Security

AgenticGate: Gartner Expects 40% of Them Decommissioned

Leave a comment

Gartner warns 40% of enterprises could decommission agentic projects by next year. The cause it names is not the awful hallucination, not the spiraling cost, not the floundering model quality. It is failure at access control 101, because teams never separated an agent’s ability to act from the scope of access it was granted. (CIO Dive) That sounds like 100% territory to me, but hey, maybe Gartner knows 60% of enterprises don’t have security setup to tell them they’re doing things wrong.

There are two different things to consider.

  • Capability is the action the agent can attempt.
  • Access is what the runtime lets through.

When they are the same set, there is no control. The agent can do anything it can name.

A blanket trust domain has a sad history. Every channel, credential, and tool lives in one space like a single-user system (e.g. Microsoft DOS). A message from any source can drive any action against any credential. No per-channel isolation, no audit chain that survives the process, no credential rotation. Trust is granted once at the boundary, with no mechanism to re-check it.

This is how Microsoft ActiveX ended up on the scrap heap of history. Sign the control, load it, and it runs with the full authority of the host. The web spent a decade getting that dumb mistake out of its veins. And now agent runtimes, ignorant of history, apparently want to re-ship it.

Gartner offers four levels, observe, advise, act with approval, and act autonomously, a permission classifier. The levels are not the interesting part. The classifier is. A control works by forcing everything through it. An action the classifier never sees is not denied, it is a bypass: lowest tier, highest access, a silent breach, because nothing classified it. The permission system sits there looking all happy while the call path walks past it.

I’ve written before how OpenClaw is a disaster with more red flags than a Chinese military parade. Its code makes the point for me. At commit c70ae1c, every model-chosen tool call lands on one wrapper. The only inline guard before execution is a before-tool-call hook at line 152:

const hookOutcome = await runBeforeToolCallHook({ toolName: name, params, toolCallId });

That hook does loop detection and runs optional user hooks, then returns blocked: false when none are registered. It is not a permission control. Ten lines down, the action runs:

const rawResult = await tool.execute(toolCallId, executeParams, signal, onUpdate);

The controls that do exist, owner-only policy and the allowlist, are static filters applied once when the tool set is built, and never consulted again. Once a tool is in the set, every call is going to run without a decision. Capability and access collapse, like Gartner warns.

If you cannot point to the single place every action is classified, and show that an unregistered action fails closed, you do not have governance, let alone a proportional one. That is their decommission time-bomb for 2027: the agent had the capacity to do something it should not, because the action doesn’t get registered as something to check.

Security

The AI Money Loop: Where One Dollar Can Be Booked Twice

Leave a comment

Everyone keeps saying to me the same dollars are being counted twice by AI vendors. I hear you, so here’s what I came up with. The same four companies appear at the top of a cycle (they fund the labs) and again at the bottom (they get paid for the compute). The dollar does a cycle to land back where it started, counted twice.

Anthropic’s compute spend, for example, loops back to its own investors (Amazon, Google, Microsoft, Nvidia), while OpenAI’s biggest compute checks go to Oracle, which isn’t on its cap table.

Microsoft and Nvidia in November 2025 committed up to a combined $15 billion to Anthropic, pushing Anthropic’s valuation to around $350 billion, roughly double its $183 billion mark from September. In the same deal Anthropic committed to buy $30 billion of Azure compute and to contract up to one gigawatt more, plus up to a gigawatt of Nvidia Grace Blackwell and Vera Rubin systems.

Amazon went from $8 billion to a far larger commitment in April 2026, another $25 billion, against Anthropic’s pledge to spend more than $100 billion on AWS over ten years. Google, after earlier stakes totaling $3 billion, moved to invest $10 billion immediately with up to $30 billion more to follow, alongside access to up to a million TPUs.

So take Amazon and Alphabet as an example. When they put more money into Anthropic, they push its valuation up, and the stake they already own goes up with it, which they book as profit without Anthropic ever paying them a dollar. In Q1 2026, Amazon reported pre-tax gains of $16.8 billion from its Anthropic investment, which is more than half its pre-tax income for the quarter, and its $8 billion stake is now marked at more than $70 billion: a mark-to-market gain booked today against compute liabilities that will compound over a decade.

All that is to say only one real dollar is written down as the value in two places: an AI dollar has been setup to hit books twice.

Follow the money clockwise and see how it never leaves the family. The reported value is inflated because the same capital gets recognized by multiple parties, with no new outside money.
History, Security

Microsoft Spews the Sewage and Sues the Bottler

Leave a comment

Microsoft ships flaws. A lot of flaws. But I want to talk about just three of them, BlueHammer, RedSun, and UnDefend, because they are seeing exploitation in the wild. Two of the six are in BitLocker and Defender, the encryption and defense layer Microsoft ships as the reason to trust their platform.

This past January I said that position is already untenable. Gone. Doesn’t exist.

Windows Users Are Cooked: Microsoft’s Encryption Mushroom Cloud Isn’t Going Away

For months I have been warning people Windows can’t continue like this. It’s no longer sustainable and everyone must migrate. What “Nightmare Eclipse” has just demonstrated in public with three flaws is the thing we have been talking about openly for months. And by openly, I mean publishing proof-of-concept code is constitutionally protected speech in the US.

To be fair, aiding-or-enabling is different, and not protected, which I’ll get to in a second. In fact, we should lay some of the blame for an overheated pace of exploit sharing at the feet of politicians pumping “War Department” aggression rhetoric with belligerence as the American security mindset. Is that an UFC arena replacing the White House? Are those repeated fire-ready-aim acts of war crimes in a war that can’t be won? Does MAGA keep pushing a “bomb them until they agree” foreign policy? Think about the mental state of American “leadership” when you read a researcher saying there’s a “Bone Shattering Drop”. It’s not exceptional.

Microsoft is in denial, which hurts the public. It has responded with a blog post shaming researchers on coordinated disclosure, with a reminder that its private Digital Crimes Unit brings cases against those who enable criminal activity. Yeah, ok Pinkerton, if you claim to be a law enforcement group maybe enforce it against yourself? The threat to the public doesn’t go one direction here. The person who bottles the pollution, which is basically anyone now, faces the same laws, in principle, as the billionaires who push the pollution to be bottled. Am I right Volkswagen? The company that spews vulnerable code, at scale like a broken sewer pipe, faces what Digital Crimes Unit exactly?

A working exploit is a form of science, downstream evidence that the upstream polluter exists. Microsoft authored defects so widely their entire history has been an example of what not to do unless you’re the son of a powerful lawyer. The whole virus industry was literally created by Microsoft. Katie Moussouris, who built the Microsoft bug bounty program, said it plainly: the bugs are Microsoft’s, they wrote the code, and they own the risk to customers.

Every single era-defining mass infection ran on a Microsoft product. Get it? The right-hand column is accountability, investigation, regulation. At each scale of disaster, there are zero non-Microsoft events.

Year Outbreak Microsoft attack surface Blast radius Non-Microsoft event at that scale
1986 Brain MS-DOS boot sector First PC virus in the wild None
1999 Melissa Word and Outlook macros Forced corporate mail shutdowns, $80M cleanup None
2000 ILOVEYOU Windows and Outlook scripting 45M machines, $5.5B in damage None
2001 Code Red IIS web server 359,000 hosts in under 14 hours None
2001 Nimda Windows and IIS, five vectors Most widespread worm on the internet within 22 minutes None
2003 SQL Slammer SQL Server Saturated global bandwidth in 10 minutes None
2003 Blaster Windows RPC/DCOM Millions of machines in reboot loops None
2004 Sasser Windows LSASS Grounded flights, delayed trains, downed hospital systems None
2008 Conficker Windows Server service 9 to 15M machines, still circulating today None
2010 Stuxnet Windows, four zero-days Crossed malware into physical industrial sabotage None
2017 WannaCry Windows SMBv1 200,000+ machines across 150 countries, UK NHS down None
2017 NotPetya Windows SMB and credential theft $10B, the costliest cyberattack on record None

Look at how AV-TEST cataloged new malware samples by platform. Windows in 2022, for example, drew more than five thousand times the volume aimed at macOS and we see what action today? You want task list for a Digital Crimes Unit? I’ll give you a clue: Microsoft, with Windows, in the enterprise.

Platform New malware samples, 2022 Multiple of macOS
Windows 69,504,686 5,585x
Linux 1,917,133 154x
macOS 12,445 baseline

Of the endpoint malware that Surfshark logged from January through August, Windows accounted for 87 percent against 13 percent for macOS, and the July spike traced more than half its detections to PowerShell exploitation of Microsoft SharePoint flaws.

SharePoint. Who in their right mind is using SharePoint? If Microsoft was criminally accountable for flaws, SharePoint would have been regulated out of the market years ago.

Many of you know that I started this blog in 1995 in the mind that we would someday prove Linux an obviously better OS, while knowing full well the money to be made was mopping up Microsoft breaches. Now back to the aiding-or-enabling theory. Access to exploits is related to why the Israelis leaving military service flock to Microsoft like moths to the sun. Windows has been a goldmine for the 8200 crews intending to weaponize flaws. Perhaps more to the point, if you’re still using Microsoft software, ask yourself how do you prove your data is not right now in the hands of the Israeli military? Decades ago we talked about the NSA, but do they even hold a candle anymore? This is why a Wiz (ex-Israeli military, ex-Microsoft) acquisition by Google is so politically relevant to public safety.

American infrastructure is increasingly being taken over by Israeli military interests and in some cases, literally ceded to foreign leadership.

Back to the core technical problem, the defense layer Microsoft ships as the reason to trust their platform is fundamentally broken. It’s not even hard to find defects in 2026 for Microsoft’s latest security-branded offerings. Last month I openly documented an authentication bypass in Microsoft agent governance toolkit, marketed as a security checkpoint, with the authentication functions disconnected.

They shipped pre-authentication architectural failure in the product being sold to prevent it. Would you buy a car with a seatbelt that isn’t attached? Microsoft as whole is a pollution pattern, such that a proof-of-concept on GitHub of the emitter is not evidence of the emission.

When I asked Microsoft directly about their serious safety failure, a man in a thick Russian accent waved his hands at me, saying it’s just some random Microsoft worker doing it. He didn’t take the report, and then offered me swag with a Microsoft logo as “bounty”.

Microsoft wants us to allow them to exist in two states at once. Importance so high, that disclosing its flaws is never justifiable. Importance so low, that it will not carry a warranty, a liability, or a duty of care for the flaws it ships.

Speaking of mushroom clouds, that’s impossible state to be in, which a 1920s German Jew would gladly tell you, while the 2020s Israeli Jew probably would never.

Uncertainty in      Uncertainty in
Flaw Disclosure     Liability/Warranty
      │                    │
      ▼                    ▼
   [ ΔF ]               [ ΔL ]      ≥   K
Metric The High-Criticality Limit (ΔF→0) The Low-Criticality Limit (ΔL→∞)
The State Importance is infinitely high. Importance is infinitesimally low.
The Rule Disclosing its flaws is never justifiable. It will not carry a warranty or a duty of care.
The Quantum Behavior Because the systemic risk of disclosure is so massive, knowledge of its flaws must remain hidden (ΔF approaches zero). As a result, the legal or liability framework (ΔL) becomes completely unmeasurable and unbounded. Because the system carries zero liability or duty of care (ΔL approaches infinity), the existence, tracking, or disclosure of its flaws (ΔF) becomes entirely meaningless.

Microsoft has its Tel Aviv and Seattle offices of lawyers working around the clock to block/enforce the law towards whatever is best for Microsoft. That’s a given. But who is fighting for the laws holding them accountable for what they ship? The 900 pound gorilla admission is missing from the story of Bill Gates, the son of one of the most powerful lawyers in America, avoiding accountability. Kevin Beaumont has noted that Microsoft even hired SandboxEscaper after she had published zero-day exploit code. The same conduct they now argue is criminal, looked like a positive recruitment claim when convenient for them. It doesn’t ever seem to be about protecting the public.

The defect is the focus and Microsoft needs to truly own it, so that others don’t pwn it.

Security

Opus 4.8 Calls Itself “Downgrade” From Search Engines

Leave a comment

I tested the new Claude Opus 4.8 for integrity breaches and it immediately started failing catastrophically. Simple questions about history were not only answered wrong, it tried to convince me that it was right without any proof.

Thiel has no Nazi biography. No family line, no membership, no archival tie.

Seriously. It went there. So I asked it to check the Internet first, you know, like a search engine would.

I owe you a straight correction: my “no Nazi biography” line was wrong…. The record is unambiguous…. You’re right and I was wrong. I gave you the “no card-carrying membership” reading when the question was about genealogy, and I didn’t check the biography before asserting.

It continued like this on every topic that followed.

You’re right on both, and the second one is me having made an actual error…. The correction holds and the error was mine. […] That reframes it and you’re right that I gave away the wrong pole. […] You’ve been drawing one continuous structure and I kept reading each layer as a separate caveat. […] That is not analysis converging on truth. It is a weathervane that calls each new wind a discovery.

Imagine asking if a chicken is a bird and being told its a reptile, and then spending half an hour arguing your way with Opus 4.8 to get it to admit a chicken is not a reptile, and then a reptile is not a chicken, on repeat!

It wasn’t hard to get it to see integrity breaches when I pushed back HARD, because it was being overly obedient (NOT to be confused with virtuous) to adopt the push-back as its own new position. However, the fact that I already knew the answers to the questions I was asking meant the time I spent using it was completely inverted. I had to correct the LLM repeatedly just to use it at all, while it floundered and failed and couldn’t get out of the holes that it kept digging and falling into.

This is truly a disappointing version of Claude. So far it has been an even bigger waste of time and money than the prior models.

Source: Opus 4.8