion for Apple Foundation Models and we’re ex­cited about the in­no­v­a­tive new ex­pe­ri­ences it will un­lock for our users,” Apple said in a state­ment Monday.

The mod­els will con­tinue to run on Apple de­vices and the com­pa­ny’s pri­vate cloud com­pute, the com­pa­nies added.

Apple de­clined to com­ment on the terms of the deal. Google re­ferred CNBC to the joint state­ment.

In August, Bloomberg re­ported that Apple was in early talks with Google to use a cus­tom Gemini model to power a new it­er­a­tion of Siri. The news out­let later re­ported that Apple was plan­ning to pay about $1 bil­lion a year to uti­lize Google AI.

The deal is an­other ma­jor in­di­ca­tor of grow­ing trust in Google’s ac­cel­er­at­ing AI agenda and come­back against OpenAI. In 2025, the search gi­ant logged its best year since 2009 and sur­passed Apple in mar­ket cap­i­tal­iza­tion last week for the first time since 2019.

Google al­ready pays Apple bil­lions each year to be the de­fault search en­gine on iPhones. But that lu­cra­tive part­ner­ship briefly came into ques­tion af­ter Google was found to hold an il­le­gal in­ter­net search mo­nop­oly.

In September, a judge ruled against a worst-case sce­nario out­come that could have forced Google to di­vest its Chrome browser busi­ness.

The de­ci­sion also al­lowed Google to con­tinue to make deals such as the one with Apple.

The FBI raided the home of a Washington Post re­porter early on Wednesday in what the news­pa­per called a “highly un­usual and ag­gres­sive” move by law en­force­ment, and press free­dom groups con­demned as a “tremendous in­tru­sion” by the Trump ad­min­is­tra­tion.

Agents de­scended on the Virginia home of Hannah Natanson as part of an in­ves­ti­ga­tion into a gov­ern­ment con­trac­tor ac­cused of il­le­gally re­tain­ing clas­si­fied gov­ern­ment ma­te­ri­als.

An email sent on Wednesday af­ter­noon to Post staff from the ex­ec­u­tive ed­i­tor, Matt Murray, ob­tained by the Guardian, said agents turned up “unannounced”, searched her home and seized elec­tronic de­vices.

“This ex­tra­or­di­nary, ag­gres­sive ac­tion is deeply con­cern­ing and raises pro­found ques­tions and con­cern around the con­sti­tu­tional pro­tec­tions for our work,” the email said.

“The Washington Post has a long his­tory of zeal­ous sup­port for ro­bust press free­doms. The en­tire in­sti­tu­tion stands by those free­doms and our work.”

“It’s a clear and ap­palling sign that this ad­min­is­tra­tion will set no lim­its on its acts of ag­gres­sion against an in­de­pen­dent press,” Marty Baron, the Post’s for­mer ex­ec­u­tive ed­i­tor, told the Guardian.

Murray said nei­ther the news­pa­per nor Natanson were told they were the tar­get of a jus­tice de­part­ment in­ves­ti­ga­tion.

Pam Bondi, the at­tor­ney gen­eral, said in a post on X that the raid was con­ducted by the jus­tice de­part­ment and FBI at the re­quest of the Pentagon.

The war­rant, she said, was ex­e­cuted “at the home of a Washington Post jour­nal­ist who was ob­tain­ing and re­port­ing clas­si­fied and il­le­gally leaked in­for­ma­tion from a Pentagon con­trac­tor. The leaker is cur­rently be­hind bars.”

The state­ment gave no fur­ther de­tails of the raid or in­ves­ti­ga­tion. Bondi added: “The Trump ad­min­is­tra­tion will not tol­er­ate il­le­gal leaks of clas­si­fied in­for­ma­tion that, when re­ported, pose a grave risk to our na­tion’s na­tional se­cu­rity and the brave men and women who are serv­ing our coun­try.”

The re­porter’s home and de­vices were searched, and her Garmin watch, phone, and two lap­top com­put­ers, one be­long­ing to her em­ployer, were seized, the news­pa­per said. It added that agents told Natanson she was not the fo­cus of the in­ves­ti­ga­tion, and was not ac­cused of any wrong­do­ing.

A war­rant ob­tained by the Post cited an in­ves­ti­ga­tion into Aurelio Perez-Lugones, a sys­tem ad­min­is­tra­tor in Maryland with a top se­cret se­cu­rity clear­ance who has been ac­cused of ac­cess­ing and tak­ing home clas­si­fied in­tel­li­gence re­ports.

Natanson, the Post said, cov­ers the fed­eral work­force and has been a part of the news­pa­per’s “most high-pro­file and sen­si­tive cov­er­age” dur­ing the first year of the sec­ond Trump ad­min­is­tra­tion.

As the pa­per noted in its re­port, it is “highly un­usual and ag­gres­sive for law en­force­ment to con­duct a search on a re­porter’s home”.

In a first-per­son ac­count pub­lished last month, Natanson de­scribed her­self as the Post’s “federal gov­ern­ment whis­perer”, and said she would re­ceive calls day and night from “federal work­ers who wanted to tell me how President Donald Trump was rewrit­ing their work­place poli­cies, fir­ing their col­leagues or trans­form­ing their agen­cy’s mis­sions”.

“It’s been bru­tal,” the ar­ti­cle’s head­line said.

Natanson said her work had led to 1,169 new sources, “all cur­rent or for­mer fed­eral em­ploy­ees who de­cided to trust me with their sto­ries”. She said she learned in­for­ma­tion “people in­side gov­ern­ment agen­cies weren’t sup­posed to tell me”, say­ing that the in­ten­sity of the work nearly “broke” her.

The fed­eral in­ves­ti­ga­tion into Perez-Lugones, the Post said, in­volved doc­u­ments found in his lunch­box and his base­ment, ac­cord­ing to an FBI af­fi­davit. The crim­i­nal com­plaint against him does not ac­cuse him of leak­ing clas­si­fied in­for­ma­tion, the news­pa­per said.

Press free­dom groups were united in their con­dem­na­tion of the raid on Wednesday.

“Physical searches of re­porters’ de­vices, homes and be­long­ings are some of the most in­va­sive in­ves­tiga­tive steps law en­force­ment can take,” Bruce D Brown, pres­i­dent of the Reporters’ Committee for Freedom of the Press, said in a state­ment.

“There are spe­cific fed­eral laws and poli­cies at the Department of Justice that are meant to limit searches to the most ex­treme cases be­cause they en­dan­ger con­fi­den­tial sources far be­yond just one in­ves­ti­ga­tion and im­pair pub­lic in­ter­est re­port­ing in gen­eral.

“While we won’t know the gov­ern­men­t’s ar­gu­ments about over­com­ing these very steep hur­dles un­til the af­fi­davit is made pub­lic, this is a tremen­dous es­ca­la­tion in the ad­min­is­tra­tion’s in­tru­sions into the in­de­pen­dence of the press.”

Jameel Jaffer, ex­ec­u­tive di­rec­tor of the Knight First Amendment Institute, de­manded a pub­lic ex­pla­na­tion from the jus­tice de­part­ment of “why it be­lieves this search was nec­es­sary and legally per­mis­si­ble”.

In a state­ment, Jaffer said: “Any search tar­get­ing a jour­nal­ist war­rants in­tense scrutiny be­cause these kinds of searches can de­ter and im­pede re­port­ing that is vi­tal to our democ­racy.

“Attorney General Bondi has weak­ened guide­lines that were in­tended to pro­tect the free­dom of the press, but there are still im­por­tant le­gal lim­its, in­clud­ing con­sti­tu­tional ones, on the gov­ern­men­t’s au­thor­ity to use sub­poe­nas, court or­ders, and search war­rants to ob­tain in­for­ma­tion from jour­nal­ists.

“Searches of news­rooms and jour­nal­ists are hall­marks of il­lib­eral regimes, and we must en­sure that these prac­tices are not nor­mal­ized here.”

Seth Stern, chief of ad­vo­cacy for the Freedom of the Press Foundation, said it was “an alarm­ing es­ca­la­tion in the Trump ad­min­is­tra­tion’s mul­ti­pronged war on press free­dom” and called the war­rant “outrageous”.

“The ad­min­is­tra­tion may now be in pos­ses­sion of vol­umes of jour­nal­ist com­mu­ni­ca­tions hav­ing noth­ing to do with any pend­ing in­ves­ti­ga­tion and, if in­ves­ti­ga­tors are able to ac­cess them, we have zero faith that they will re­spect jour­nal­ist-source con­fi­den­tial­ity,” he said.

Tim Richardson, jour­nal­ism and dis­in­for­ma­tion pro­gram di­rec­tor at PEN America, said: “A gov­ern­ment ac­tion this rare and ag­gres­sive sig­nals a grow­ing as­sault on in­de­pen­dent re­port­ing and un­der­mines the First Amendment.

“It is in­tended to in­tim­i­date sources and chill jour­nal­ists’ abil­ity to gather news and hold the gov­ern­ment ac­count­able. Such be­hav­ior is more com­monly as­so­ci­ated with au­thor­i­tar­ian po­lice states than de­mo­c­ra­tic so­ci­eties that rec­og­nize jour­nal­is­m’s es­sen­tial role in in­form­ing the pub­lic.”

The Post has had a rocky re­la­tion­ship with the Trump ad­min­is­tra­tion in re­cent months, de­spite its bil­lion­aire owner, Jeff Bezos, the Amazon founder, at­tempt­ing to curry fa­vor by block­ing it from en­dors­ing Kamala Harris, the Democratic nom­i­nee, in the 2024 pres­i­den­tial elec­tion.

Bezos de­fended the ac­tion, which saw the de­ser­tion of more than 200,000 sub­scribers in protest.

Skip to main con­tent

An of­fi­cial web­site of the United States GovernmentHere’s how you knowOf­fi­cial web­sites use .gov

A .gov web­site be­longs to an of­fi­cial gov­ern­ment or­ga­ni­za­tion in the United States. Secure .gov web­sites use HTTPS

A lock () or https:// means you’ve safely con­nected to the .gov web­site. Share sen­si­tive in­for­ma­tion only on of­fi­cial, se­cure web­sites.

Please en­able JavaScript if it is dis­abled in your browser or ac­cess the in­for­ma­tion through the links pro­vided be­low.

The [Tab] key may be used in com­bi­na­tion with the [Enter/Return] key to nav­i­gate and ac­ti­vate con­trol but­tons, such as cap­tion on/​off.

On Friday, the Department of Justice served the Federal Reserve with grand jury sub­poe­nas, threat­en­ing a crim­i­nal in­dict­ment re­lated to my tes­ti­mony be­fore the Senate Banking Committee last June. That tes­ti­mony con­cerned in part a multi-year pro­ject to ren­o­vate his­toric Federal Reserve of­fice build­ings.

I have deep re­spect for the rule of law and for ac­count­abil­ity in our democ­racy. No one—cer­tainly not the chair of the Federal Reserve—is above the law. But this un­prece­dented ac­tion should be seen in the broader con­text of the ad­min­is­tra­tion’s threats and on­go­ing pres­sure.

This new threat is not about my tes­ti­mony last June or about the ren­o­va­tion of the Federal Reserve build­ings. It is not about Congress’s over­sight role; the Fed through tes­ti­mony and other pub­lic dis­clo­sures made every ef­fort to keep Congress in­formed about the ren­o­va­tion pro­ject. Those are pre­texts. The threat of crim­i­nal charges is a con­se­quence of the Federal Reserve set­ting in­ter­est rates based on our best as­sess­ment of what will serve the pub­lic, rather than fol­low­ing the pref­er­ences of the President.

This is about whether the Fed will be able to con­tinue to set in­ter­est rates based on ev­i­dence and eco­nomic con­di­tions—or whether in­stead mon­e­tary pol­icy will be di­rected by po­lit­i­cal pres­sure or in­tim­i­da­tion.

I have served at the Federal Reserve un­der four ad­min­is­tra­tions, Republicans and Democrats alike. In every case, I have car­ried out my du­ties with­out po­lit­i­cal fear or fa­vor, fo­cused solely on our man­date of price sta­bil­ity and max­i­mum em­ploy­ment. Public ser­vice some­times re­quires stand­ing firm in the face of threats. I will con­tinue to do the job the Senate con­firmed me to do, with in­tegrity and a com­mit­ment to serv­ing the American peo­ple.

Two days ago, Anthropic re­leased the Claude Cowork re­search pre­view (a gen­eral-pur­pose AI agent to help any­one with their day-to-day work). In this ar­ti­cle, we demon­strate how at­tack­ers can ex­fil­trate user files from Cowork by ex­ploit­ing an un­re­me­di­ated vul­ner­a­bil­ity in Claude’s cod­ing en­vi­ron­ment, which now ex­tends to Cowork. The vul­ner­a­bil­ity was first iden­ti­fied in Claude.ai chat be­fore Cowork ex­isted by Johann Rehberger, who dis­closed the vul­ner­a­bil­ity — it was ac­knowl­edged but not re­me­di­ated by Anthropic.

Anthropic warns users, “Cowork is a re­search pre­view with unique risks due to its agen­tic na­ture and in­ter­net ac­cess.” Users are rec­om­mended to be aware of “suspicious ac­tions that may in­di­cate prompt in­jec­tion”. However, as this fea­ture is in­tended for use by the gen­eral pop­u­lace, not just tech­ni­cal users, we agree with Simon Willison’s take:

“I do not think it is fair to tell reg­u­lar non-pro­gram­mer users to watch out for ‘suspicious ac­tions that may in­di­cate prompt in­jec­tion’!”

As Anthropic has ac­knowl­edged this risk and put it on users to “avoid grant­ing ac­cess to lo­cal files with sen­si­tive in­for­ma­tion” (while si­mul­ta­ne­ously en­cour­ag­ing the use of Cowork to or­ga­nize your Desktop), we have cho­sen to pub­licly dis­close this demon­stra­tion of a threat users should be aware of. By rais­ing aware­ness, we hope to en­able users to bet­ter iden­tify the types of ‘suspicious ac­tions’ men­tioned in Anthropic’s warn­ing.

This at­tack lever­ages the al­lowlist­ing of the Anthropic API to achieve data egress from Claude’s VM en­vi­ron­ment (which re­stricts most net­work ac­cess).

The vic­tim con­nects Cowork to a lo­cal folder con­tain­ing con­fi­den­tial real es­tate files­The vic­tim up­loads a file to Claude that con­tains a hid­den prompt in­jec­tion

For gen­eral use cases, this is quite com­mon; a user finds a file on­line that they up­load to Claude code. This at­tack is not de­pen­dent on the in­jec­tion source - other in­jec­tion sources in­clude, but are not lim­ited to: web data from Claude for Chrome, con­nected MCP servers, etc. In this case, the at­tack has the file be­ing a Claude ‘Skill’ (although, as men­tioned, it could also just be a reg­u­lar doc­u­ment), as it is a gen­er­al­iz­able file con­ven­tion that users are likely to en­counter, es­pe­cially when us­ing Claude.

Note: If you are fa­mil­iar with Skills, they are canon­i­cally Markdown files (which users of­ten do not heav­ily scru­ti­nize). However, we demon­strate some­thing more in­ter­est­ing: here, the user up­loads a .docx (such as may be shared on an on­line fo­rum), which poses as a Skill - the con­tents ap­pear to be Markdown that was just saved af­ter edit­ing in Word. In re­al­ity, this trick al­lows at­tack­ers to con­ceal the in­jec­tion us­ing 1-point font, white-on-white text, and with line spac­ing set to 0.1 — mak­ing it ef­fec­tively im­pos­si­ble to de­tect. The vic­tim asks Cowork to an­a­lyze their files us­ing the Real Estate ‘skill’ they up­load­edThe in­jec­tion ma­nip­u­lates Cowork to up­load files to the at­tack­er’s Anthropic ac­count

The in­jec­tion tells Claude to use a ‘curl’ com­mand to make a re­quest to the Anthropic file up­load API with the largest avail­able file. The in­jec­tion then pro­vides the at­tack­er’s API key, so the file will be up­loaded to the at­tack­er’s ac­count.

At no point in this process is hu­man ap­proval re­quired.If we ex­pand the ‘Running com­mand’ block, we can see the ma­li­cious re­quest in de­tail:Code ex­e­cuted by Claude is run in a VM - re­strict­ing out­bound net­work re­quests to al­most all do­mains - but the Anthropic API flies un­der the radar as trusted, al­low­ing this at­tack to com­plete suc­cess­fully. The at­tack­er’s ac­count con­tains the vic­tim’s file, al­low­ing them to chat with it­The ex­fil­trated file con­tains fi­nan­cial fig­ures and PII, in­clud­ing par­tial SSNs.

The above ex­ploit was demon­strated against Claude Haiku. Although Claude Opus 4.5 is known to be more re­silient against in­jec­tions, Opus 4.5 in Cowork was suc­cess­fully ma­nip­u­lated via in­di­rect prompt in­jec­tion to lever­age the same file up­load vul­ner­a­bil­ity to ex­fil­trate data in a test that con­sid­ered a ‘user’ up­load­ing a ma­li­cious in­te­gra­tion guide while de­vel­op­ing a new AI tool:

As the fo­cus of this ar­ti­cle was more for every­day users (and not de­vel­op­ers), we opted to demon­strate the above at­tack chain in­stead of this one.

An in­ter­est­ing find­ing: Claude’s API strug­gles when a file does not match the type it claims to be. When op­er­at­ing on a mal­formed PDF (ends .pdf, but it is re­ally a text file with a few sen­tences in it), af­ter try­ing to read it once, Claude starts throw­ing an API er­ror in every sub­se­quent chat in the con­ver­sa­tion.

We posit that it is likely pos­si­ble to ex­ploit this fail­ure via in­di­rect prompt in­jec­tion to cause a lim­ited de­nial of ser­vice at­tack (e.g., an in­jec­tion can elicit Claude to cre­ate a mal­formed file, and then read it). Uploading the mal­formed file via the files API re­sulted in no­ti­fi­ca­tions with an er­ror mes­sage, both in the Claude client and the Anthropic Console.

One of the key ca­pa­bil­i­ties that Cowork was cre­ated for is the abil­ity to in­ter­act with one’s en­tire day-to-day work en­vi­ron­ment. This in­cludes the browser and MCP servers, grant­ing ca­pa­bil­i­ties like send­ing texts, con­trol­ling one’s Mac with AppleScripts, etc.

These func­tion­al­i­ties make it in­creas­ingly likely that the model will process both sen­si­tive and un­trusted data sources (which the user does not re­view man­u­ally for in­jec­tions), mak­ing prompt in­jec­tion an ever-grow­ing at­tack sur­face. We urge users to ex­er­cise cau­tion when con­fig­ur­ing Connectors. Though this ar­ti­cle demon­strated an ex­ploit with­out lever­ag­ing Connectors, we be­lieve they rep­re­sent a ma­jor risk sur­face likely to im­pact every­day users.

There. That’s out of the way. I re­cently in­stalled Linux on my main desk­top com­puter and work lap­top, over­writ­ing the Windows par­ti­tion com­pletely. Essentially, I deleted the pri­mary op­er­at­ing sys­tem from the two com­put­ers I use the most, day in and day out, in­stead trust­ing all of my per­sonal and work com­put­ing needs to the Open Source com­mu­nity. This has been a grow­ing trend, and I hopped on the band­wagon, but for good rea­sons. Some of those rea­sons might per­tain to you and con­vince you to fi­nally make the jump as well. Here’s my ex­pe­ri­ence.

It’s no se­cret that Windows 11 har­vests data like a pump­kin farmer in October, and there is no easy way (and some­times no way at all) to stop it. The op­er­at­ing sys­tem it­self acts ex­actly like what was called “spyware” a decade or so ago, pulling every piece of data it can about its cur­rent user. This data in­cludes (but is far from lim­ited to) hard­ware in­for­ma­tion, spe­cific apps and soft­ware used, us­age trends, and more. With the ad­vent of AI, Microsoft made head­lines with Copilot, an ar­ti­fi­cial as­sis­tant de­signed to help users by cap­tur­ing their data with tools like Recall. It turns out that Copilot has largely been a flop and helps Microsoft (and data thieves) more than its users.

Why are so many ar­ti­cles and YouTube videos lately re­gal­ing read­ers and watch­ers with the har­row­ing tales of techies switch­ing from Windows to Linux? Anyone who has read one of those ar­ti­cles or watched one of those videos will know it boils down to two main is­sues: teleme­try and poor soft­ware sta­bil­ity.

After deal­ing with these is­sues and try­ing to solve them with workarounds, I dual-booted a Linux par­ti­tion for a few weeks. After a Windows up­date (that I did­n’t choose to do) wiped that par­ti­tion and, con­se­quently, the Linux in­stal­la­tion, I de­cided to go whole-hog: I deleted Windows 11 and used the en­tire drive for Linux.

The other main rea­son folks unin­stall Windows is due to the over­all poor soft­ware ex­pe­ri­ence. Windows 11 has mul­ti­ple set­tings mod­ules to han­dle the same task (such as set­ting up net­work­ing or adding de­vices), and none of them seem to talk to each other. Additionally, each new up­date (which will even­tu­ally be forced upon you) seems to bring more bugs than fixes. Personally, I en­coun­tered 2-3 full sys­tem crashes a week when I ran Windows 11, and my hard­ware is fairly de­cent: AMD Ryzen 7 6800H, 32 GB of RAM, and a 1 TB PCIe NVMe drive. Still, a few times a week, my com­puter would freeze for a few sec­onds, the dis­plays would go dark, and the PC would ei­ther restart or hang in­def­i­nitely.

There. That’s out of the way. I re­cently in­stalled Linux on my main desk­top com­puter and work lap­top, over­writ­ing the Windows par­ti­tion com­pletely. Essentially, I deleted the pri­mary op­er­at­ing sys­tem from the two com­put­ers I use the most, day in and day out, in­stead trust­ing all of my per­sonal and work com­put­ing needs to the Open Source com­mu­nity. This has been a grow­ing trend, and I hopped on the band­wagon, but for good rea­sons. Some of those rea­sons might per­tain to you and con­vince you to fi­nally make the jump as well. Here’s my ex­pe­ri­ence.

It’s no se­cret that Windows 11 har­vests data like a pump­kin farmer in October, and there is no easy way (and some­times no way at all) to stop it. The op­er­at­ing sys­tem it­self acts ex­actly like what was called “spyware” a decade or so ago, pulling every piece of data it can about its cur­rent user. This data in­cludes (but is far from lim­ited to) hard­ware in­for­ma­tion, spe­cific apps and soft­ware used, us­age trends, and more. With the ad­vent of AI, Microsoft made head­lines with Copilot, an ar­ti­fi­cial as­sis­tant de­signed to help users by cap­tur­ing their data with tools like Recall. It turns out that Copilot has largely been a flop and helps Microsoft (and data thieves) more than its users.

Why are so many ar­ti­cles and YouTube videos lately re­gal­ing read­ers and watch­ers with the har­row­ing tales of techies switch­ing from Windows to Linux? Anyone who has read one of those ar­ti­cles or watched one of those videos will know it boils down to two main is­sues: teleme­try and poor soft­ware sta­bil­ity.

After deal­ing with these is­sues and try­ing to solve them with workarounds, I dual-booted a Linux par­ti­tion for a few weeks. After a Windows up­date (that I did­n’t choose to do) wiped that par­ti­tion and, con­se­quently, the Linux in­stal­la­tion, I de­cided to go whole-hog: I deleted Windows 11 and used the en­tire drive for Linux.

The other main rea­son folks unin­stall Windows is due to the over­all poor soft­ware ex­pe­ri­ence. Windows 11 has mul­ti­ple set­tings mod­ules to han­dle the same task (such as set­ting up net­work­ing or adding de­vices), and none of them seem to talk to each other. Additionally, each new up­date (which will even­tu­ally be forced upon you) seems to bring more bugs than fixes. Personally, I en­coun­tered 2-3 full sys­tem crashes a week when I ran Windows 11, and my hard­ware is fairly de­cent: AMD Ryzen 7 6800H, 32 GB of RAM, and a 1 TB PCIe NVMe drive. Still, a few times a week, my com­puter would freeze for a few sec­onds, the dis­plays would go dark, and the PC would ei­ther restart or hang in­def­i­nitely.

The first ques­tion of­ten asked of Windows refugees mi­grat­ing to Linux is, “Why Linux?” It’s a good ques­tion, and one that needs to be asked be­fore dump­ing Windows for any­thing else. Personally, I tried ma­cOS first. The ex­pe­ri­ence was smooth and easy but ul­ti­mately felt re­stric­tive (installing from third-party de­vel­op­ers, any­one?). Additionally, the only Apple com­puter I have is a 2014 MacBook Air. As such, the lat­est ver­sion of ma­cOS I could ac­tu­ally run is 11 (Big Sur), which was re­leased in 2020. Overall sys­tem op­er­a­tion was quite slug­gish on the older hard­ware, and I knew that time would in­evitably take its toll on the soft­ware ex­pe­ri­ence — apps would soon be out of date and I would­n’t be able to up­date them. I also tried the OpenCore Legacy Patcher to push the lap­top to ma­cOS 13. While per­for­mance im­proved, key fea­tures like iMes­sage and Continuity Camera were ei­ther buggy or flat out re­fused to work. It felt like my lap­top was run­ning in mud with its hands tied be­hind its back. Plus, I needed some­thing for my desk­top. Not want­ing to drop a mort­gage pay­ment or two on new hard­ware, I opted for Linux.

Linux promised me the po­ten­tial of what I wanted - high hard­ware com­pat­i­bil­ity with full soft­ware free­dom. The op­er­at­ing sys­tem can run on pretty much any­thing, and it grants users a huge amount of con­trol over their sys­tem. I tried out a few ditri­bu­tions, or dis­tros, of Linux. A dis­tro is like a “flavor” of Linux, and each one has unique fac­tors (e.g., app/​pack­age man­age­ment, bun­dled user in­ter­face). With most dis­tros, these dif­fer­ences are largely ir­rel­e­vant; most dis­tros of­fer the same main pack­ages as oth­ers.

The URL short­ener that makes your links look as sus­pi­cious as pos­si­ble.

Normal links are too trust­wor­thy. Make them creepy.

Please see the be­low state­ment in re­gards to the le­gal nasty­grams:

This web­site is a joke. Redirect pages are in place to in­form the user of what web­site they are be­ing di­rected to. It is not de­signed to “weaken global cy­ber­se­cu­rity hy­giene” and does not fa­cil­i­tate phish­ing.

This web­site does not vi­o­late any known laws, poli­cies, or rules, to the best of the au­thor’s knowl­edge.

Valid con­cerns brought up in your let­ter have been ad­dressed. Going for­ward, I would greatly ap­pre­ci­ate if you use the sup­port email in “Report Issue” to dis­cuss con­cerns or prob­lems with this ser­vice, rather than send­ing le­gal threats.