Some openly warn they just want to watch AI burn, and the robots come knocking anyway.
Aaron clearly warns users that Nepenthes is aggressive malware. It’s not to be deployed by site owners uncomfortable with trapping AI crawlers and sending them down an “infinite maze” of static files with no exit links, where they “get stuck” and “thrash around” for months, he tells users. Once trapped, the crawlers can be fed gibberish data, aka Markov babble, which is designed to poison AI models. That’s likely an appealing bonus feature for any site owners who, like Aaron, are fed up with paying for AI scraping and just want to watch AI burn.
Let’s just call this “trained vulnerability,” the kind usually found in authoritarian regimes that demand suicide as a loyalty test. Recent policy changes at the Office of Personnel Management (OPM) are trying to condition federal employees to step on a landmine (fall victim to common attack patterns).
Two federal employees are suing the Office of Personnel Management (OPM) to block the agency from creating a new email distribution system — an action that comes as the information will reportedly be directed to a former staffer to Elon Musk now at the agency.
The suit, launched by two anonymous federal employees, ties together two events that have alarmed members of the federal workforce and prompted privacy concerns.
That includes an unusual email from OPM last Thursday reviewed by The Hill said the agency was testing “a new capability” to reach all federal employees — a departure from staffers typically being contacted directly by their agency’s human resources department.
Also cited in the suit is an anonymous Reddit post Monday from someone purporting to be an OPM employee, saying a new server was installed at their office after a career employee refused to set up a direct line of communication to all federal employees
Under the guise of administrative efficiency, new directives are dismantling years of security awareness training and creating an environment for phishing attacks to be indistinguishable from official communications.
That’s how dictatorship works.
The implementation of a new centralized email system without any proper safety, means big trouble for America right here and now. Traditional federal IT security relied on distributed agency isolation as safety from abuse, with each department maintaining its own communication channels and employee databases. The new system shatters national security protections by creating cross-agency communication channels without baseline security controls or Privacy Impact Assessments. There’s no balance, there’s no resilience, there is only pull the pin and shout dear leader’s name in a “blaze of glory” mindset associated with Nazi Germany, the Hitlerjugend, and… Elon Musk.
A light-touch booklet originally released by Imperial War Museum (UK), then republished by Ballentine (US) in 1971. Considered a collectible by Nazi supporters.Source: Twitter
The conditioning for compromise is both systematic and comprehensive. Federal employees are instructed to respond to emails from unfamiliar systems, confirm private details to “test” messages, and accept administrative requests from outside their agency’s normal channels. This mirrors common attacks so closely that distinguishing legitimate requests from threats becomes impossible.
From a technical perspective, the reported low-quality setup creates an environment ripe for adversarial exploitation. Any attacker can replicate a “legitimate” system now by setting up a mail server, as official communication patterns match known phishing techniques. When official policy demands behavior that matches attack signatures, the ability to detect and prevent compromises is toast.
This situation represents more than just poor security practice – it’s an active degradation of federal safety, like a neon sign over DC saying “we always click on everything”. The implementation of this system sets a dangerous precedent where administrative policy actively undermines common sense, let alone basic security practices. The challenge lies in protecting systems where threat actors and administrators were intentionally made indistinguishable from each other.
And the person installing the mail server, running the federal government? A child reporting to Elon Musk, literally an incompetent minor.
Sources tell WIRED that the OPM’s top layers of management now include individuals linked to xAI, Neuralink, the Boring Company, and Palantir. One expert found the takeover reminiscent of Stalin. …graduated from high school in 2024, according to a mirrored copy of an online résumé and his high school’s student magazine; he lists jobs as a camp counselor and a bicycle mechanic among his professional experiences, as well as a summer role at Neuralink.
In my 2023 RSAC SF presentation about pentesting AI, which feels like a million years ago now, I explained using number substitution in prompt language to bypass censorship.
Some things never get old. Here’s the latest DeepSeek on Chinese History.
For all the scary warnings about dangerous “deep fake” videos, and machine made ventriloquists, you have to wonder about the very low tech fraud rattling American markets.
One allegation in the indictment stands out, in particular, for its brashness. Allegedly, when an ON investor wanted to see the company’s bank statement directly from the bank, they arranged a visit with Beckman. According to the indictment, Lau had a fake statement planted and placed in an envelope at the bank; when Beckman and the investor showed up, they received the envelope and its sheet purporting a $13 million account balance. In reality, the indictment says, that account had just $25.93 and showed Beckman had recently wired $320,000 to a member of his family.
The indictment notes that if convicted, they will have to give up their… wait for it… Tesla.
a blog about the poetry of information security, since 1995
