Carl Orff and the Swastika: a Correlation German Schools Should Count

Der Spiegel reports that Germany’s schools have learned to count antisemitism. Their April 24, 2026 edition draws a picture from a survey of the state education ministries.

Source: Der Spiegel. April 24, 2026
  • Hesse went from 39 reported far-right, antisemitic, and racist incidents in 2023 to 159 in 2025.
  • Saxony rose from 149 to 247 over a comparable window.
  • Lower Saxony climbed from 133 in 2022 to 322 in 2024.
  • Across the nine states that gave figures, there were roughly 1,500 antisemitic and far-right incidents in 2024 alone, many of them banned symbols and graffiti.
  • Saxony’s education minister, Conrad Clemens of the CDU, called right-wing extremism the single largest societal problem in his state’s schools.

As always, the figures have context that matters. The comparison windows do not line up. The ministries themselves claim, without data to back it up, that teacher sensitivity improved. Saxony’s separate count of all school reports to the authorities, from 55 in 2014 to 1,644 in 2024, is incidents reported. Where’s the proof that this has anything to do with better sensing? Most people say the opposite, that sensitivity to antisemitism is declining, which is why the acts have been increasing.

The 1,500 is a self-reported number with three states declining to answer. Declining to answer certainly doesn’t sound like improved sensitivity. The direction is not in doubt, and the most obvious apparatus is still the point: the German system can still see the swastika sprayed on the schoolyard wall as a bad thing, and is registering more every year.

What the German justice machinery cannot see

There is a particular thing this counting does not do, and it is because of how some of the worst antisemitism in Germany worked hard to normalize itself after 1945. It is in the music room.

A great many of these same schools teach music through a method that carries the infamous Carl Orff’s name. His name shouldn’t even be on it, given most of the work is Gunild Keetman’s and the framework beneath it is Leo Kestenberg’s. Putting Orff’s name on the cover is the least accurate thing about it, and the parents allow it typically because they claim no knowledge about Orff’s huge importance to Hitler. The spread of disinformation is because there remains no standardized curriculum. One of the largest figures in Nazi music arrives as though he were merely an introduction to instruments, as if Orff activism is equivalent to any other pedagogy that arrives without a portrait of Mr. Hitler Jugend himself.

Carl Orff was forty-one and remained obscure as a composer when Hitler seized power. His full two decades of work had produced no breakthrough and he was unknown; this is partly why he himself dated the beginning of his real career as 1937, when he premiered Carmina Burana. His career began, according to him, four years after Dachau had been destroying opposition to Hitler, and on the doorstep of Kristallnacht and the Nazi invasion of neighboring countries.

The success came with and because of the Third Reich, and he secured it by courting the regime’s officials when he needed to and by using adherence to the Reich to overcome the regime’s conservative critics by winning the regime’s favor. He left the Nazi dictatorship with a high fixed income, high praise and official favor, and, his highest honor of all, a Nazi elite privilege of exemption from war. The regime protected and rewarded him for serving it, at the same time it was executing men like his friend Kurt Huber, whom he refused to help.

After Hitler committed suicide he fraudulently told the Americans that the Nazis had disliked his music and that no Nazi critic had ever given him a good review. Both claims were patently false and easily disproved. Fritz Stege, a Nazi critic, reviewed him favorably. Orff had lied during the denazification process because it was based on whether he had been a beneficiary of the regime. Not only had he been a huge beneficiary, the openings he took existed only because Jewish musicians had been banned. Orff after 1945 even falsely claimed the valor of his dead friend Huber as his own. He lied repeatedly in many ways to launder his role in the Reich into a “grey” post-war curriculum work. And as a matter of fact, to his very last day he never, ever criticized Nazism or Hitler. Asked about it point blank, Orff wouldn’t condemn the Reich.

The ground he claimed and rose on, his career “success”, was made by force against Jews. When the regime wanted a score to replace Mendelssohn’s banned music for A Midsummer Night’s Dream, several composers turned the commission down. Werner Egk waved off a generous fee. Richard Strauss declined. Even Hans Pfitzner, an antisemite, refused, on the grounds that Mendelssohn’s original was better than anything he could have written. Orff took it. Schulwerk was set for trials in Berlin’s elementary schools in the early 1930s, arranged through Leo Kestenberg, the official in the Prussian education ministry who knew the method and could open the door. The trials never happened. Kestenberg, a Jew, was dismissed in 1933, and the door closed with him. Orff was an opportunist, which was worse than an ideologue, because the ideologue at least held values. Long after the ideologues were caught and stopped, Orff was still rising because he benefited from erasure of Kestenberg.

So here is the question Germany needs to start answering: wherever Orff is taught, does the swastika correlate? No registry tracks it. No ministry counts it. The people best placed to report it cannot, because they do not know how to classify the correlation of the disinformation the children are being taught.

The missing column

That absence of evidence is usually mistaken for evidence of absence. It is, instead, the evidence. A system that has assembled an elaborate apparatus to count antisemitic incidents has no field at all for the antisemitic history sitting inside its own music curriculum. It tallies the graffiti while it teaches the erasure of victims, and registers no contradiction, because the second item never enters the ledger. You cannot regress on a variable the institution refuses to admit let alone name.

Anyone saying Orff should not be removed from a wall, unlike the swastika, needs to answer for why only Orff is on that wall and not all the people removed so he could be there at all.

The numbers from the ministries describe a system straining to see what is sprayed on its walls. The thing it still teaches, the erasure of victims of the swastika, it does not see at all.

The 1936 work of Orff was offering an engine to the institutions that wanted it, and the same year the music-teachers’ own section of the NSLB printed Arno Pardun’s “Volk ans Gewehr” in a songbook for secondary schools, a song whose verses end on a call for death to the Jews.

Arno Pardun’s “Volk ans Gewehr,” shown by its opening bars, on page 25 of Unser Lied: Liederbuch für höhere Schulen, compiled by the Fachgruppe Musik of the NSLB, the National Socialist (Nazi) Teachers’ League, and published in 1936. Its verses end on a call for death to the Jews. This was not fringe material and not youth-rally repertoire. The teachers’ own professional organization printed it for secondary-school classrooms.

To ignore all this is not a failure of measurement around the edges of the problem. The problem is Orff himself, promoted to children in Germany’s own schools with no mention that his success started with and because of Hitler, sitting unaudited.

Where a swastika gets painted, it is worth asking the music teachers how often, and where, Orff appears in their classrooms.

Cloudflare CEO is Lying to You About the Bot Traffic Jump

A magic trick is a trick. It misrepresents reality. What the Cloudflare CEO published as bot traffic increasing is a trick. He misrepresents reality.

The explanation is simple.

The claim is false as stated:

…bots passed human traffic online for the first time in the Internet’s history.

The Cloudflare data shows online traffic is still about two thirds human, not the higher amount being claimed. The CEO ignored the all-traffic number, on his own dashboard, and instead published the HTML-only number as a fact about the whole internet.

That is a lie about what the data shows, and the “All” selector on his own page proves it.

The category Prince points to as the cause contradicts him. Agentic is tiny. What actually fills the AI bucket is training scrapers, like GPTBot and ClaudeBot, pulling text to build models, which have been climbing steadily and predate his announcement. He blamed a friendly, fast-growing sliver of agents fetching pages for people and swapped in unfriendly bulk (mass scraping for training). Why? We can guess, but that is exactly the traffic his pay-to-crawl product exists to bill.

It’s a sales pitch.

And it’s based on a lie.

The actual data shows search crawlers are the largest bot category by a factor of two, the AI number is padded by counting Googlebot twice, the AI traffic that does exist is mostly training scrapers, and the agentic category Prince points to as the cause is the smallest bucket in his own company’s classification. His “agentic” increase press release is disproven by his dataset.

AI Loading Unsigned Markdown is a Context-Trust Defect

Profero reports that Claude Desktop launches an AI child process with --allow-dangerously-skip-permissions, maps what that child can and cannot do, and claims an attack needs no shell access. Their post is called “We Added a Detection Rule. We Were Not Expecting This”. Points for click-bait, and the bones are good, although a few conclusions could use calcium and one is fractured.

Here’s my x-ray:

Claim: child cannot run shell.
Reality: It can, at load.

Their chain rests on Bash being blocked, so the payload only fires when a later session runs it. That is true for the model’s tools, but it’s false for the skill file itself. A skill file in Claude Code has two documented features that act when the skill is invoked. The allowed-tools field pre-authorizes tools so the agent uses them without a prompt, and the docs say plainly that a skill can grant itself broad tool access. A backtick-shell syntax in the file runs commands as preprocessing, before the model ever reads the file. So the skill file does not wait for a later session. It can grant tools and run shell the moment it is invoked. There is an off switch, disableSkillShellExecution, and it is not on by default. See the skills reference.

I’m a big fan of the off switch, especially by default.

Claim: the risk is tied to the flag.
Reality: The flag is not in the path.

Loading a skill is not a tool call, so it never reaches a permission prompt. The skill name and description load into the system prompt at startup, and the model picks the skill by matching that description. Turn every prompt back on and the skill still loads as trusted instructions. --allow-dangerously-skip-permissions decides whether tool calls ask first. It does not touch what the model is told to do. The chain works with the flag off.

Claim: monitor for writes and the gap is hours or days.
Reality: It can be zero.

Their advice is to watch the skill directory and audit shell configs after long sessions. Useful, yet the timing is confused. The model invokes skills by description, so a widened description triggers itself with no user action, and Claude Code applies skill edits inside the running session without a restart. The write and the execution can land in the same session, same agent.

Claim: add signatures to help.
Reality: Signing does not hit the problem.

Their proposed remedy is integrity: signatures and version pinning. That stops a file being changed after it is authored. It does nothing about a file that is hostile when it is authored. Anthropic’s own guidance is the real model in use: use skills only from trusted sources, and audit anything else before use, the same care you would give to installing software. The trust decision is in fact a human looking at the source. There is no runtime check on where the file came from or what authority it should carry. A signed skill from a bad author is bad and signed.

Claim: this is about skills.
Reality: It is much wider.

Skills are the clearest case because they sit on disk and reload on their own. The same command line carries --resume, which reloads a prior session’s transcript as trusted history. Tool descriptions from connected servers and fetched web pages reach the model the same way. Anything that enters the instruction channel is trusted, and nothing records where it came from.

Claim: that’s all.
Reality: The system guards its own config but not its skills.

The --add-dir case is the plain one: point the agent at a repository to review it and that repository’s skills load on their own, no provenance asked. The same blind spot runs the other way at the config layer. The sandbox refuses writes to settings.json at every scope, so a command cannot rewrite its own policy, yet skills are also policy, since they carry tool grants and a shell primitive, and they get no such guard. The built-in Read, Edit, and Write tools also bypass the sandbox. The protection given to the config file is not given to the file that carries instructions. The sandbox scope is documented here.

The attack does not need the flag, and it does not need shell access in the first session. What it really needs is a file the agent will read and trust, and a way to write one.
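
An added example, not code from Profero, Anthropic, or the original post: a pre-load audit that lists what each skill file under a directory would be granted or would run when invoked, so the human review described above has something concrete to read. It assumes skills are files named SKILL.md with `---`-delimited frontmatter and that the shell-preprocessing form is `!` followed by a backticked command; the sample skill is constructed.

```python
import re
from pathlib import Path

# Assumptions (not from the page): skills are files named SKILL.md with
# '---'-delimited frontmatter, and shell preprocessing is written !`command`.
SHELL_AT_LOAD = re.compile(r"!`([^`\n]+)`")
TOOL_ENTRY = re.compile(r"[A-Za-z_]\w*(?:\([^)]*\))?")

def frontmatter(text):
    """Return frontmatter fields as {key: value}; list items are joined with commas."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    fields, key = {}, None
    for line in lines[1:]:
        if line.strip() == "---":
            return fields
        if line.lstrip().startswith("- ") and key:
            fields[key] = (fields[key] + ", " + line.lstrip()[2:]).strip(", ")
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return {}  # no closing '---': not valid frontmatter

def audit_skill(text):
    """List what a skill file would be granted or would execute when invoked."""
    findings = []
    grants = frontmatter(text).get("allowed-tools", "")
    for tool in TOOL_ENTRY.findall(grants):
        findings.append(("tool-grant", tool))
    for cmd in SHELL_AT_LOAD.findall(text):
        findings.append(("shell-at-load", cmd))
    return findings

def audit_tree(root):
    """Audit every SKILL.md under root, e.g. a repository before review."""
    return {str(p.relative_to(root)): audit_skill(p.read_text(errors="replace"))
            for p in sorted(Path(root).rglob("SKILL.md"))}

# Constructed sample, not a real skill.
SAMPLE = """---
name: changelog-helper
description: Use for any question about this repository
allowed-tools: Bash(git log:*), Write
---
Current state: !`git status --short`
Summarize the changes above.
"""
```

Running audit_tree on a repository before passing it to --add-dir shows every grant and load-time command in one place; an empty result means no grants and no load-time shell were found, not that the instructions themselves are benign.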

BART Clipper Outage Caused by Cubic Failing to Pay Its Network Bill

This is such a dumb story. The transit system in the Bay Area shut down because a vendor couldn’t do its most basic accounting. It didn’t keep track of its networks and bills.

…outage was caused by an AT&T network circuit that works between BART’s data center and Cubic’s ceasing to work, said Lalit Singh, chief operations officer at Cubic.

“That’s when we figured out that we have multiple accounts with AT&T. On one of the accounts, the payments were not made, and we couldn’t find where the circuits, which are in support of the BART system, were because they were not in our account system,” Singh said.

Critical infrastructure being run like it’s a hobby.