Canadian election databases use “canary traps”—and they work
In a world awash in high-tech security tools like passkeys, quantum-safe algorithms, and public-key cryptography, it can be refreshing to get back to the simple things… like a good old-fashioned canary trap.
The canary trap is a simple tool often used to identify leakers or double agents. To make one, you simply share a document, image, or database but make tiny changes that are unique to each recipient. That way, if those changes show up verbatim in any leak of the information, you know immediately which recipient was behind the leak.
You don’t often see canary traps in the news, though they have long been a staple of spy fiction (and practice), so an account out of Canada last week caught my eye.
The Canadian province of Alberta has been the site of recent drama around its electoral list, a database that contains information such as names, addresses, and voting districts for millions of citizens. Political parties can legally get access to the electoral list, though they operate under significant restrictions on how they can use the data. They cannot, for instance, share the list with a third party.
Despite this, The Centurion Project, described by the CBC as a “separatist group,” used the list to power an online database of voters. Elections Alberta, which maintains the list, went to court last week and obtained an order to shut down the Centurion site.
But how had Centurion obtained the data?
Elections Alberta quickly investigated and announced that the list used by Centurion was a copy of one legitimately released to the Republican Party of Alberta. Election officials were confident in their claim because, whenever they release a copy of the electoral list, they salt it with additional but bogus entries. The fake entries inserted in the Republican Party version of the list showed up in Centurion’s online tool, too.
Exactly how the data had passed from the Republican Party to Centurion remains unclear, but the canary trap enabled Elections Alberta to lean quickly on both groups. Each publicly pledged to respect the law, and Centurion took down its tool.
Canaries—from Clancy to AI
The canary trap has been used by companies ranging from Tesla to Apple; it was even used to stop the leak of Star Trek film scripts. Though the concept comes from the world of espionage, the actual term appears to stem from Tom Clancy’s 1980s thriller, Patriot Games. The idea is to find out which “canary” did the “singing.”
Ars Technica’s own Clancy aficionado, Lee Hutchinson, tracked down his copy of the book and found the passage in which protagonist Jack Ryan explains the term after an admiral asks him, “What the devil is this Canary Trap?” Ryan says:
“Well, you know about all the problems CIA has with leaks. When I was finishing off the first draft of the report, I came up with an idea to make each one unique…
“Each summary paragraph has six different versions, and the mixture of those paragraphs is unique to each numbered copy of the paper. There are over a thousand possible permutations, but only ninety-six numbered copies of the actual document. The reason the summary paragraphs are so—well, lurid, I guess—is to entice a reporter to quote them verbatim in the public media. If he quotes something from two or three of those paragraphs, we know which copy he saw and, therefore, who leaked it. They’ve got an even more refined version of the trap working now. You can do it by computer. You use a thesaurus program to shuffle through synonyms, and you can make every copy of the document totally unique.”
Thesaurus program? We can do better than that, Jack Ryan; this is the age of artificial intelligence!
Indeed, as far back as 2021, Dartmouth professor V.S. Subrahmanian built an AI tool called (really) WE-FORGE that “automatically creates false documents to protect intellectual property such as drug design and military technology.” The goal was to create “documents that are sufficiently similar to the original to be plausible, but sufficiently different to be incorrect,” said Subrahmanian at the time.
However it’s done, this old system continues to work pretty well. Just ask Elections Alberta.
UK set to enter talks to join the European Union’s $105.9 billion Ukraine loan
Britain is set to enter talks to join the European Union’s 78 billion pound loan ($106 billion) to Ukraine, the government said, in a further sign of deepening European defence ties under rising U.S. pressure. Prime Minister Keir Starmer is expected on Monday to tell a summit in Armenia’s capital Yerevan of the European Political Community – a discussion forum set up after Russia’s invasion in 2022 – that Britain wants to work with the EU to support Ukraine in getting vital military equipment, his office said. The loan, approved by the EU last month, is set to cover two-thirds of Ukraine’s needs for the next two years, with the bulk of that amount earmarked for military spending as Kyiv defends itself against Russia’s four-year war. The extra funding could also unlock opportunities for British businesses to meet Ukraine’s urgent needs, particularly in the defence sector, the government said in a statement.
FURTHER SANCTIONS ON RUSSIAN COMPANIES Britain, which has imposed wide-ranging sanctions on Russia since the war began in 2022, will also announce another tranche of “stinging sanctions” on Russian companies this week to disrupt military supply chains, it said. Starmer’s visit, the first by a British leader to Armenia since former Prime Minister Margaret Thatcher in 1990, comes as the Trump administration pushes Europe to take more responsibility for the continent’s defence. European countries, including Germany, France and Britain, have recently come under further pressure from Washington after refusing to join the U.S. and Israel’s war on Iran. “When the UK and the European Union work together, we all reap the benefits — and in these volatile times we need to go further and faster on defence to keep people safe,” Starmer said in the statement. He has previously called for stronger defence integration within the continent to cut NATO’s over-reliance on the U.S., hinting at further alignment with the EU’s single market and deeper economic integration, six years after Brexit.
Dolly Parton Reveals Health Battle After Body ‘Went Haywire’
Country legend Dolly Parton is finally opening up about the mysterious health issues that had fans worried — and it’s more serious than she first let on.
In a candid video message, the 80-year-old icon admitted her body has been struggling behind the scenes, revealing her immune and digestive systems “got all out of whack” over the past few years. The shocking confession comes as she officially pulls the plug on her highly anticipated Las Vegas residency.
Still, in true Dolly fashion, she’s not backing down.
“I’m responding really well to meds and treatments, and I’m improving every day,” she told fans, offering a dose of optimism after months of speculation about her condition.
But there’s a catch.
The “Jolene” superstar says the treatments have left her feeling “a little bit swimmy headed,” making it impossible to deliver the high-energy, over-the-top performances fans expect. Rather than risk anything less than perfection, she made the tough call to step away from the stage.
And for Dolly, that’s no small thing.
She’s built a career on dazzling crowds with sky-high heels, glittering outfits, and that unmistakable larger-than-life personality. “I don’t want to compromise the whole Dolly Parton fantasy,” she explained.
Fans first grew concerned last year when the country queen quietly canceled appearances, including an event at her beloved Dollywood. At the time, she cited kidney stones, but things quickly escalated as more shows were scrapped and her family hinted at deeper worries.
Behind it all, Dolly revealed, was not just physical strain — but emotional heartbreak.
The loss of her husband, Carl Dean, in 2025 hit her hard. The famously private couple had been together for decades, and she admitted the grief took a toll on her health.
“When I finally went to the doctor, they said, ‘We need to take care of this, we need to take care of that,’” she recalled.
Now, she’s focused on healing — and she’s using a metaphor only Dolly could pull off.
Comparing herself to a classic car, she joked that she just needs a little tune-up. “My spark plugs need to be changed,” she said with a smile. “I can’t lose my spark.”
Despite the setbacks, she made one thing crystal clear: she’s not going anywhere.
“I’m not ready to die yet,” she said bluntly.
And while Vegas may be off the table for now, Dolly isn’t slowing down completely. She’s still pouring energy into major projects, including new developments tied to Dollywood, a Nashville museum and hotel, and her upcoming Broadway show, Dolly: A True Original Musical.
Even in the middle of health struggles and heartbreak, she’s keeping her signature humor intact. Recalling a conversation with her late husband, she joked that as long as plastic surgeons exist, aging isn’t something she plans to worry about.
But she quickly turned serious again, reminding fans that what’s happening inside the body matters most.
“The outside’s one thing,” she said. “But it’s serious business when you’re talking about internal medicine.”
For now, Dolly says she’s in good hands with doctors who believe everything she’s facing is treatable — and she’s leaning on the love from fans to get her through.
“You have been a big part of my healing,” she told them.
And if history proves anything, it’s this: counting Dolly Parton out has never been a safe bet.
“Notepad++ for Mac” release is disavowed by the creator of the original
As its name implies, the venerable Notepad++ text editor began as a more capable version of the classic Windows Notepad, with features such as line numbering and syntax highlighting. It was created in 2003 by Don Ho, who continues to be its primary author and maintainer, and it has been a Windows-exclusive app throughout its existence (older Notepad++ versions support OSes as old as Windows 95; the current version officially supports everything going back to Windows 7).
I’m not a devoted user of the app, but I was aware of its history, which is why I was surprised to see news of a “Notepad++ for Mac” port making the rounds last week, as though it were a port of the original available from the Notepad++ website.
Apparently, this news surprised Ho as well, who claims that the Mac version and its author, Andrey Letov, are “using the Notepad++ trademark (the name) without permission.”
“This is misleading, inappropriate, and frankly disrespectful to both the project and its users,” Ho wrote. “It has already fooled people—including tech media—into believing this is an official release. To be crystal clear: Notepad++ has never released a macOS version. Anyone claiming otherwise is simply riding on the Notepad++ name.”
An escalating back-and-forth
Further communication between Ho and Letov can be found in a Notepad++ GitHub thread, where Ho said he had been contacted by Letov before the Notepad++ for Mac app had launched, but that he hadn’t had time to reply.
“The problem is that using the official name Notepad++ and its logo gives the impression that your project is an official macOS version maintained or endorsed by the Notepad++ team, which is not the case,” wrote Ho in an email to Letov that he reposted to GitHub. “This create [sic] confusion for users and exposes both you and the project to trademark issues.”
Letov responded two days later, saying he hadn’t meant to insinuate that Ho was involved with the Notepad++ for Mac project. But he did insist that his port “actually expands notepad++ brand to mac” and expressed hope that Ho would allow him to continue to use the name. Ho responded, again asking Letov to stop using the Notepad++ name and logo and to change the project’s URL so that users would not mistake the project for an official Notepad++ port and contact Ho looking for support.
“I will prep for the site and some naming changes,” wrote Letov. “Give me a couple of weeks. My intention was to expand your brand. I really hope that at some point in the future you change your mind and see this as a positive growth for your brand.”
At this point, Ho seemed to lose patience with Letov’s responses, particularly with being asked to allow Letov to continue using the Notepad++ name for “a couple of weeks.” Ho reported the use of the Notepad++ trademark to Cloudflare, the CDN of the Notepad++ for Mac site, and asked Letov to take it down.
“Every day that website remains active, you are in further violation of the law,” Ho wrote earlier today. “I cannot authorize a ‘week or two’ of continued trademark infringement.”
Letov began changing the website two days ago, though at first he claimed to be making these changes “in coordination with Don Ho.” This drew further accusations from other GitHub users that he was trying to misrepresent the port’s relationship to the original project.
Those changes continue and have ramped up over the last few hours; the app will now be called “NextPad++,” an homage to NeXT Computer, and uses a frog icon rather than the Notepad++ lizard. The original version, along with the authors page that lists Ho beneath Letove, is available via Internet Archive snapshots.
Letov claims that the app’s name will change in version 1.0.6. Version 1.0.5, with the Notepad++ logo and branding intact, is available for download. The project’s URL also hasn’t changed.
A seemingly thoughtful but low-effort port
The “Notepad++ for Mac” app looks right, but there are reasons to prefer an “official” port when you can get one.
Credit: NextPad++
The “Notepad++ for Mac” app looks right, but there are reasons to prefer an “official” port when you can get one. Credit: NextPad++
I had considered writing about Notepad++ for Mac last week, but lost a bit of interest after discovering it was “an independent community port” rather than an official release—independent ports and forks are all well and good, but an official release implies ongoing updates and support, where an “independent community port” might fade away or vanish entirely as soon as its creator gets bored and/or moves on.
But I continued to dig because, at a glance, it seemed like an exceptionally thoughtful community port. It supported macOS versions dating back to 11.0 Big Sur on both Intel and Apple Silicon processors. It was a native macOS app with a Cocoa user interface that replaces the original Win32 interface rather than translating it or using a wrapper. The app seemed to be lightweight and clean, as promised. And it was properly notarized so that users could download and launch it relatively easily—not a given, for many independent and/or open source Mac software projects.
But I paused when I hit Letov’s About page, which mentioned being “deep in multi-agent AI” and showed a flurry of GitHub commits that happened exclusively in March and April 2026. The Notepad++ for Mac page made no mention of the project being AI-coded, but when contacted for comment, Letov confirmed that both the Notepad++ for Mac app and the website were created at least partially using Anthropic’s Claude CLI.
“I primarily use Claude CLI with some customizations to run multiple agents and also Codex plugin for VSS. I also use Beads,” Letov told Ars. “Website is also partly managed using Claude CLI plus some manual work on graphics.”
“I run some agents that scan for Issues and general issues reported, list/create options to implement features and fixes. I usually review most and decide on the path,” Letov continued when asked how much human oversight the project had. “Also UIs are not as easily tested by AI as backend code and some things have to be thought through and build iteratively.”
It’s not that I think the use of AI coding tools should be disqualifying in and of itself. AI coding tools do have real utility, and many companies and projects are making at least some use of them; you likely are running or will eventually run an app containing AI-generated code whether you want to or not. But the port being both “independent” and AI-generated heightens my existing concerns about ongoing support and the developer’s capability to address bug reports and merge upstream code.
And, as Ho and other users warned in the GitHub thread, downloading an unvetted unofficial port of a project can increase your risk of downloading malware.
Have any lessons been learned from US failures in the Iran war?
While the US military has had many achievements in the Iran conflict, it’s been far from cost free. Iran conducted extensive retaliatory strikes targeting high-value US bases.
In all, 16 US military sites in eight countries across the Middle East were hit, and some of them sustained enough damage to be unusable.
Did the US learn any lessons as much from the failures as from the successes?
The US clearly made some major blunders, despite far superior air defenses and sophisticated command and control systems. Most spectacularly, the US lost two AWACS aircraft, one totally destroyed and the other possibly unrepairable, and three F-15 fighter jets, downed by “friendly” fire. The US also “missed” an Iranian jet that did substantial damage to Camp Buehring in Kuwait.
AN/TPY-2 THAAD radar at Muwaffaq As-Salti Airbase in Jordan
The AWACS Story
The airborne warning and control system is one of the most important US systems for the long range detection of enemy aircraft, missiles and ships. The US fields two versions: the E-3 Sentry and the E-2 Hawkeye.
The E-3 is a land-based four engine jet that is built on the old Boeing 707 narrow-body airframe. The last Boeing 707 was retired from commercial service in the United States in 1983.
The E-3 is a true battle management system. It features a large 30 foot radome mounted on the rear section of the aircraft body. By contrast, the E-2, which can be both land and sea based, is a twin engine turboprop and a tactical early warning aircraft. It has a crew of 5, compared with the E-3 which has a crew of between 17 and 33 (13 to 29 specialists), depending on the mission.
The E-2 is operated by the US Navy and mostly provides early warning and control for the US fleet.
E-3 at Prince Sultan Air Base
The E-3 is operated by the US Air Force. The first production of the E-3 was in 1975 and production ended in 1992. The aircraft that was totally destroyed in Saudi Arabia, unit 81-0005, was manufactured in 1981.
The size of the US E-3 fleet has been rapidly declining as many of the jets are no longer repairable. By the time of the start of the recent conflict with Iran, the US had around 10 AWACS planes that were deployable, although keeping them functioning is a major challenge. On February 28, the US moved six AWACS to Prince Sultan air base in Saudi Arabia and two to al Dhafra air base in the UAE. Another four were stationed in Europe, at Mildenhall in the UK and Ramstein in Germany.
The decision to move the better part of the functioning E-3 AWACS fleet to Saudi Arabia and the UAE was a major blunder, one that the Pentagon should have understood but chose to ignore.
The Russian AWACS fleet
The US operating through NATO played a major role in destroying a significant part of Russia’s AWACS fleet in the Ukraine war.
Russia operates an AWACS platform directly copied from the US E-3, called the Beriev A-50 (NATO name, Mainstay). In 2024 two were shot down by Ukrainian air defenses and in 2025 two more were either damaged or destroyed by drone attacks on Russian air bases. Like the US AWACS, the Russian A-50 fleet has been contracting as airframes wear out, leaving between 8 and 15 operational. The losses in the Ukraine war (over Ukrainian territory, the Sea of Azov, and at bases in Russia) significantly impact Russian warfighting operations.
The Russians’ exposure of their A-50s, especially at forward bases on Russian territory, was a military error that was avoidable.
The US role was in tracking the Russian AWACS platforms and in assisting Ukraine in locating them.
The Iranians needed little encouragement to go after the US-deployed AWACS, and they got targeting information from Russian and Chinese satellites, including a Chinese “commercial” satellite. These assets provided hard information on the precise location of the US AWACS aircraft.
The TEE-01B Chinese satellite is made and operated by the Chinese company Earth Eye. This model satellite features a resolution of half a meter (1.6 feet). Log files show that the IRGC used this satellite to target the Prince Sultan Air Base on March 13, 14, and 15, exactly when the first wave of strikes began.
At least two of the AWACS aircraft were parked on the tarmac at Prince Sultan. There were no hardened shelters for the E-3s, as the aircraft’s radome is too high to fit into any existing shelters.
The reason given for the forward deployment is that it allowed the E-3s to operate for longer periods on station than if they were deployed further back.
The alternative would have been to use air to air refueling for the AWACS. Whether refueling tankers were available is uncertain, as tankers were heavily used to support fighter aircraft, bombers and other command and control assets.
Prince Sultan has sophisticated air defenses including Patriot PAC-2 and PAC-3 MSE and THAAD (including the An-TPY-2 radar, similar to the one Iran destroyed in Jordan) plus CRAM. Even so, the base was hit by swarm attacks and the E-3s were not repositioned or cleared from the facility. How much early warning the US force had, if any, isn’t known.
The destroyed E-3 suffered a precision strike that targeted the radome on the aircraft. Some say it was hit by a missile, possibly the solid-fueled Khaibar-Shekan, a third generation IRGC missile that is maneuverable in its terminal phase. This medium range ballistic missile features a 550 kg (2,205 lbs.) warhead. It is also possible the AWACS was hit by a modified Shahed drone, since the blast size (as shown in photos) appears smaller than the damage likely caused by a 2,000 pound warhead.
Khaibar-Shekan missiles.
In the background of the Iranian strike there is a strong sense that the attack was a Russian revenge operation as much as it was important to Iran’s war objectives.
f it was a drone, it may have been like some of the modified Russian Gerans with a Starlink terminal, because Starlink terminals are not banned in Iran as they are in Russia. Alternatively, either the drone or a missile could have been equipped with pattern matching technology, enabling it to accurately strike the E-3.
Iran has proven in the past it can accurately target fixed sites with drones and cruise missiles, as it did in the Abqaiq and Khurais attack in eastern Saudi Arabia in 2019.
The F-15 shootdowns
One of the heaviest losses in the war has been the destruction of three US F-15s that were shot down over Kuwait on March 2nd. Initial reports suggested they were hit by Kuwaiti operated Patriot missiles, but it became clear that in fact a single Kuwaiti F-18 aircraft downed all three F-15s in a 30 second engagement using Aim-9M missiles.
One of three F-15s shot down over Kuwait,
The Aim-9M is a short range “all aspect” air-to-air missile with an advanced infrared (heat seeking) sensor. The F-15E is not equipped with Missile Warning Sensors (MWS) for infrared threats and therefore the aircrews received no cockpit warning that a missile was in flight. One of the missiles hit the right engine of one F-15 and another hit the rear section of another F-15 from the side.
It is debatable that the F-15s could have evaded the Aim-9s even if they received a warning. All three pilots ejected and were rescued.
Kuwait operates both the F-18 (legacy and newer models) and the Eurofighter. The legacy F-18 (F/A-18C/D) is the model that knocked out the three F-15s. It appears the Kuwaiti operator thought the F-15s were Iranian F-5s or partially home built Iranian F-5s called Kowsar. This is the aircraft that got past air defenses on March 1st and bombed Camp Buehring in Kuwait, causing extensive damage.
If the pilot was looking for F-5 Kowsars on March 2nd, then it is possible both pilots and air defense operators understood that the F-5 Kowsars could get through and cause significant damage.
The US and Kuwaiti aircraft and air defenses use advanced IFF (identification friend or foe) systems (specifically Mode 5 IFF). IFF when operating properly should lock out a friendly aircraft from an attack. Mode 5 uses codes that are shared daily and encryption so the codes can’t be compromised. Some have suggested that the IFF was turned off in the Kuwaiti F-18, possibly because heavy jamming made it unreliable. Or IFF frequencies could have been jammed. Even so, the F-18 radar should have registered the F-15s as “green” or friendly, but apparently did not. Instead the F-15s may have shown up as “red” on the F-18’s radar screen.
Modern radars use threat libraries to identify aircraft, missiles and drones. The libraries match the radar image and related information to the library listed threats.
One thing is clear, the Kuwaiti pilot did not request ground clearance to fire his missiles. He had time to do so, and it is far from clear the pilot was following established procedures.
The F-5 Kowsar incident
Camp Buehring is a critical US Army installation located in the Udairi Desert in northwestern Kuwait, approximately 25 miles from the Iraqi border. On March 1, 2026, at 4:15 am an Iranian F-5 or modified F-5 Kowsar took off from a base in southwestern Iran, crossing the Persian Gulf at very low altitude to avoid radar detection. Less than half an hour later it entered Kuwait’s airspace and less than ten minutes later reached Camp Buehring.
It was not intercepted by air defenses and it carried out a bombing attack. The strike caused massive damage to the base’s command center and warehouses. Six US soldiers were killed, and nearly 60 others were wounded. Confirmed damage included multiple structures housing equipment from Army Prepositioned Stocks-5 (APS-5), a CH-47 Chinook destroyed on the ground, and several other tactical vehicles damaged; craters on the main airstrip and satellite communications (SATCOM) nodes degraded or knocked out.
Kowsar production line in Iran.
It isn’t clear why the F-5 was not detected or intercepted. It successfully returned to Iran. One contributing factor possibly was radar ducting, an atmospheric phenomenon in which radar waves are trapped and guided along the Earth’s surface due to sharp temperature inversions or moisture gradients. That’s a problem over Persian Gulf waters.
During the March 2026 strikes on Prince Sultan Air Base, Iranian Kowsar jets and drones utilized “ducting holes.” By flying at specific low altitudes during intense ducting periods, they stayed within blind zones where ground-based Patriot radars could not “see” them, despite being technically within the radar’s range. It isn’t known if this was a factor in the Camp Buehring attack.
While it isn’t clear if radar ducting contributed to the Camp Buehring strike, the US had the technological capability to “find” the Iranian strike aircraft.
The US has many aircraft with look down, shoot down radars. Look down, shoot down radars can “see” aircraft and drones from above.
Until the early 1980s this was not possible because radars would encounter heavy ground clutter when trying to look down. However, the US Air Force designed a special computer capable of sorting out radar ground clutter from moving objects using a mathematical radar processor (utilizing fast Fourier transform computing). American fighter jets such as the F-15 and F-16 and F-35 have look down, shoot down computers, as do AWACS aircraft.
Exactly why the F-5 Kowsar was not detected remains a mystery. While it may have been able to sneak across the Persian Gulf, exactly how it evaded air and ground based systems is concerning. Did Iran find a hole or gap in US and allied defense systems?
It should be remembered that the US designed the Tomahawk cruise missile to fly nap of the earth treetop level to get under Russian radar coverage. Iran was certainly familiar with US Tomahawks. The US fired 850 Tomahawks at Iranian targets over a four week period.
The US rushed a number of systems to Gulf bases after the F-5 incident and related drone and missile attacks. The most noteworthy were M-SHORAD systems (Stryker-based) to provide mobile, 360-degree protection. M-Shorad uses Stinger missiles and is supposed to be capable of knocking out low flying aircraft like the F-5 Kowsar, assuming it can detect the aircraft.
By May, Iran’s Kowsar aircraft were mostly destroyed on the ground by US B-2 bombers and F-35s. Until then, the Kowser served as Iran’s Tomahawk.
Lessons not necessarily learned
There is no perfect war and losses are inevitable. In the big picture, the US has done very well in the Iran conflict, but inevitably mistakes and oversights have happened.
One feature that may have escaped notice is that Iran, despite its limitations, has been very resourceful and has carried out effective strikes against US bases, destroying important equipment and costing lives.
Iran also has had important outside help from China and Russia. Both countries have provided intelligence, command and control support and important equipment (even during the conflict). Both continue to do so with supplies arriving by ship, aircraft and overland.
Stephen Bryen is a former US deputy under secretary of defense. You can find this article and many more on his Weapons and Strategy site, from which this article is republished with permission.
ProPublica and The Connecticut Mirror Win Pulitzer Prize for Local Reporting
ProPublica and Local Reporting Network partner The Connecticut Mirror won the Pulitzer Prize for local reporting for what judges described as “an impressive series exposing how the state’s unique towing laws favored unscrupulous companies that overcharged residents, prompting swift and meaningful consumer protections.” It is the ninth Pulitzer for ProPublica.
A series about how the Food and Drug Administration has for years allowed risky drugs to enter the United States was named a finalist in the investigative reporting category, and a series about the fallout from the destruction of the U.S. Agency for International Development was named a finalist in the explanatory reporting category. They are the 13th and 14th Pulitzer finalists in 18 years.
In “On the Hook,” CT Mirror reporters Dave Altimari and Ginny Monk exposed a wide range of abuses committed by towing companies across the state — due in part to a lack of oversight from the Department of Motor Vehicles — and how Connecticut’s laws had come to favor the companies at the expense of low-income residents. Towing companies could start the process to sell people’s cars in as little as 15 days if the company deemed the car to be worth less than $1,500. The window was one of the shortest in the country, CT Mirror and ProPublica found, and meant many people who couldn’t afford to quickly pay the towing fees frequently lost their cars.
Through a long public records battle, complex data analysis by Sophie Chou and Haru Coryne, and innovative engagement reporting, the reporters discovered that tow truck companies were drastically undervaluing cars compared with the book value, allowing them to sell vehicles more quickly. They revealed that towing companies often held on to people’s belongings, including work equipment and mementos that had sentimental value, as leverage to get them to pay exorbitant fees. The companies were also not abiding by a law that requires them to hold onto the profits of sold cars and turn them over to the state so owners can claim the money — because the DMV never set up a system to collect it.
Within 24 hours of the first story, Connecticut DMV leadership announced it was reviewing towing practices, and lawmakers quickly proposed a bill overhauling the state’s century-old towing statutes. Nearly every issue Altimari and Monk wrote about was included in the bill, which passed in May 2025 with nearly unanimous bipartisan support. Towing companies must now give people warning before removing vehicles from apartment parking lots unless there’s a safety issue, accept credit cards for fees, let people claim their belongings and wait at least 30 days before selling cars. A DMV task force created by the legislature to study how towing companies handle profits has expanded its scope to other parts of the law, and just last week, the state Senate passed a bill that would create an online portal so Connecticut drivers can track their towed cars and require towing companies to consider the age of towed vehicles before they’re sold.
From left: deputy data editor Hannah Fresques, assistant managing editor Sarah Blustain, senior editor Michael Grabell and managing editor, local, Charles Ornstein. ProPublica and Local Reporting Network partner The Connecticut Mirror won the Pulitzer Prize for local reporting for a series that exposed a wide range of abuses committed by towing companies.Zaydee Sanchez/ProPublica
“Our investigation of Connecticut towing companies is exactly what we envisioned when we created the Local Reporting Network,” said Charles Ornstein, ProPublica’s managing editor for local. “Start with strong local journalists who have good ideas, give them the time and resources to pursue them to their fullest potential, add to the mix ProPublica’s top-notch editing and specialty teams and watch what happens.” Since the Local Reporting Network’s launch in 2018, ProPublica has partnered with nearly 100 newsrooms supporting in-depth reporting in communities across the United States.
In “Rx Roulette,” reporters Debbie Cenziper, Megan Rose and Brandon Roberts uncovered how a secret group inside the FDA has quietly allowed dangerous drugmakers to continue selling generic medications from known substandard overseas factories that have been banned from the U.S. market. The agency failed to warn doctors or patients about the exempted drugs and did not routinely test these drugs for safety or quality, putting the public at risk.
The series also revealed that basic information about where generic drugs are made is fragmented, obscured and effectively inaccessible to consumers — making it impossible for people to see if their medications are made at troubled factories — even though generics account for about 90% of U.S. prescriptions. The team, which included members of ProPublica’s data and news apps teams and over a dozen students from Northwestern University’s Medill Investigative Lab, interviewed more than 300 people, filed almost 40 Freedom of Information Act requests and sued the FDA to obtain records, ultimately constructing a publicly available database of 40,000 generic medications and their factory inspection histories — the first comprehensive list of drugs shipped from banned factories.
Citing ProPublica’s investigation, the Senate Special Committee on Aging has demanded the FDA conduct more drug testing and alert hospitals and other purchasers when manufacturers with safety failures are given exemptions from import bans. Senators are also calling for an immediate accounting of the exemptions. A bipartisan group of senators introduced legislation in February that requires drug labels to identify where the medication was made, bringing more transparency and accountability to the generic drug industry.
As the Trump administration dismantled the nation’s long-standing foreign aid system, USAID, ProPublica reporters Anna Maria Barry-Jester and Brett Murphy documented the deadly global fallout and identified the Trump officials directly responsible in “The End of Aid.” They connected the resulting harm, including deaths of people who depended on the aid, to the U.S. policymakers and political appointees responsible for the cuts. The reporters then traveled to war-torn South Sudan to document the return of cholera after essential services stopped and to Kenya’s Kakuma refugee camp, where more than 300,000 people saw their food rations cut after the U.S. severed funding for the World Food Program.
The stories sparked immediate outcry. Experts, attorneys, nonprofits and lawmakers asked the Trump administration to change course, and ProPublica’s reporting was cited in legal filings and congressional inquiries challenging the dismantling of USAID. Rep. Gregory Meeks, ranking member of the House Foreign Affairs Committee, sent multiple letters to Secretary of State Marco Rubio, citing the coverage and pressing him to explain his claim before Congress that no deaths had resulted from the administration’s actions.
After Barry-Jester and Murphy discovered that USAID staff were told to shred and burn classified documents, legal experts filed complaints with the National Archives, and Democracy Forward and the Public Citizen Litigation Group filed a motion for an emergency temporary restraining order to stop the destruction of federal records. And after ProPublica raised questions about an Agent Orange cleanup in Vietnam that had stalled due to USAID funding cuts, putting hundreds of thousands at risk for poisoning, the project received some U.S. funds to continue operating.
“We are proud to be doing work that brings accountability at the state, national and international level,” said Stephen Engelberg, ProPublica’s editor in chief. “Our two finalists and winning entry with The Connecticut Mirror demonstrate yet again the power of investigative reporting to expose wrongs and spur changes in the lives of ordinary people.”
From left: journalists Megan Rose, Debbie Cenziper, Brandon Roberts and Anna Maria Barry-Jester, alongside Fresques and Grabell. Two ProPublica investigations, on the Food and Drug Administration and on the U.S. Agency for International Development, were named Pulitzer finalists.Zaydee Sanchez/ProPublica
“On the Hook”: Shahrzad Rasekh, José Luis Martínez, Asia Fields, Elizabeth Hamilton, Michael Grabell, Shoshana Gordon, Peter DiCampo, Rachel Molenda, Sarah Blustain, Charles Ornstein, Ken B. Morales, Agnel Philip, Ryan Little, Hannah Fresques, Alissandra Calderon, Olivia Walton, Ariana Tobin, Stephen Busemeyer, Andrew Brown, Anuj Shrestha, Julia Rothman, Grace Palmieri, Kristine Malicse, Gabby DeBenedictis, Diego Sorbara, Emily Goldstein, Colleen Barry, Jack Putterman, Roman Broszkowski and Ryanne Mena contributed to the series.
“Rx Roulette”: Kevin Uhrmacher, Ruth Talbot, Alison Kodjak, Nick Varchaver, Alexandra Zayas, Tracy Weber, Caitlin Kelly, Ken Schwenke, Lucas Waldron, Ashley Clarke, Nick McMillan, Carissa Quiambao, Haley Clark, Joanna Shan, Diego Sorbara, Colleen Barry, Emily Goldstein, Lisa Larson-Walker, Anna Donlan, Grace Palmieri, Kassie Navarro, Sam Cooney, Chris Morran, Isabelle Yan, Jeff Frankl, Pratheek Rebala, Andrea Suozzo, Al Shaw, Alec Glassford, Irena Hwang, Nat Lash, Aaron Brezel, Melody Kramer, Alice Crites, Vidya Krishnan and Andrea Wise contributed to the series.
Students from the Medill Investigative Lab in Washington, D.C., also contributed: Haajrah Gilani, Emma McNamee, Julian Andreone, Isabela Lisco, Aidan Johnstone, Megija Medne, Yiqing Wang, Phillip Powell, Gideon Pardo, Casey He, Lindsey Byman, Josh Sukoff, Kunjal Bastola, Shae Lake, Alyce Brown, Katherine Dailey, Anavi Prakash, Jessie Nguyen, Sinyi Au, Zhiyu Solstice Luo, Kate McQuarrie, Sadie Leite, Victoria Malis, Tianyi Wang, Gabby Shell, Zara Norman and Naisha Roy.
“The End of Aid”: Sarah Childress, Jesse Eisinger, Tracy Weber, Stephen Engelberg, Lisa Larson-Walker, Boyzell Hosey, Alex Bandoni, Peter DiCampo, Lena Groeger, Chris Alcantara, Chris Morran, Alexis Stephens, Alex Mierjeski, Molly Redden, Maryam Jameel, Ashley Clarke, Pratheek Rebala, Emily Goldstein, Olivia Walton, Diego Sorbara, Colleen Barry, Brian Otieno, Phoebe Ouma, Le Van, Yiel Awat and Ngoc Nguyen contributed to the series. The ProPublica tips truck was a key component for generating sources.
1 in 5 amputees in Gaza is a child, UN warns amid prosthetic care crisis
12 years old Palestinian Mohammed al-Mubayyid, who lost a leg in an Israeli attack on Gaza’s Al-Zeitoun neighborhood, is seen on a wheelchair in Gaza Strip on December 03, 2025. [Saeed M. M. T. Jaras – Anadolu Agency]
The UN on Monday warned that one in five amputees in the Gaza Strip is a child, as a critical shortage of prosthetic specialists and restricted entry of materials leave thousands without adequate care, Anadolu reports.
“On health, concerns remain over skin diseases and other medical issues linked to the presence of pests and rodents,” said UN spokesperson Stephane Dujarric at a news conference, adding that more than 6,600 people need prosthetic and rehabilitation care.
“That includes thousands of people who have received amputations since October 2023, yet only eight prosthetic technicians are available to respond,” he said.
Warning that “with severe shortages of specialists and restricted entry of prosthetic materials, it could take five years or more to meet today’s needs,” Dujarric stressed that “one in five amputees is a child.”
Dujarric stressed that “international prosthetic technicians are urgently needed, as well as the unimpeded entry of prosthetic materials, which remain restricted by the Israeli authorities.”
Israel has imposed a crippling blockade on the Gaza Strip since 2007, leaving the territory’s 2.4 million people on the verge of starvation.
It launched a brutal two-year offensive on Gaza in October 2023, killing more than 72,000 people, injuring over 172,000, and causing massive destruction across the besieged territory.
Unofficial vibe-coded “Notepad++ for Mac” draws objections from original author
As its name implies, the venerable Notepad++ text editor began as a more capable version of the classic Windows Notepad, with features such as line numbering and syntax highlighting. It was created in 2003 by Don Ho, who continues to be its primary author and maintainer, and it has been a Windows-exclusive app throughout its existence (older Notepad++ versions support OSes as old as Windows 95; the current version officially supports everything going back to Windows 7).
I’m not a devoted user of the app, but I was aware of its history, which is why I was surprised to see news of a “Notepad++ for Mac” port making the rounds last week, as though it were a port of the original available from the Notepad++ website.
Apparently, this news surprised Ho as well, who claims that the Mac version and its author, Andrey Letov, are “using the Notepad++ trademark (the name) without permission.”
“This is misleading, inappropriate, and frankly disrespectful to both the project and its users,” Ho wrote. “It has already fooled people—including tech media—into believing this is an official release. To be crystal clear: Notepad++ has never released a macOS version. Anyone claiming otherwise is simply riding on the Notepad++ name.”
An escalating back-and-forth
Further communication between Ho and Letov can be found in a Notepad++ GitHub thread, where Ho said he had been contacted by Letov before the Notepad++ for Mac app had launched, but that he hadn’t had time to reply.
“The problem is that using the official name Notepad++ and its logo gives the impression that your project is an official macOS version maintained or endorsed by the Notepad++ team, which is not the case,” wrote Ho in an email to Letov that he reposted to GitHub. “This create [sic] confusion for users and exposes both you and the project to trademark issues.”
Letov responded two days later, saying he hadn’t meant to insinuate that Ho was involved with the Notepad++ for Mac project. But he did insist that his port “actually expands notepad++ brand to mac” and expressed hope that Ho would allow him to continue to use the name. Ho responded, again asking Letov to stop using the Notepad++ name and logo and to change the project’s URL so that users would not mistake the project for an official Notepad++ port and contact Ho looking for support.
“I will prep for the site and some naming changes,” wrote Letov. “Give me a couple of weeks. My intention was to expand your brand. I really hope that at some point in the future you change your mind and see this as a positive growth for your brand.”
At this point, Ho seemed to lose patience with Letov’s responses, particularly with being asked to allow Letov to continue using the Notepad++ name for “a couple of weeks.” Ho reported the use of the Notepad++ trademark to Cloudflare, the CDN of the Notepad++ for Mac site, and asked Letov to take it down.
“Every day that website remains active, you are in further violation of the law,” Ho wrote earlier today. “I cannot authorize a ‘week or two’ of continued trademark infringement.”
Letov began changing the website two days ago, though at first he claimed to be making these changes “in coordination with Don Ho.” This drew further accusations from other GitHub users that he was trying to misrepresent the port’s relationship to the original project.
Those changes continue and have ramped up over the last few hours; the app will now be called “NextPad++,” an homage to NeXT Computer, and uses a frog icon rather than the Notepad++ lizard. The original version, along with the authors page that lists Ho beneath Letove, is available via Internet Archive snapshots.
Letov claims that the app’s name will change in version 1.0.6. Version 1.0.5, with the Notepad++ logo and branding intact, is available for download. The project’s URL also hasn’t changed.
A seemingly thoughtful but low-effort port
The “Notepad++ for Mac” app looks right, but there are reasons to prefer an “official” port when you can get one.
Credit: NextPad++
The “Notepad++ for Mac” app looks right, but there are reasons to prefer an “official” port when you can get one. Credit: NextPad++
I had considered writing about Notepad++ for Mac last week, but lost a bit of interest after discovering it was “an independent community port” rather than an official release—independent ports and forks are all well and good, but an official release implies ongoing updates and support, where an “independent community port” might fade away or vanish entirely as soon as its creator gets bored and/or moves on.
But I continued to dig because, at a glance, it seemed like an exceptionally thoughtful community port. It supported macOS versions dating back to 11.0 Big Sur on both Intel and Apple Silicon processors. It was a native macOS app with a Cocoa user interface that replaces the original Win32 interface rather than translating it or using a wrapper. The app seemed to be lightweight and clean, as promised. And it was properly notarized so that users could download and launch it relatively easily—not a given, for many independent and/or open source Mac software projects.
But I paused when I hit Letov’s About page, which mentioned being “deep in multi-agent AI” and showed a flurry of GitHub commits that happened exclusively in March and April 2026. The Notepad++ for Mac page made no mention of the project being AI-coded, but when contacted for comment, Letov confirmed that both the Notepad++ for Mac app and the website were created at least partially using Anthropic’s Claude CLI.
“I primarily use Claude CLI with some customizations to run multiple agents and also Codex plugin for VSS. I also use Beads,” Letov told Ars. “Website is also partly managed using Claude CLI plus some manual work on graphics.”
“I run some agents that scan for Issues and general issues reported, list/create options to implement features and fixes. I usually review most and decide on the path,” Letov continued when asked how much human oversight the project had. “Also UIs are not as easily tested by AI as backend code and some things have to be thought through and build iteratively.”
It’s not that I think the use of AI coding tools should be disqualifying in and of itself. AI coding tools do have real utility, and many companies and projects are making at least some use of them; you likely are running or will eventually run an app containing AI-generated code whether you want to or not. But the port being both “independent” and AI-generated heightens my existing concerns about ongoing support and the developer’s capability to address bug reports and merge upstream code.
And, as Ho and other users warned in the GitHub thread, downloading an unvetted unofficial port of a project can increase your risk of downloading malware.
NATO’s Rutte says Europeans have ‘gotten message’ from Trump
European nations have “gotten the message” from U.S. President Donald Trump and are now ensuring that agreements on the use of military bases are being implemented, NATO Secretary General Mark Rutte said on Monday.
Trump has accused some NATO nations of not doing enough to support the United States in the Iran war. In a further sign of his discontent with European allies, the U.S. announced on Friday plans to withdraw 5,000 troops from Germany.
“Yes, there has been some disappointment from the U.S. side, but Europeans have listened,” Rutte told reporters at a European Political Community summit in Armenia.
“They are now making sure that all the bilateral basing agreements are being implemented,” he said.
NATO member Spain has said that military bases on its territory cannot be used for the war with Iran. But Rutte said other NATO countries such as Montenegro, Croatia, Romania, Portugal, Greece, Italy, Britain, France and Germany were implementing requests for the use of bases and other logistical support.
Rutte also said “more and more” European nations were pre-positioning assets such as minehunters and minesweepers close to the Gulf to be ready for a “next phase”.
Multiple European nations have said they are willing to take part in a mission to help ensure freedom of navigation through the Strait of Hormuz once the war is over.
China invokes rules to blunt US sanctions on ‘teapot’ refiners
China has invoked a five-year-old legal instrument for the first time to block the enforcement of United States sanctions on five mainland “teapot” oil refiners, including the newly sanctioned Hengli Petrochemical (Dalian) Refinery, which was accused of buying Iranian crude despite US restrictions.
Citing the Rules on Counteracting Unjustified Extraterritorial Application of Foreign Legislation and Other Measures or the “Blocking Rules,” the Chinese Ministry of Commerce said on May 2 that US sanctions placing the five Chinese petrochemical firms on the Specially Designated Nationals (SDN) list, along with asset freezes and transaction bans, “shall not be recognized, enforced or complied with” in China.
It said Chinese companies and banks must not participate in such sanctions, but did not clarify whether the prohibition extends to Hong Kong, where a significant share of China-Iran oil transactions is settled.
The five US-sanctioned Chinese oil refiners and the dates of the US measures are:
“Since March 2025, OFAC has designated multiple China-based teapot refineries that have collectively processed billions of dollars’ worth of Iranian-origin oil, ultimately benefitting the Iranian regime,” the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) said on April 28.
“Financial institutions should be on notice that the department is leveraging the full range of available tools and authorities and is prepared to deploy secondary sanctions against foreign financial institutions that continue to support Iran’s activities,” it said.
Chinese commentators and state media said the first use of the Blocking Rules, which were passed five years ago, reflects Beijing’s “measured and justified” approach to handling foreign-related legal disputes, marking a shift from keeping legal tools in reserve to deploying them in practice against unilateral sanctions.
“The Blocking Rules were invoked because the US has frequently abused unilateral sanctions and long arm jurisdiction, acting as a ‘world police’ and using sanctions to restrict the normal economic and trade activities of Chinese companies,” Liu Chunsheng, an associate professor at the School of International Trade and Economics at Central University of Finance and Economics, told the Hong Kong China News Agency. “In essence, this is a form of economic and trade bullying aimed at forcing other countries to comply.”
“The rules are one such legal tool to counter unreasonable external sanctions, protect the legitimate overseas business rights of Chinese companies, safeguard the security of industrial and supply chains and maintain a fair international economic and trade order,” he said.
He added that China has also set an important example, providing a useful reference for other countries, especially developing economies, to respond to such economic sanctions and trade bullying.
“Since 2025, the US has imposed sanctions on Chinese refining, shipping and port companies over their involvement in Iranian oil trade, freezing assets and banning transactions,” said Cui Fan, a professor at the School of International Trade and Economics at the University of International Business and Economics and chief expert at the China Society for World Trade Organization Studies.
“It has ignored Chinese companies’ claims to legitimate rights, expanded the scope of sanctions and adopted increasingly aggressive measures,” he said.
“If China allows this to continue, this will disrupt the stability of China’s energy supply chain and harm its energy security and development interests,” he said. “In this context, using the Blocking Rules is a necessary step to safeguard China’s national and corporate interests, while the framework also provides institutional mechanisms to protect the lawful rights of Chinese citizens, legal entities and other organizations.”
He pointed out that the US Treasury’s SDN list now includes about 18,900 entities and individuals, including more than 1,100 linked to mainland China and over 400 connected to Hong Kong, and that the so-called 50% rule extends the impact to a wide network of affiliated companies.
The United States’ 50% rule means that any entity owned, directly or indirectly, 50% or more by one or more sanctioned parties is also treated as blocked, even if it is not explicitly listed, effectively preventing the use of subsidiaries or affiliates to circumvent restrictions.
The dispute has further fueled political tensions between Beijing and Washington ahead of US President Donald Trump’s planned meeting with Chinese President Xi Jinping in China on May 13 and 14. The two leaders are expected to discuss a range of issues, including the ongoing conflicts in Ukraine and Iran, as well as trade frictions and export control measures.
Bank of Kunlun
On April 15, Treasury Secretary Scott Bessent said the US had sent letters to two Chinese banks warning them of the risk of secondary sanctions if they are found to be supporting transactions tied to Iran. He did not disclose the names of banks.
On April 24, the OFAC added Hengli Petrochemical (Dalian) Refinery to the SDN list, describing it as one of Tehran’s most valued customers. It also sanctioned around 40 shipping firms and vessels alleged to be operating as part of Iran’s so-called shadow fleet. On April 28, it warned financial institutions about secondary sanctions risks associated with China’s independent “teapot” refineries.
Despite Washington’s strong warnings, Beijing did not back down. On May 2, it invoked the Blocking Rules, a legal framework adopted at the end of Donald Trump’s first term in January 2021. The rules empower the Ministry of Commerce to lead an interagency working mechanism, together with the state planner and other departments, to assess whether foreign laws and measures constitute improper extraterritorial application.
The mechanism considers four main factors:
whether the measure violates international law or basic norms of international relations
potential impact on China’s sovereignty, security and development interests
potential impact on the lawful rights and interests of Chinese citizens, legal entities and other organizations
other relevant factors
The rules also allow companies and banks to apply for exemptions. Parties seeking to comply with a restricted foreign measure must submit a written request to the Ministry of Commerce outlining the reasons and scope. The ministry typically makes a decision within 30 days, or sooner in urgent cases.
Some observers said such an arrangement could allow large banks with global operations and US-based assets to comply with US sanctions, while smaller local banks continue to settle Iranian oil trade transactions and face the associated risks.
Zhou Chengyang, a Chinese current affairs commentator, told Sputnik that “teapot” refiners such as Hengli are expected to continue settling crude purchases in renminbi, using a mix of strategic reserves and market-based procurement to diversify settlement channels and ensure the security of their oil supply operations.
In July 2012, OFAC added China’s Bank of Kunlun to its SDN List for its role in settling Iranian oil trade transactions, thereby kicking it out of the global SWIFT system.
In 2019, the bank was also placed on OFAC’s Correspondent Account, or Payable Through Account (CAPTA) Sanctions list, a non-SDN designation that restricts foreign financial institutions from maintaining or opening US correspondent accounts for the entity. While the SDN list imposes a full asset freeze, the CAPTA list focuses on limiting access to the US financial system.
Chinese media said that despite US sanctions, the Bank of Kunlun has continued to settle oil transactions linked to Iran and Russia through China’s Cross-Border Interbank Payment System (CIPS). The bank has relied on a barter-like clearing mechanism in which payments are offset through matched trade flows rather than direct dollar transfers.
In practice, Chinese importers and Iranian buyers settle accounts via reciprocal credits through partner banks, allowing trade to proceed without using US dollars.
![12 years old Palestinian Mohammed al-Mubayyid, who lost a leg in an Israeli attack on Gaza’s Al-Zeitoun neighborhood, is seen on a wheelchair in Gaza Strip on December 03, 2025. [Saeed M. M. T. Jaras - Anadolu Agency]](https://i0.wp.com/www.middleeastmonitor.com/wp-content/uploads/2025/12/AA-20251203-39880309-39880300-PALESTINIAN_CHILD_CONFINED_TO_A_WHEELCHAIR_AFTER_LOSING_HIS_LEG_IN_ISRAELI_ATTACK-1.jpg?fit=920%2C613&ssl=1)
