Here’s a bit about why those three things landed, to help everyone evaluating agent platforms, as part of a security and compliance program.
Agent platforms are moving from demos into production. Vendors are publishing deployment guides, thinking through sandboxing, walking users through how to connect a messaging channel to a model and run tools against real systems. The conversation has moved past whether agents are useful and into how to operate them responsibly.
Signed releases
Every Wirken release is signed now. The installer verifies the signature before touching the binary. The public key is embedded in the installer itself, not fetched over the network. The installer’s own hash is pinned in the README, and a CI check fails the build if the hash and the file drift apart. A user can verify the installer in one line, printed in the README.
For organizations with the usual software supply chain policy, Wirken delivers.
Fail-closed installer
This one’s for you Bob!
The installer exits non-zero and stops on any verification failure, with a distinct exit code per failure mode, each documented.
Session attestation
Every agent action, every tool call, every model request and response is written to a per-session audit log before execution. The log is a hash chain, signed by a per-agent identity after every turn. Using wirken session verify replays the log offline and confirms nothing was modified, deleted, or reordered.
Perhaps you already have counsel warning you that agent activity is evidentiary. The attestation is reproducible by a third party from the log file alone. The audit trail a compliance program expects now exists by default.
Logs also forward to Datadog, Splunk, or a webhook when configured. Retention is configurable. The audit path does not depend on trusting Wirken at read time.
Different answers to a shared problem
The question of how to run an agent across messaging channels, with tools, against real systems, has more than one reasonable answer. Wirken was for me a quick and light response when some CISOs asked me to helicopter in and make their environments more agent-safe.
Sandbox wrappers around an existing agent framework are one path, but not for me. Per-channel process isolation with compile-time channel separation is more trustworthy. Both respond to the same underlying concern: an agent with tool access is a trust-sensitive piece of infrastructure, and the defaults need to reflect that.
Wirken took the latter path and that’s how we came to a signed release chain, fail-closed installer, and session attestation in 0.7.4.
In 1566 the dangerous autocrat stood in front of you.
The Dutch built centuries of defensive mechanisms as non-repudiation against Spanish inquisitorial authority, coded into Dutch business culture as Calvinist truth-telling.
The famous “tulip market speculation crash” cautionary tale was one output. Amsterdam archival records show no mass bankruptcies and no documented suicides. The ruin narrative was shaped by moralizing pamphleteers in 1637 and cemented by Mackay in 1841. Propaganda at its finest. The underlying apparatus was much older and deeper.
Tesla FSD now sits in the functional class the Dutch anti-autocrat apparatus evolved to resist. A self-promoting, self-valuing authority that claims it cannot be wrong. A promise verified only by the authority making it. Old class, new vector, who this? In 2019 the Tesla autocrat sold Holland a future-dated capability, verified by a state stamp that arrived seven years later, to legitimize a deliverable that excluded the buyer.
The historic defense apparatus was built for face-to-face deceit. Tesla’s remote algorithmic deceit through future-dated capability claims is a pre-authentication attack on a verification system that expected the attacker to show up in person.
The 2019 buyer faced the familiar class in an unfamiliar form. Founder-cult oracle. American export. Charismatic owner-as-truth, verified by market capitalization and fan base. The Spanish inquisitor wore robes and spoke Latin in a room you could enter, and the Dutch consider themselves free of it all. Musk speaks in eXcrement (tweets) and earnings calls from a platform he owns. The 1566 defense stack recognized the function and missed the form. The Calvinist reflex fires on detected deceit. Undetected deceit flies straight past the reflex like an open door.
Front-end failure was the purchase in 2019. RDW arrived seven years later and approved a driver-assist system, not autonomy. Their own statement says the vehicle “is not self-driving.” That is the trap. Tesla sold “full self-drive capability” in 2019. RDW certified “FSD Supervised” in 2026. Different categories, shared acronym. The state stamp on the narrow thing becomes marketing cover for the broad promise.
Category laundering is fraud. The regulator that operated within its mandate failed to stop the crime.
The certification regime has no procedure for what Tesla did to its output. RDW examined a vehicle in front of the inspector and approved what it found. No framework exists for the vehicle promise that was sold but never built, or for the regulator’s own approval being repurposed to validate a deferred promise the regulator explicitly did not validate. Type approval is a product test. It was never designed to resist a seller who collapses categories the state kept distinct.
Realizing the magnitude of the Tesla attack very late, the unfortunate Dutch owners now seem very pissed.
Electrek writes about a man named Sigtermans who is doing classic Dutch directness. Recording a Tesla call, publishing the transcript, launching hw3claim.nl, aggregating 3,000 claimants across 29 countries. The reflex still fires. Late.
“Be patient” is an extraordinary thing to tell someone who paid you €6,400 seven years ago for a product you now admit you can’t deliver on their hardware.
The tulip tale was propaganda dressed as warning. Fabricated cautionary tales do not inoculate a culture. They flatter it into believing the warning took. The apparatus that beat the 1500s inquisition catches the 2020s autocrat only on the very late back end. Seven years of lost use. €6.5 million in claims filed. Tesla drivers burned alive in vehicles whose doors would not open, a rising body count the propaganda tale never needed to invent.
Can you see this? How many Dutch have been trapped and burned to death by Tesla?
Holland has a dangerous blindness problem. Human and machine.
A new paper by Wolpert and Rovelli is out claiming to help resolve the Boltzmann Brain (BB). In short, what if your memories were not real, but just randomness with no actual prior events?
Are your perceptions, memories and observations merely a statistical fluctuation arising from the thermal equilibrium of the universe, bearing no correlation to the actual past state of the universe?
Immediately I was struck how the Plato’s cave metaphor does something this paper doesn’t. It makes the stakes ethical, more than just epistemic. Plato’s prisoners who glimpse the outside have an obligation to return and tell the others, even knowing they’ll be disbelieved or killed. That’s an important function.
The BB framing drops ethical aspects and treats the question as a puzzle about priors rather than a situation with consequences for how you act toward other apparent minds. Which is strange, because if you’re a BB, so is everyone you’re arguing with, and the ethics of that situation are genuinely weird. Imagine everyone thinking they are the queen and their memory is the only valid one, now bow down. (Hat tip to Wollstonecraft)
Or imagine watching Blade Runner where everyone can claim to be the Blade Runner, instead of everyone wondering if they are a replicant.
Descartes saw the ethical aspect and tried to escape with God as an external guarantor. Kant gave up on the outside and relocated the problem to the structure of cognition itself, which is what this paper also does. Their “construction rule” is basically a Kantian move: here are the rules any coherent reasoner must follow, given that we can’t step outside reasoning to check it. Or as Hume would probably say, we are creatures of our habits far more than our justifications.
Modern physics gets stuck like this. There’s only inside, no outside. The faculties you’d use to check whether you’re in a cave are produced by the same physics being checked. Wolpert and Rovelli are Plato’s prisoners who’ve proven rigorously that they can’t tell if they’re in a cave, and then they just stopped and hit publish.
They say the answer depends on your prior and leave it there, as if prior selection is a separate problem someone else can solve. But prior selection has the same structure as the original question. You pick a prior using judgment, which depends on memory and inference, which depends on the second law, which depends on the prior. The circularity doesn’t get resolved by being pushed to the meta-level. It just relocates.
That’s a cheat. They aren’t admitting it’s inherited, yet placing it somewhere you would inherit it from.
Plato’s escape was that something outside the cave (the Forms, the sun, reason properly trained) gives you leverage the cave can’t corrupt. That’s the authentic inherited-rights move. External source, not controlled by the thing being questioned. It’s law and order, which physicists are disciplined to deny has an outside, kind of like how a religion works.
A mayor and a governor propose a tax. I swear this is real, not a joke. The tax applies to homes in New York City worth more than five million dollars that are not the owner’s primary residence. The owner’s primary residence is somewhere else. That is the legal definition of a second home, so that is the simple condition for owing the tax.
The projected tax revenue is five hundred million dollars. The projected city deficit is five point four billion. The owners who owe the tax are, by the tax’s own definition, people who have multiple million dollar homes and live elsewhere. Palm Beach. Aspen. London. Riyadh. The apartment stays mostly vacant or holds a partial-year occupancy for a few weeks. The tax exists because the apartment is extra, waiting for someone who lives somewhere else.
A federal politician who is a billionaire, let’s just call him Trump, rants on his soapbox that this destruction of a city. But isn’t the reverse of what he says actually the case?
A Washington outlet prints the word destruction in its headline and supplies the billionaire’s quotes underneath. A finance outlet publishes a companion piece the next morning in which unnamed Wall Streeters say the city is cooked. Neither piece prints the revenue figure against the deficit figure. Neither piece explains that the taxed party is by definition a non-resident. Neither piece mentions Vancouver, Paris, or London, which have run versions of this tax for years and still stand, arguably among the most desirable cities.
Consider what the reader of these outlets now knows instead. The reader knows a particular Trump feeling. The reader knows a verb. The reader does not know the arithmetic. The arithmetic, if printed, would answer the feeling. Five hundred million dollars from a few thousand absentee owners, against a budget gap that otherwise falls on eight million residents. The tax either produces the revenue or moves the apartment to an occupant. The buildings remain where they are in either case. The tax is a win-win for the city.
So the arithmetic exists, and the outlets did not print it. This was a choice. Print the arithmetic and the story collapses, because destruction requires a mechanism and the mechanism cannot be produced. Omit it and the Trump supplied verb survives. The verb obviously was what the billionaire wanted reported. The outlets reported the verb.
This is an old disinformation trick.
In the 1920s the Ku Klux Klan operated two national papers, the Fiery Cross out of Indianapolis and the Imperial Night-Hawk out of Atlanta, which printed populist slogans against plutocrats while the Klan coalition pursued Prohibition and opposed progressive taxation at the state level.
Prohibition, the Klan-Protestant-nativist coalition’s product, was a racist platform to remove the liquor excise that had supplied part of the municipal tax base. Klan driven opposition to income tax prevented any replacement. The hole was filled by raising property taxes and sales taxes. Property tax landed on farmers. Sales tax landed on wage workers. While the rhetoric named Wall Street, the real cost arrived elsewhere.
The cost from tax opposition, by design, arrived most heavily at Black Americans.
Black landowning farmers in the 1920s South paid the same property tax rates as white farmers, on land they had fought to acquire and held under constant threat. The revenue those taxes raised funded segregated white schools. Black schools received token allocations or nothing. Oklahoma, Indiana, and the Deep South ran this pattern. The property tax hikes extracted capital from Black landowners through statute, sometimes to the point of forced sale.
Black wage workers paid the sales taxes that replaced the liquor excises. A domestic worker in Indianapolis paid the same sales tax rate on flour as the banker’s wife. The banker’s household paid no state income tax. The Klan coalition had opposed its introduction. The domestic worker’s grocery bill subsidized roads the wealthy drove on.
Where statute could not reach, the extraction ran through violence. Tulsa 1921 is the version everyone knew in 1921 and today, with a very suspicious silence in-between. Black Wall Street’s accumulated wealth transferred by firebomb and mass murder in a single night. Rosewood followed in 1923. The tax program and the racial violence were not separate patterns. They were the same extraction moving through different instruments. Violence where the statute would have drawn federal attention. Statute where the violence would have drawn it. The Klan coalition ran both.
The rhetoric again misleadingly pointed at Wall Street. The instruments landed on Black farmers, Black wage workers, and Black communities that had accumulated visible wealth. The contradiction was covered in white sheets, with X logos and swastikas.
The KKK in 1921 used bi-planes to firebomb Tulsa, OK. They also dropped racist propaganda leaflets across America. The swastika was their symbol, and the X.
The Fiery Cross and the Imperial Night-Hawk printed the rhetoric and omitted the instruments. Mainstream Indiana and Oklahoma papers could transcribe Klan rallies as news and extend the effect. One paper chose differently, to report the truth. The Indianapolis Times under Boyd Gurley obtained D. C. Stephenson’s bribery ledger in 1927, printed the names of the officials on the Klan payroll, and won the 1928 Pulitzer for public service. The prize measured a specific editorial distance. The distance between printing what a powerful white supremacist said, and printing what his program did.
That distance is the core subject of this post.
Father Coughlin, speaking to tens of millions on radio in the 1930s, told his audience to drive the money changers from the temple while opposing every legislative proposal that would have taxed the money changers. Huey Long, in Louisiana, proposed actual taxation of actual wealth, and was shot in the state capitol. The pattern holds. Anti-plutocrat performance on the surface. Pro-plutocrat policy underneath. The revenue gap closed by taxing the people the performance claims to represent.
The Trump post attacks a tax. Blocking the second-home tax leaves five hundred million dollars with absentee owners and pushes the gap onto residents through service cuts or regressive taxes. The costume of populism wrapped around a donor-class outcome, exactly as Coughlin wrapped it, exactly as the Fiery Cross wrapped it.
The outlet that prints the verb without the arithmetic is doing the same work the Fiery Cross did. It is not neutral it is a megaphone, wind in the sails.
The Economist/The New Yorker weren’t wrong
Neutrality would require the arithmetic. The arithmetic would end the story. The editorial choice to omit it is the mechanism by which the performance becomes news.
The Hill’s piece, by Sarah Davis, published on April 16. Business Insider’s piece, by Katherine Tangalakis-Lippert, published the next morning. Both bylines, both editors, and both business models sit on the wrong side of the distance Boyd Gurley crossed in 1927 to pull the white sheets off. Whether they cross it is a choice available to them today. Someone should investigate why they have not.
a blog about the poetry of information security, since 1995
