Six months of nation-state access to highly targeted networks, simply because a widely deployed tool treated TLS as the one and only integrity verification (rather than what it is: transport security).
The “sophisticated” attack reads like a tourist getting their wallet stolen from their beach chair while they went for a swim without it. Easy pickings for anyone looking to exploit unsophisticated engineering.
I love reading Dan Goodin, perhaps my favorite tech reporter of all time, but his article buries the lede:
“…insufficient update verification controls that existed in older versions.”
That’s the whole game, right there.
All the threat intelligence theater with chill names like “Chrysalis” and “Lotus Blossom,” with all the attribution to China-state actors getting “hands-on-keyboard” drama, obscures that this has been a solved problem since at least 2005. Like twenty years ago Microsoft OEM’d an Israeli patching company and said oh shit we need to sign code, and that should have been the end of it, right?
Linux package managers have done cryptographic signature verification for many decades. Using apt, yum, pacman, etc. means you verify GPG signatures against pinned keys before execution. The fix is older than many people involved in this disaster.
Why am I even writing about this?
The attack chain was to intercept update requests, redirect to a malicious binary, and let it execute. A checksum won’t save you here: if the attacker owns the distribution infrastructure, they serve a bad binary and a matching hash.
Self-consistent fraud.
The actual integrity breach fix is asymmetric signing. The developer signs a binary with a private key that never lives on update infrastructure. The client verifies against a public key pinned in the already-installed binary. Own the servers all you want—you can’t forge the signature without that hidden private key.
Here’s the part that should make you spit tea all over your screen. Or maybe that’s just me. They had signing. From Beaumont’s razor sharp analysis:
“The downloads themselves are signed—however some earlier versions of Notepad++ used a self signed root cert, which is on Github.”
Nice.
The lock was in the door and the key for it was… too. The integrity mechanism existed in form but not in function. A self-signed cert with the key material published on GitHub means anyone who could redirect traffic could also forge valid signatures. That’s theater, an appearance of an integrity control when it doesn’t actually constrain anything.
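The three cases above (checksum from the same server, signature against a pinned key, and a signing key that is no longer secret) side by side, as an added example that is not Notepad++'s updater code or anything from the original post. Ed25519, the type and function names, the fixed seeds and the sample payloads are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what an update server (honest or hijacked) hands to the client.
type Update struct {
	Binary    []byte
	SHA256    [32]byte // checksum published beside the binary
	Signature []byte   // detached signature over Binary
}

// VerifyChecksum is the weak check: the hash arrives from the same place as
// the binary, so whoever controls the server controls both.
func VerifyChecksum(u Update) error {
	if sha256.Sum256(u.Binary) != u.SHA256 {
		return errors.New("checksum mismatch")
	}
	return nil
}

// VerifySigned checks the signature against the key pinned in the installed
// client; nothing in the server's response gets to choose the key.
func VerifySigned(pinned ed25519.PublicKey, u Update) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, u.Binary, u.Signature) {
		return errors.New("signature does not verify against pinned key")
	}
	return nil
}

// serve builds a server response, signed with whatever key its operator holds.
func serve(binary []byte, key ed25519.PrivateKey) Update {
	return Update{Binary: binary, SHA256: sha256.Sum256(binary), Signature: ed25519.Sign(key, binary)}
}

// Result records which client-side checks accepted an update.
type Result struct{ ChecksumOK, SignatureOK bool }

// Scenarios runs three constructed cases. Keys come from fixed seeds only so
// the example is reproducible; real signing keys are random and kept offline.
func Scenarios() map[string]Result {
	devKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	otherKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	pinned := devKey.Public().(ed25519.PublicKey) // shipped inside the client
	good := []byte("release build (constructed sample)")
	tampered := []byte("tampered build (constructed sample)")

	check := func(u Update) Result {
		return Result{VerifyChecksum(u) == nil, VerifySigned(pinned, u) == nil}
	}
	return map[string]Result{
		"genuine":            check(serve(good, devKey)),       // developer's release
		"hijacked-server":    check(serve(tampered, otherKey)), // key stayed secret
		"signing-key-public": check(serve(tampered, devKey)),   // key material was published
	}
}

func main() {
	for name, r := range Scenarios() {
		fmt.Printf("%-20s checksum=%v signature=%v\n", name, r.ChecksumOK, r.SignatureOK)
	}
}
```

The checksum accepts all three updates; the pinned-key check rejects the hijacked one only while the private key stays secret, which is the gap between a control existing in form and in function.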
Content-addressable integrity needs better marketing? I don’t get it. The transport layer is a layer for defense in depth, which someone confused with the core package integrity mechanism itself. And the signing layer, which should have been the real gate, was all hat no cattle.
Resources probably all went into features and user growth. They even went into transport layer security. Yet missing content integrity controls allowed something catastrophic.
No regulators apparently required basic cryptographic verification that actually works. So the distribution of content never innovated on authenticity. Now they have an integrity breach, scrambling to apologize and patch late what should have been there for twenty years.
Solved cryptographic engineering. Same pattern, always. A consent banner that doesn’t constrain data collection. An operations audit that doesn’t examine infrastructure. The signature that doesn’t verify authenticity. The presence of a control, without regulations to ensure standards of care, can become dangerous cover for its absence.
Jason Zengerle’s new Tucker Carlson biography is titled Hated by All the Right People. The book treats a “struggle” to be hated as Carlson’s personal brand—a story of grievance and ambition. It’s actually the operating manual for authoritarian consolidation, and Zengerle apparently never recognizes he’s describing Mein Kampf for 2026.
The Numbers
Trump’s approval sits at 39-42%, net approval around -13 to -19. Among independents: 29%. Majorities disapprove of nearly every major policy.
Hitler’s numbers during consolidation were remarkably similar. July 1932—the last genuinely competitive election—the Nazi party got 37.3%. Even March 1933, with 50,000 brownshirts “monitoring” the vote, produced only 43.9%.
Neither man consolidated power with majority support. Both did it anyway. Being unpopular fueled their destruction of the state.
A contemporaneous State Department analysis noted that Hitler maintained control through “mass propaganda, backed by the energetic activity of the ‘Brown Shirts’, and with the tacit acquiescence of the Reichswehr.” Not popularity. Force plus institutional capitulation. Just like Truth Social and ICE today. Not a coincidence.
The Mein Kampf Return
Zengerle frames Carlson’s trajectory as psychology: Stewart destroyed him on Crossfire, Tucker felt betrayed, and “bitterness” explains his later radicalism.
This is biography as evasion. The pattern is structural:
Hitler: Failed putsch, then prison, then a lunatic manifesto reframing defeat as persecution, then a return as more radical… takes over democracy and destroys it.
Trump: Lost 2020 and whined endlessly about a “stolen election” mythology, then January 6th, then a return as more radical… takes over democracy and destroys it.
Carlson: Destroyed by Stewart and fired from CNN, he returns via Fox and then his own network, openly admiring Orbán and Putin. Now he “operates as a political actor, maybe even more than a media actor.”
The pattern: Legitimate defeat doesn’t teach adjustment. It teaches that legitimate competition is rigged, which justifies abandoning it entirely.
“Hated by All the Right People” isn’t a brand. It’s the rationalization that transforms every fair loss into proof the system must be captured and destroyed, punishing everyone.
The Selection Mechanism
Being hated isn’t so much a personal grievance as it is treated as a qualification for authoritarian power. If you’re willing to do things decent people reject, you’ve proven your loyalty. The hatred is a token, a credential.
Current polling shows 57% disapprove of ICE enforcement. 51% say it makes cities less safe. The enforcement continues, stair-stepping in escalation. That’s the point.
Unpopular enforcement is the filter that builds the apparatus. Everyone who participates despite knowing better is identified for advancement. Everyone who objects is identified for removal.
The infamous Nazi Amon Goeth found grievances everywhere he looked, and he especially targeted experts, as depicted in the movie Schindler’s List.
If the enforcement mechanism were popular, it wouldn’t generate fear. The point of visibly unpopular violence is demonstrating that popular opinion no longer constrains state action.
The “Autocratic Backfire” Fantasy
The same weekend Zengerle’s book dropped, Ruth Ben-Ghiat published a NYT essay arguing Trump’s overreach “may backfire.” Her thesis: autocrats believe their own propaganda, make disastrous decisions, and fall.
Her examples prove the opposite.
On Mussolini and Hitler: “it took being bombed by the Allies in World War Two to start the disintegration of the personality cults.” It took being bombed by the Allies. Not unpopularity. A world war.
Mobutu ruled 32 years until foreign-backed rebellion. Amin ruled 8 years until Tanzania invaded. Erdogan—her “recent example”—is still in power after 22 years. Putin—whom she called a “classic example of autocratic backfire”—is still in power.
She opens with a Chaplin quote from April 1939 about dictators throwing themselves into holes. Six months before Hitler invaded Poland. The “hole” didn’t stop anything. It took 60 million dead.
That’s the timeline “backfire” operates on. Not midterms. Decades of consolidation ended only by catastrophic external intervention.
Waiting for backfire is waiting for someone else to stop it.
I’ll say it again, because it’s such a spectacular misfire: her examples disprove her theory.
What This Means
Hitler was very, very unpopular. It’s how he amassed power. Trump also is very, very unpopular. And it’s working for him too.
Stop waiting for approval ratings to matter to people who want to be hated. They already don’t.
The question isn’t whether Trump’s silver-spoon elitist policies are popular, because they never are. The question is whether anyone with power will stop them. Courts that defer. Legislators that comply. Media that normalizes. Each capitulation teaches the lesson the SA taught in 1933: your disapproval juices the crackdown.
The apparatus is being built by people who understand this—who learned that losing means the game is rigged, that hatred from decent people is a credential, that popular opposition is irrelevant if institutions capitulate.
Zengerle’s book describes the selection mechanism in its title and never recognizes what it’s describing. That’s the liberal problem in miniature: dutifully cataloging symptoms while unable to authoritatively stop the disease.
Got ICE?
The unpopularity isn’t a problem for Trump, it’s proof the operation is working.
Left: A Japanese-American woman holds her sleeping daughter as they prepare to leave their home for an internment camp in 1942. Right: Japanese-Americans interned at the Santa Anita Assembly Center at the Santa Anita racetrack near Los Angeles in 1942. (Library of Congress/Corbis/VCG via Getty Images/Foreign Policy illustration)
Apparently unlawful detention of tens of thousands of Americans into concentration camps is starting to worry the GOP even in Texas.
[Rep. Pete] Sessions, who represents areas of central and west Texas in the state’s 17th Congressional District, suggested during an appearance on “CNN News Central” on Monday that voters were deterred from participating in the special election due to icy conditions.
Canada, for its part, has cancelled a contract with ICE. There’s a simple way to stop giant empty warehouses being converted into Trump concentration camps.
Canadian company says Virginia warehouse sale to ICE won’t proceed.
The owners of a property in Oklahoma City are “no longer engaged with the Department of Homeland Security about a potential acquisition or lease,” according to the city’s mayor David Holt.
These are just three examples of how the Texas GOP could be doing a lot more if it wants to get rid of problems with ICE.
The Freedom Forum published a tepid First Amendment analysis of armed protest after Border Patrol agents killed Alex Pretti in Minneapolis. It’s barely competent, an example of what’s wrong.
It correctly identifies time, place, and manner restrictions, content neutrality requirements, narrow tailoring doctrine. It asks a constitutional question:
When can the government restrict someone’s right to protest because they’re lawfully armed?
It’s also useless. The question isn’t what the law says. It’s who the law protects. The answer to when has historically been that the government restrictions are based on who: race.
The Pattern
| Case | Legal Status | Circumstances | NRA Response |
| --- | --- | --- | --- |
| Black Panthers (1967) | LEGAL: open carry | Monitoring police, protesting at California Capitol | Helped draft the Mulford Act ban, supported passage to deny gun rights |
| Philando Castile (2016) | LEGAL: licensed, permit holder | Informed officer he was armed, reached for wallet, shot dead | Silence. Then blamed him, based only on a police claim they found marijuana. Refused to defend gun rights |
| Kyle Rittenhouse (2020) | ILLEGAL: couldn’t legally acquire rifle | Killed 2 people at BLM protest | Awarded him $50k and AR-15 assault rifle to execute more protestors, promoting “warrior for gun rights” |
| Amir Locke (2022) | LEGAL: licensed, concealed carry permit | Asleep on couch, woken by no-knock raid, grabbed gun, shot dead in 3 seconds | No support, “not commenting” |
| Alex Pretti (2026) | LEGAL: licensed, VA nurse, no criminal record | Filming immigration enforcement, disarmed, publicly executed, shot in back while face-down | Attacked gun rights leaders |
The Only Illegal One
Every person on that list except Rittenhouse was exercising legal gun rights. The Panthers were carrying legally under California law. Castile was licensed. Locke had a concealed carry permit. Pretti was a permitted VA nurse in the ICU serving the military with no record.
Rittenhouse didn’t stumble into a felony. He got his sister’s boyfriend Dominick Black to break gun laws for him. Kenosha police already knew Black from “numerous interactions” yet Wisconsin courts rapidly reduced his two felonies to a small fine under a no contest plea. Then Black was arrested multiple times again for fleeing police, and for armed robbery—with a rifle. Gun crime pays, if you are a young white boy named Black in Wisconsin.
Rittenhouse couldn’t legally acquire the rifle. He did anyway and then crossed state lines for the sole purpose of pointing a hunting rifle at innocent people. He panicked, while hunting humans, and killed two. ICE agents with handguns panicked and executed two.
It was this that the NRA looked at and decided to flagrantly mock the courts and their felony charges by dispensing huge gifts to Rittenhouse: $50,000 and a trophy AR-15.
The only person using a gun to deny other Americans their constitutional rights is the one the NRA rewards. The only person breaking gun laws is the one that the NRA has openly and repeatedly celebrated.
Armed Protesters in State Capitols
I’ve read so many articles about American gun-toting protesters entering state capitol buildings that I’ve lost track of the number:
However, only very rarely have I seen anyone reference that the NRA’s firm position on this issue was to ban guns. Guess why.
The Mulford Act
In 1967, the Black Panther Party was legally monitoring police in Oakland—armed patrols using California’s open carry laws to document police brutality. On May 2, several armed Panthers entered the California State Capitol to protest a proposed gun control bill. Republican Assemblyman Don Mulford drafted the Mulford Act to ban public carry of loaded firearms. The NRA helped write it and supported its passage:
The display so frightened politicians—including California governor Ronald Reagan—that it helped to pass the Mulford Act, a state bill prohibiting the open carry of loaded firearms, along with an addendum prohibiting loaded firearms in the state Capitol. The 1967 bill took California down the path to having some of the strictest gun laws in America and helped jumpstart a surge of national gun control restrictions.
Reagan’s Lies
History rhymes even when it doesn’t repeat.
Not so long ago we had a President named Ronald Reagan who was known for being a horribly racist exaggerator. Here’s the Snopes perspective on his justification for banning guns:
“The Black Panthers had invaded the legislative chambers in the Capitol with loaded shotguns and held these gentlemen under the muzzles of those guns for a couple of hours. Immediately after they left, Don Mulford introduced a bill to make it unlawful to bring a loaded gun into the Capitol Building. That’s the bill I signed. It was hardly restrictive gun control.”
This wasn’t true.
The Panthers were disarmed by capitol police soon after entering the building and, according to contemporaneous accounts including the Associated Press, were escorted out 30 minutes later. No one was held at gunpoint for hours.
Reagan’s crooked mythology required to justify the gun ban had to be inflated because the reality—Black men legally carrying, reading a statement, leaving peacefully—wasn’t scary enough to strip their rights. They needed the story to be an armed invasion.
As I’ve written elsewhere, the NRA we know today remains very much the same organization with these same values that it suddenly became in the 1970s.
Building the Base
The pattern the NRA follows extends beyond selective defense. It actively recruits children into the political identity. Business Insider reported on essay contests for kindergarteners asking how the constitutional right to bear arms affects them personally.
Leaving aside the oddness of asking the youngest of grade schoolers how the constitutional right to bear arms affects them personally, the contest raises alarms for gun-control advocates. Gun violence was the No. 1 cause of death for US children in 2021… “They’re selling a lie, and it’s a very dangerous lie,” Brown [the president of the gun-safety group Brady] added. “They are selling it to your kids, and they don’t care if it’s killing them.”
By the time they are capable of making a mature judgment, their health may be harmed irrevocably and their decisional capacity impaired by the product’s addictive qualities.
That analysis misstates it. By the time they are capable of making a mature judgment, these targeted kids—and those around them—are already dead.
I say this as someone who grew up in the heart of rural American gun culture. By 12 years old I had been shot and wounded, requiring hospitalization.
The number of children and teens killed by gunfire in the United States increased 50% between 2019 and 2021…
As a historian familiar with Nazi Germany, I have to point out their children were motivated towards mass violence by rapid dissemination of highly targeted authoritarian disinformation. The NRA runs the exact same playbook (not by coincidence)—capture children ideologically before they can evaluate the claims, normalize the violence that identity produces. An inverse effect also helps illuminate the cruelty. British soldiers in WWII reported a strategy of offering God and Chocolate to melt a Nazi child’s cold coal heart full of false fears and nightmares.
The 180-Degree Flip
The NRA has an origin story that is the exact opposite of its current incarnation.
In 1871, Union generals under President Grant founded the NRA to train Black freemen—emancipated slaves—to defend themselves against white supremacist militias like the KKK. The organization was “a roster of Union commanders” who had just defeated the Confederacy. Training emancipated Americans with marksmanship was seen as logical: help citizens protect the federal government from regression and rebellion.
Then came 1977.
The NRA developed a splinter extreme right-wing Institute for Legislative Action lobby group that suddenly seized complete control of the organization in what’s called the “Cincinnati Revolt.” The timing matters: the United Nations Security Council Resolution 418 of 1977 had unanimously adopted a mandatory global arms embargo against apartheid South Africa.
Southern Africa magazine, August 1977—the same year gun manufacturers seized control of the NRA to violate apartheid arms embargoes.
Founded to arm American Blacks against white supremacist gang violence. Pivoted to pass a ban on gun rights for American Blacks. Captured entirely after international embargo of South Africa, in order to arm whites-only-rule. Now celebrates an illegal gun used to kill innocent people at a racial justice protest. Silent when police murder Black men with legal permits. Silent when ICE publicly executes Americans. Not drift. Inversion.
The Legal Architecture
The NRA isn’t the only institution built for one purpose and captured for the opposite.
Grant’s Enforcement Acts were designed to prosecute the Klan. The Supreme Court gutted them within a decade. United States v. Cruikshank (1876) established that the Fourteenth Amendment only restricts state action—the federal government cannot protect Black citizens from private white violence.
Southern states declined to prosecute the Klan. The Klan’s members often were state actors—sheriffs, deputies, judges—who refused to prosecute themselves. The doctrine gave them an obvious loophole: put on a hood, become a “private” actor. The same men who wore a badge by day wore a sheet by night.
The Trump administration is using an anti-Ku Klux Klan law to prosecute Minnesota activists for demonstrating… charged with conspiracy to deprive rights—a federal felony under Section 241, a Reconstruction-era statute enacted to safeguard the rights of Black Americans to vote and engage in public life amid the KKK’s racial violence. Levy Armstrong and Allen are both prominent Black community organizers.
Black organizers protested violence by a federal official. The state is acting. No doctrinal barrier applies. Section 241—the fragment of Grant’s law that survived—activates instantly to target the very people it was meant to protect.
The law was carefully stripped of power by jurists who saw Reconstruction as the crime. It couldn’t protect Black Americans from private violence. Yet it retained full power to punish Black Americans if they dared to confront state violence.
Whatever is architected for safety will be weaponized into a tool of terror. Decades of saying gun registration would be the end of freedom, then forcing registration. Decades of open carry as a sacred right, then wearing a holstered gun in public becomes a crime punishable by immediate state firing squad execution.
What “Shall Not Be Infringed” Actually Means
The NRA is no longer a gun rights organization. They’re a white nationalist political organization that uses gun rights selectively. The Second Amendment applies to people they consider legitimate political actors, and doesn’t apply to people they don’t, based on race.
The Minnesota Gun Owners Caucus—not the NRA—defended Castile, Locke, and Pretti. Principled gun rights advocacy is possible. The NRA chooses not to practice it.
They promote illegal gun use for political purposes and work to ban guns when the wrong people carry them legally. That’s the NRA today, opposite of why it was created.
Mass violent detention like this one in 1976, Guguletu, near Cape Town, is why the UN passed arms embargoes. It’s what the NRA illegally armed after the 1977 “Cincinnati Revolt,” and what it stands for today. America pulling out of the UN and deploying ICE is apartheid all over again.