History, Poetry, Security

Why We Need a Separation of AI Church and State

Leave a comment

Margaret Hu has been making this argument for years, before I caught up to it. She is a professor of law at William and Mary, directs the Digital Democracy Lab, and has testified before Congress on AI regulation.

She just mentioned the separation of AI Church and State has been a rising topic for several years, most recently on the Federal Newswire podcast.

She pointed out separation of Church and State rhymes with separation of AI and State. The Church minted the coin and then charged for salvation. The labs mint the token and charge for salvation. Same institutional makeup, eight centuries apart. That got me thinking:

Church Coin AI Token
The instrument Placed on the altar Submitted via API
Who mints Empire grants it, commune holds it, the Church absorbs it and the ius monetae migrating across one disc of metal The lab holds it, ungoverned
Booked twice The offering in the box, plus a credit struck against purgatory Compute revenue, plus a mark-to-market gain on the same dollar
The salvation sold Time taken off the afterlife AGI, alignment, civilization rescued, cure disease, reduce labor, blah blah blah
The half you can audit 70,000 coins found beneath Scandinavian church floors Amazon’s 16.8 billion dollar mark, booked in the open
The half you cannot The grace. Never recoverable The capability claim. Never independently proven
The trinity Mints the coin, sells the salvation, writes the law of usury Mints the token, sells the salvation, writes the safety framework

Where This Ends is Ugly

An institution that mints the money, sells the salvation, and writes the morality of money holds all three levers with no independence or separation. Nothing inside would work to pry them apart. The medieval version did not reform by memo. It was Luther who nailed the indulgence (the AI double-booking of his day) to a door in 1517. Then a brutal correction unfolded over the next hundred and thirty years. Princes seized the mints and the monastery lands. The wars of religion ran into the Thirty Years War, which emptied as much as a third of the German lands in the worst regions.

The act of “disestablishment” (prying mint and salvation away from the sword) was Westphalia in 1648.

The AI labs clearly are bringing back the trinity and infusing it into the state: we just saw an export ban on who may run a model, we just saw empty warehouses permitted as datacenters and ruled as critical infrastructure, with the national-security frame doing all the consecrating. They may as well say national holiness. Elon Musk may as well be called the holy emperor of SpaceX, presiding over what looks like the biggest fraud in history. The records are blunt about the very high price of undoing the Church coin collapse. Elon Musk isn’t going to disestablish himself any sooner than he will admit he isn’t going to achieve driverless by 2017 or land on Mars by 2018.

Someone has to seize the AI tokens before more people die from AI. Or to put it how was said a very long time ago:

Doch schweig ich noch von dem, was ärger als der Tod,
Was grimmer denn die Pest und Glut und Hungersnot:
Daß auch der Seelen Schatz so vielen abgezwungen.

Andreas Gryphius wrote that in 1636, mid-war, which reads: “and yet I stay silent on what is worse than death, grimmer than plague and fire and famine: that the treasure of the soul was wrested from so many.”

The AI token is today’s Seelenschatz: sold as salvation, never proven, never refunded. The medieval fix wasn’t a stronger emperor. That kind of escalation always fails. It was prying the mint, the salvation, and the sword into separate hands and holding the line. Separate the AI Church from the State before the unauditable claim bills us in death again.

Security

Amazon Told the White House to Kill Anthropic Fable Model Running on AWS

Leave a comment

The official account of the Fable takedown is bizarre. Anthropic says it got a 1:30 p.m. call giving it 90 minutes to take the models down, no details on the threat. They added that there was never any begging or asking to work together, just a deadline.

You don’t have to take Anthropic’s word for it. Axios, reporting the episode separately, landed on the same 1:30 call, the same 90 minutes, the same blank where the threat details should be. Two newsrooms confirmed Anthropic’s timeline.

And then? The government’s own story popped up, as an outlier. A senior White House official told Politico the export controls were “a last resort after begging them for hours to work with us.” When the neutral account backs your opponent and not you, “we begged them for hours” reads like something spun up after the fact as propaganda to dress up a decision that already had been made.

The decision rested on a report almost nobody was allowed to read.

The henchmen who pulled the trigger (Bessent, Cairncross, Sacks) spoke gravely about the danger, yet not one of them apparently read the thing they were rambling about. The administration says Amazon’s findings went past the NSA and that it had “proof,” which it has declined to describe.

How Kafkaesque.

The one outside expert who actually read the report, my good friend Katie Moussouris, says the response was wildly out of proportion to its contents, and that Amazon’s researchers found the flaw by asking the ordinary questions a defender asks, which is the entire job the model was built to do.

Yeah, this story is more and more bizarre. So a product used by hundreds of millions of people was yanked off the global market in an evening, on the strength of a document the deciders hadn’t read, written by Anthropic’s largest investor, at the government’s own request, and the only person who read it and spoke publicly says it justified none of it.

America makes no sense right now.

So let’s take the new rule at its word. Software, when asked the questions an attacker might ask, is a national security threat if it returns something an attacker could use. In the interest of saving America, the following should also have been shutdown by Friday night.

Product The actual national security risk Status
Anthropic Fable / Mythos A non-universal jailbreak the one outside reader called minor. Crime: answered the questions defenders are supposed to ask. Pulled worldwide in one evening
Atlassian Confluence CVE-2022-26134 and CVE-2021-26084: unauthenticated remote code execution, mass-exploited as zero-days, both on CISA’s must-patch list. An actual hard case of failure. Still shipping. No letter.
Atlassian Bitbucket CVE-2022-36804: command-injection RCE, added to CISA’s known-exploited catalog after crews walked through it in the wild. Still shipping. No deadline.
Atlassian Jira Template injection and access-control flaws used in real intrusions against real organizations. Still shipping. No NSA review.
Microsoft Teams A default-trust attack surface pre-installed inside every enterprise in the country, with documented token-theft and phishing pathways. Still shipping. Pre-installed, in fact.
Oracle NetSuite Default configurations that have exposed customer records at scale. Still shipping.
Salesforce The 2024–25 social-engineering campaigns that walked data out of live production orgs by the gigabyte. Still shipping. As a way of life.

Notice that column on the right. Every product below Fable on that list has been the actual vector in actual breaches, not some hypothetical. All of them. Fable was sold to help defenders and got recalled for it, despite it not even being usable. The software that poses actual danger just keeps shipping without any Treasury letter, without the Trump-telltale high pressure UFC 90-minute clock.

If national security mattered, the list goes first and the defensive model is basically ignored. The order was exactly reversed with all the eyes on Anthropic. So the standard isn’t the standard because … it’s a lie.

This seems like an abuse thing, and that’s all. There’s nothing more to it. The one company that got pulled into an angry rant about safety is also the one already being bullied about its stance on American citizen rights against surveillance and autonomous weapons. The White House was apparently just waiting for a reason to be more abusive of Anthropic. The report is an empty excuse for Trump to punch down, to alert the world that American tech is within reach of his personal whim and abuse.

In completely unrelated news, which obviously has nothing at all to do with any of this, nothing, Jeff “Melania” Bezos just announced his new AI company.

Energy, History, Security

AI Is Not a Fascist Artifact

Leave a comment

Several people have asked what I thought when Jürgen Geuter, writing as tante, argued that AI is a fascist artifact.

He’s not saying AI is being deployed badly. He’s saying AI is inherently fascist. He places it in the category Langdon Winner reserved for technologies that demand a particular social order, the way the atom bomb demands a centralized command state. You cannot run that particular bomb democratically. In that sense, tante wants the model in the same classification.

I get it. I typically talk about minefields or cluster bombs as inhumane, and therefore a crime. If we can classify a weapon off limits, we can feel comfortable saying it crosses a bright line.

The problem for me is how his argument refutes itself.

He leans on Stafford Beer’s maxim that the purpose of a system is what it does. As such, tante reads the purpose of AI off its most disgusting and reprehensible deployments. Palantir, an overtly fascist company out to destroy democracy, markets its software as a weapon for kill decisions. Andreessen, an inhumane mockery of tech, demands the right to build without regulation while also demanding regulations that erase its critics. Image models infamously inherit the racism of the data scraped to train them. These deployments are all good examples of the bad, and they are reactionary.

The lean into Beer comes from tante saying he is an admirer. Beer built Project Cybersyn, a centralized computer system meant to coordinate the nationalized economy of Allende’s Chile.

Stafford Beer’s VSM (Viable System Model)

That’s interesting because it’s in the similar class as the bad examples above. Centralized computational coordination of an economy. By tante’s own logic a system is whatever it does, so Cybersyn was socialist because it served socialism. The politics are defined by the person in control and to what end they are aiming.

Record scratch.

This is the applied, contingent politics tante insists does not exist. He cannot endorse the principle that a system is what it does and condemn the model class as fascism in the same breath. That principle is what makes Cybersyn liberatory, and it puts the politics in the operator of the system.

Going back to Winner instead, we should separate two kinds of political technology. For example, when Robert Moses built overpasses so low that large buses carrying poor families could not reach the beach, that was politics by design.

Jones Beach was made inaccessible by bus due to the intentionally low overpasses, like this one. Source: Pin-Up

The bomb is different from the overpass. Its politics are in the functional necessity. In other words, the evidence tante uses is all about the overpass. The frontier vendors would concentrate power because of how it is financed and owned, not because a working model can only exist in a form that prevents poor families from going to the beach.

On that point, we have evidence of models that pass the test. Apertus, from ETH Zurich and EPFL, was pretrained from scratch on rights-clean data. Pleias built its models on the Common Corpus the same way. Run the weights locally through Ollama with no telemetry and no API, and the capability should be free of fascism. And this trend seems like common sense. The model does not need its lab, while the bomb always and still needs the state.

M28/M29 Davy Crockett entered service in May 1961. It fired an “atomic watermelon” with 20 tons of force up to 2.5 miles away, bad news for the operators.

What the bomb actually requires is not centralized command but a centralized means of production: a secret, capital-heavy, state-scale enrichment and weapons base. The Davy Crockett above makes the case clear. The Army handed the trigger to a three-man crew, the most decentralized nuclear launch ever fielded, and it still came out of Los Alamos and the Atomic Energy Commission. You can decentralize the distribution. You cannot decentralize production. Every warhead that has existed came out of that base.

The simple contradictions by tante make me wonder why he didn’t see them. He grants that oppressive tools can be turned against their makers. Ok, so they become good? But then he still tries to land the campaign to destroy AI. Destruction doesn’t follow from the premise that the tool is dual-use. If the politics is in the ownership and operation, the answer is to take ownership and operate another way: public compute, worker control over deployment. Destroy AI foolishly tries to name an enemy, which unfortunately could be the self.

The reactionary political economy of frontier AI is a real problem. The firms deserve the harshest criticism, especially Palantir. Calling the company fascist makes perfect sense to me, but their tools don’t carry the same labels. I’m no more likely to say an LLM has to be fascist than the rest of their compute infrastructure. And I say that because if you follow tante’s very broken and self-defeating logic, we start signaling that to build the alternative is forbidden if not impossible. And that’s simply not true.

The Amish refuse the public grid. The line to the utility is a tether to the outside world, and that relationship as dependence is what they reject. Electricity itself is fine. Build your own windmill, run it locally, and no one objects. The objection was never to electricity itself, which has no political stake. It was to the politics of someone else taking control.

Security

Viginum Just Wrote a Sales Brochure for Blackcore Disinformation

Leave a comment

I’ve been scratching my head about the Viginum report on Blackcore. As a quick introduction, the report says an orchestrated online disinformation campaign didn’t work, since the fake accounts didn’t persuade anyone. And so you would think that’s a relief. But instead, I have a nagging feeling that what is actually being sold isn’t the persuasion.

The Blackcore demo page offered a persuasion method and 1,600 avatars to do it with. But the product is more about something that can take a beating, compromise by public exposure, and keep on running campaigns anyway. Delete the shells, keep the registered toolmaker, edit the avatars, reload and fire again. The Viginum report in that context proves the product works as designed, by showing a full pressure takedown isn’t able to take it down.

The report names who’s at the top. The 8200-to-INCD-to-Cygun chain leads to Yigal Unna, a real law firm, a real address, a registry number. So they could name him. And in Section 4 they do the thing that looks like the start of a prosecution. They write atteinte aux intérêts fondamentaux de la Nation, harm to the fundamental interests of the Nation. That phrase is one of the four boxes that VIGINUM’s founding decree requires it to check before it can call anything foreign interference. Section 4 checks the box, VIGINUM detects and names, and yet it cannot prosecute.

Ok. Ready. And then? Nothing happens. Why?

The operation is built to handle it. The foundation layer is fake accounts and disposable websites. Those are illegal and they’re hidden, and after the press coverage in May they evaporated. Flip a switch, they’re gone. The top layer is the opposite: the report says there are legal companies, registered in Sweden and the UK, with named directors. They’re clean on paper, which means finding them nets nothing. They make software. Making software isn’t a “harm“.

The trap is the foundation is easily erased while the parts floating above aren’t breaking any laws. VIGINUM climbs all the way to the top of the system and finds a registered businessman who can say he just sells the usual marketing tools.

Fun history fact: modern marketing was born in WWI government propaganda offices. Creel’s Committee on Public Information under Woodrow Wilson was a civilian agency, the first large-scale propaganda bureau the United States ever ran. The famous Bernays worked inside it. Lippmann spent the war in Army military intelligence, working on Allied propaganda aimed at German troops at the front. The concepts of manufacturing consent back at home were assembled as state service at war between 1917 and 1919, and then privatized into Madison Avenue the moment the war ended.

After WWI Edward Bernays left the military propaganda office to sell the same methods to corporations. He claimed Goebbels adopted them to push Hitler into power.

The reason an investigation goes all the way up to a former head of Israel’s national cyber agency is that this isn’t some random shop. It’s the normal Israeli cyber-export path working as intended: people leave military intelligence, the money and legal cover follow them into private companies, the state encourages it.

Israeli intelligence operators become marketing tool vendors, or “security” monitoring tool vendors.

When investigators reach the root, they can’t claim a company broke the rules. So the technical report builds a case and then looks like it flames out with a generic firm. It can’t cross into demanding a trial for a foreign government’s economic strategy. The report lands on “the Service will continue its investigations” because there is no solution yet for what is really being sold.

And the irony, therefore, is that the French report ends up a sales brochure: Israeli disinformation sold as a resilience product.