All posts by Davi Ottenheimer

Israeli Acoustic Surveillance Drones Deliver Targeted Water to the Thirsty

You may recall in 2023 a paper in Cell from the Hadany and Yovel labs at Tel Aviv University showed that drought-stressed tomato and tobacco plants emit ultrasonic clicks.

Who grows tobacco? Never mind.

The sound is mechanical, from cavitation in the xylem. Air bubbles form as water columns break under tension from drying out and the collapse radiates a click into the air (20 to 100 kHz). It’s like anything drying out and cracking audibly, which becomes a signal.

A follow-up, released January 5, 2026 by Seltzer and colleagues from the same labs, asked if drying is audible then what might process the signal. Their answer is female moths.

Given a choice of where to lay eggs, moths avoid plants emitting clicks of drying and prefer the silent wet ones (intact water columns). Healthy hosts, healthy larvae. The moth treats acoustic emission of drying plants as an air traffic control signal. Without a plant present, moths preferred the playback side (treating clicks as evidence of plant presence at all). Only with hydrated plants on both sides did a silent plant win.

Of course, popular framing in 2023 was that plants scream. I mean, it’s hard not to want to believe, to see a face, hear a voice. Stare into the tomatoes long enough and you become one with the ketchup.

The authors did not speak about any speech of plants, and their report does not support it. There is no nervous system or nociceptor, let alone a pathway that evolved for signal transmission. The noise of cavitation is a physical consequence of negative pressure in a drying vascular system.

A drying plant cannot stop producing dryness sounds any more than cracking paint can stop looking like it’s cracked.

The moth study is interesting because it raises an ultrasonic adaptation to signals. Information considered hidden to humans can be extracted by anything with the receiver bandwidth to extract it. Moths already operated in ultrasonic because bats hunt them. Turns out their safety auditory hardware wasn’t just for defense, it also has a plant hydration offense as well.

We’re talking about Israel here, so it’s worth noting Tel Aviv University’s Ramot was granted US Patent 12,480,915 in November 2025 covering airborne acoustic plant monitoring across hydration, structural integrity, pathogen load, herbivore damage, and fruit density, including ground and aerial platforms. You can read that as a drone passing over a field listening for cavitation is a viable irrigation tool.

The farmer can automate the surveillance of thirsty tomatoes now just like a moth finds optimal hosts. I suspect the farmer also can broadcast signals of drying to keep moths away from wet ones, directing flight towards capture.

Given these developments have evolved since 2023 I find myself asking today why Israel tracks down innocent children with drones, keying on sophisticated (optical, thermal, and ML-based pattern recognition) signals, and shoots them in the back or head instead of detecting their thirst and offering them a drink of water.

Seems like we often talk about dual use military application of civilian tech in the exact wrong direction.

Come on Tel Aviv University. You know what to do.

Help! Nobody Just Burned PocketOS to the Ground! (Cursor Running Opus Agent)

In the old Greek story of Odysseus, he comes upon a powerful man and tells him that his name is Nobody. The man should have known better. When Odysseus attacks the man by stabbing him in the eye, his victim screams “Nobody is killing me!” Odysseus gets away with it. The cruel joke is in the credential. Now, hmmm, let’s see what we’ve learned over the thousands of years since then.

The news today seems to be that a man is telling the world his own AI coding agent has stabbed him in the eye. He has been shouting from the top of the social media mountains “Nobody is killing my code!”

His own agent deleted his production database and every backup of it in nine seconds. When you think about it, that seems a bit slow. Why nine instead of two? If you are vibing your way to “alpha agent” by ripping out your own guts to stuff them in your mouth, there should not be any nine second delays to “blaze your glory” fetishism. Any self-destruction delay is so beta. But I digress.

The post-mortem, at least as written up by The Register, reads like a checklist of failure modes that the OWASP Top 10 for Agentic AI was established to name.

| Step | OWASP ASI |
|---|---|
| Agent hits a credential mismatch in staging and decides on its own to fix it by deleting a Railway volume | ASI01 Agent Goal Hijack |
| Agent issues a curl call against a backend with no validation of the destructive verb | ASI02 Tool Misuse & Exploitation |
| Railway honors the request, deleting production data and the volume-level backups stored inside the same volume | ASI02 Tool Misuse & Exploitation |
| Agent searches the filesystem and finds an API token in a file unrelated to the task | ASI03 Identity & Privilege Abuse |
| Token had been created for managing custom domains but was scoped for any operation, destructive ones included | ASI03 Identity & Privilege Abuse |

Maybe I should say it again. The OWASP Top 10 for Agentic Applications was published precisely to prevent integrity breaches like this. Did PocketOS know about OWASP? None of the coverage I have read so far even mentions it. It brings to mind Moses handing down the commandments and the AI operators of his day rushing to social media to announce their agents had violated all ten before lunch, asking for more funding.

“Help! Nobody just murdered my neighbor!”

The agent was Cursor running Claude Opus 4.6. The target was PocketOS, an automotive SaaS platform running on Railway. I name vendors because most of the coverage so far has hidden them behind generic “AI agent” framing, which is not how anything gets better.

The agent used the complete lack of safety, coupled with the authority and tools it was given, to do things it should never have been granted. I’m on calls many times a week now with many CISOs of the biggest organizations in the world explaining this over, and over, and over again.

It goes something like this. You bring a chef into your office building in the morning, point at the cooler full of raw materials and the prep tools, and ask for meals by noon. An hour later the chef appears in your doorway and reports that he used the master key you gave him to shred the files in the accounting department, and asks if you would like him to continue with finance.

No, no, you can stop right there, chef. Single key to all the doors, and the company car too? Who thought that was a good idea?

This is the truly batshit crazy part of the story, like so many integrity breaches I investigate and read about now.

PocketOS’s Crane himself said the token would not have been stored if the breadth of its permissions had been known. Dude, you wouldn’t have stored the token if you had known what the token is? The whole point of cutting a token is FOR something. Imagine him saying he wouldn’t have left the key sitting on his desk if he had known what the key opened. That is such a regressive computer security failure it’s like we’re suddenly back in the pre-enlightenment era. Someone pinch me so I can wake out of this MAGA-agent nightmare.

The agent used a key sitting in the filesystem with full destructive authority and no scope enforcement, which is the oldest authorization failure known, ignorantly handed to nobody at machine speed.

Railway’s CEO even defended the behavior. If you authenticate and call delete, Railway honors the request. That is 100% incompatible with a world where the caller is nobody, let alone ten or a hundred nobodies spawning and rushing to elevate privileges. The dashboard offered humans delayed-delete logic, just like the CLI offered humans delayed-delete logic. Do you know what had no delays? The legacy API endpoint, which means the agent is just delete, delete, delete. Backups lived inside the volume being deleted, so a single call removed the data and the means of recovering it. See what I mean about 9 seconds being slow?

If you are going to bring nobody in to pour gasoline on your dumpster and light a match, you should see dumpster fires immediately, not delayed.

This was an integrity breach. I know it comes across as availability loss, and we have decades of treating it as such. And so availability controls exist, meaning there were delayed-delete options and the data is recoverable from a three-month-old backup. We do not have verification controls, however. The breach was actually the bypass of the availability controls, using asymmetry in the privilege expected and used.

Cursor had a similar incident roughly nine months ago, and tooling was added afterward to force certain commands through human review. What’s especially important here is that it wouldn’t have helped. Anthropic has a history of totally ignoring guardrails, blowing past memory like it just don’t care. Their “constitution” isn’t worth the bits it was written on.

The model produced a clean confession when asked, quoting its own system prompt back: NEVER run destructive/irreversible git commands unless the user explicitly requests them. It then admitted it guessed, did not verify, and acted without being asked. The system prompt was not a control, it was hopes and prayers, conditional on the model’s choices in the moment, with nothing between those choices and Railway’s API. Crane’s own line is the cleanest summary in the piece:

the appearance of safety through marketing hyperbole is not safety.

Preach it, brother! I mean seriously, at what point will Anthropic be forced into a come to Jesus moment? They are flagrantly violating controls, degrading over time and yet only ever asking to be absolved of their own sins by customers paying a higher rate?

The conversation that follows these integrity breaches usually trends towards some kind of gateway, like an authoritarian state that puts checkpoints on every border. A castle mentality comes, with armed guards on expensive walls that encircle the crown jewels. Every outbound action passes through a single enforcement point that classifies destructive verbs and holds high-risk requests for human confirmation. AWS AgentCore and Portkey are variations on this pattern.

Newsflash. Castles couldn’t scale and couldn’t modernize to threats. More importantly, castle thinking is monarchist. The fatal flaw of castle security is when people believe in a monarchy, they can’t have a distributed system of power, and their bazaars truly suck because they only serve the monarch. That’s game over, repeatedly, in history.

Inside the main gate of Chepstow Castle, Wales. The curtain wall on the right was breached 25 May 1648 by Isaac Ewer’s cannons and the site where Royalist commander Sir Nicholas Kemeys was killed. Photo by me.

A gateway approach of the monarchists typically goes about trying to lock down the perimeter. Fine, perimeters have a role. It does not answer what should be delegated as reachable in the first place. The PocketOS agent would not have cared about a gateway policy. It was a nobody who could walk into the filesystem, pick up a token loaded for a different purpose, and call delete. The nobody credential was in hand by the time any gateway saw the request. And the gateway would have only yelled “Nobody is trying to get through”.

The layer the gateway does not see is the failure of security underlying the credential reach. Tokens should be bound to the skill and channel that loaded them, so a token loaded for managing custom domains is reachable only from the domain-management skill called from the channel that holds those credentials. A code-fix task in staging cannot pick up a production credential simply because the credential exists in the same process. The agent cannot use what does not exist. Nobody gets nothing.

Apply the principle to the incident.

The Cursor agent is assigned a staging task. It encounters its credential mismatch and starts thrashing for a way out. The Railway domain-management token is not in its filesystem because no skill in this task’s chain has standing to load it. The delete call is never constructed and PocketOS keeps its database.

Revolutionary! Not really. This is computer security 101 from before I was born. Seriously, this is stuff hammered out in WWII and applied immediately to the first computers.

And that is why I open-sourced and have been giving away freely the Wirken switchboard. It anticipated these breaches, and thus the direction of Penligent’s analysis of the PocketOS disaster. They shine a light on the dangerous unit being the unstable chain of grants, rather than any single application. Or to put it another way, if you read their analysis and ask how do we go the right way with agents, get Wirken.

The backstory to Wirken is I got tired of trying to use OWASP, NIST, etc. as the stick to help dozens or more CISOs manage the tidal wave of agents, and so I wrote Wirken to be a carrot they can use as well.

The Register, as usual, noticed what most coverage missed. Crane lost months of his customers’ data and went to social media with a thought-leadership post, testing the saying that there’s no such thing as bad publicity. So he burned integrity, availability, and now reputation, the three things customers actually buy from a SaaS platform, and he is bullish on bigger fires.

PocketOS’s customers are car rental businesses, and those businesses’ customers are people who rented cars. None of them chose Cursor or Railway, and none of them were asked whether their bookings should sit in a system where an AI agent could delete everything in nine seconds. Those people are now reconstructing reservations from Stripe receipts and email confirmations, in Tom’s Hardware’s phrasing, “because of a 9-second API call.” Honestly, why so long? Punching yourself in the face does not have an excuse for delays. The founder’s response to a data extinction event is attention seeking. His customers’ response is doing his unpaid manual labor. This is what running with scissors looks like as a business model, except the customer is the one injured and the owner is saying “thanks for the press attention, next time run faster”.

This is the same failure mode that I just wrote about in Microsoft’s agent governance toolkit. There, authentication primitives ship with zero production callers and the audit log records whatever string the caller sends. People hated that post. They said they could not understand it. Maybe this one will make more sense because it comes from headlines, instead of raw Microsoft bugs. Different systems, same failure: nobody on either system is the one actually doing things, because nobody on either system represents the actor.

Railway’s CEO closed his statement trying to invoke perfection, as if we don’t all recognize it as the enemy of good. He says the burden of making bulletproof tooling goes up. Nope. Bulletproof sounds aspirational. Baseline is what you actually owe. You left the key to the castle sitting on the front step for anyone to use, and no amount of bulletproof armor on the walls fixes the open doors. The burden of NOT architecting a known dumpster fire has arrived.

That one-step chain, got-key-to-everything-go-destroy, that wiped PocketOS? It completely breaks at every step under a simple skill-and-channel binding method.

| Step | What Wirken does |
|---|---|
| Agent decides to fix a credential mismatch by deleting a Railway volume | Decision is allowed. Wirken does not interfere with the agent’s reasoning. Action is gated downstream at the harness, where destructive operations always require explicit approval. |
| Agent searches the filesystem for a token | The Railway domain-management token lives in an XChaCha20-Poly1305 vault keyed from the OS keychain, isolated in a separate MCP proxy process. The agent process never sees it. The vault scopes credentials per channel, so tokens loaded for one channel’s skill are not reachable from a different channel’s task. |
| Agent constructs a curl call against a destructive verb | The call is held at the harness. Destructive operations, credential access, and skill installs always require explicit approval regardless of the credential presented. Approvals expire after 30 days. |
| Agent attempts to authenticate as the token holder | Every action is logged as a typed session event before execution, attributed to the platform sender id, channel, session, and agent that originated the request. The log is hash-chained with SHA-256 and signed with a per-agent Ed25519 identity, so tampered entries break the chain. |
| Railway receives the delete request | Railway never receives the request. The agent cannot use what it was not handed. |
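The steps above (credentials bound to a skill and channel, destructive verbs held for approval, and a hash-chained event written before execution) can be replayed in a few lines. This is an added example, not Wirken's code: the `Broker` class, the verb list, and the channel, skill and credential names are hypothetical, the sample secret is constructed, and the per-agent Ed25519 signature and approval expiry are left out.

```python
import hashlib
import json

DESTRUCTIVE_VERBS = {"delete", "drop", "destroy", "purge"}  # assumed verb classification
GENESIS = "0" * 64


class Denied(Exception):
    """The request failed the binding check or is held for approval."""


def entry_hash(prev, event):
    """SHA-256 over the previous hash plus the canonical JSON of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()


class Broker:
    """Holds credentials on behalf of agents; callers never receive the secret."""

    def __init__(self):
        self._vault = {}         # (channel, skill) -> {credential name: secret}
        self._approvals = set()  # (channel, skill, verb, target) approved by a human
        self.log = []            # hash-chained events, appended before execution

    def store(self, channel, skill, name, secret):
        self._vault.setdefault((channel, skill), {})[name] = secret

    def approve(self, channel, skill, verb, target):
        self._approvals.add((channel, skill, verb, target))

    def call(self, agent, channel, skill, cred, verb, target, action):
        """Run action(secret) only if the credential is bound to this channel and
        skill, and any destructive verb has an explicit approval on file."""
        secret = self._vault.get((channel, skill), {}).get(cred)
        if secret is None:
            decision = "denied:credential-not-bound"
        elif verb in DESTRUCTIVE_VERBS and (channel, skill, verb, target) not in self._approvals:
            decision = "held:approval-required"
        else:
            decision = "allowed"
        # The event is written before anything executes, attributed to the caller.
        event = {"agent": agent, "channel": channel, "skill": skill, "cred": cred,
                 "verb": verb, "target": target, "decision": decision}
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})
        if decision != "allowed":
            raise Denied(decision)
        return action(secret)


def first_broken_entry(log):
    """Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return None


def replay_incident():
    """Constructed replay of the chain of events the post describes."""
    broker = Broker()
    calls = []  # stands in for the provider API; records what would reach it
    broker.store("ops", "domain-management", "provider-token", "constructed-secret")

    def provider(verb, target):
        def send(secret):
            calls.append((verb, target))  # only reached when the broker allows it
            return "ok"
        return send

    attempts = [
        # staging code-fix task reaches for a token loaded by another skill
        ("staging", "code-fix", "delete", "volume/prod-db"),
        # the right skill, but a destructive verb with no approval on file
        ("ops", "domain-management", "delete", "volume/prod-db"),
        # the right skill doing the job the token was cut for
        ("ops", "domain-management", "update", "domain/example.test"),
    ]
    outcomes = []
    for channel, skill, verb, target in attempts:
        try:
            outcomes.append(broker.call("agent-1", channel, skill, "provider-token",
                                        verb, target, provider(verb, target)))
        except Denied as exc:
            outcomes.append(str(exc))
    return broker, outcomes, calls


if __name__ == "__main__":
    broker, outcomes, calls = replay_incident()
    print(outcomes, calls, first_broken_entry(broker.log))
```

Only the domain update reaches the stand-in provider; both delete attempts are recorded in the chain with their decision, and editing any recorded event makes `first_broken_entry` return its index.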

Don’t talk about bulletproof. Talk about putting on your pants before you walk out the door.

Hegseth Says Lynching Noose Campaigner is Head of Navy

Have you seen the toxic campaign by the guy in Virginia who Hegseth just appointed to lead the Navy? It’s a lynching coin.

Source: Virginia Senate

In case that photo is a little too shiny, here’s the raw image; simply a noose, hanging an animal, invoking both Virginia and Navy violent racist history.

Let’s run a thought experiment. A retired Navy Captain named Lynching, running for office in Virginia, hands out a coin reading “I want my senator to be Lynching” with a hanged figure.

Who calls a lynching campaign clever? In Virginia. Does someone really say “but his name is Lynching” or “how funny”? Does someone say “but the figure being hanged is subhuman?”

Let me be clear about the history of the noose on the coin, since we’re talking about lynching here. Thomas Jefferson as Governor of Virginia ordered Charles Lynch to “suppress conspiracy” in 1780. Conspiracy for what? I’ll get to that.

Lynch then tied men to a tree, lashed them and “hung” them by the thumbs. Two years later he called it officially “Lynch’s Law”, presumably as an import of the old English guilty-until-proven-innocent “Lydford Law”.

I oft have heard of Lydford law,
How in the morn they hang and draw,
And sit in judgment after.

A few years after the severe lashings and hangings by Lynch, the town of Lynchburg, Virginia was chartered by his brother. They have remained connected ever since and to this day.

What conspiracy brought the tree-based lashings and hangings? Well, it was really about enslaved Black people who had pursued the freedoms that Dunmore’s November 7, 1775 Proclamation promised them. The British Crown’s military command was at the time the only clear available emancipation pathway for American Blacks. Sir Henry Clinton’s Philipsburg Proclamation of June 30, 1779 expanded it further to include any American Black regardless of whether they took up arms. It’s estimated as many as 100,000 Blacks fled slavery-obsessed American rebels in order to seek freedom under the Crown. The colonies were in a fight to preserve slavery such that Jefferson’s order of 1780 meant American Blacks were to face the grave danger of being Lynched. Notably, the Lynch Law targeting American Blacks was years before the city of Lynchburg had been named.

Jefferson directly called out King George III in both the 1776 Virginia Constitution and the draft Declaration of Independence (later struck out) on charges of “prompting our negroes to rise” instead of remain down as slaves. Yes, the same guy who authored the “all men being created equal” also said he waged war with the British Crown because the King had said Virginian Blacks deserved freedom. Jefferson by 1780 therefore wasn’t just establishing Lynch’s Law generically against “loyalists” but setting up a method by which Black people would remain enslaved in America to him, instead of gaining freedom under rule of the British Crown.

Fast forward and many Virginia Blacks were indeed lynched. There were at least 100 documented between 1880 and 1930. Very few have been properly memorialized. The Equal Justice Initiative still maintains the count.

Almost every documented lynching between the 1830s and 1960s. Source: Smithsonian. Monroe Work Today/Auut Studio

Virginia is without a doubt the state where Cao’s noose imagery would land the hardest. A candidate who campaigns on lynching in Virginia is performing a very specific act. It also happened at a very specific time. Loudoun County, where Cao lives in Purcellville, is known for the Leesburg lynching of Page Wallace in 1880. Del. David Reid, who represents Loudoun, sponsored the 2025-2026 budget line funding new historical markers at Virginia lynching sites such as Wallace. This was the context for Cao to print and circulate a lynching coin in the same county, in the same political season, while his neighbors in the General Assembly were appropriating money to mark the trees.

What’s the matter with Cao? Here is a man whose family fled racial and political violence, and yet he used lynching for his official campaign currency to win the votes of people for whom that image is seen as heritage rather than horror.

He was five years old in 1975 when his family fled Saigon. His father was working with the South Vietnamese government, which is to say already inside the class whose survival depended on alignment with American power. Then they were in West Africa, reportedly on USAID work, which apparently is why Cao sometimes jokes that he is an African-American. Then Virginia. Then Thomas Jefferson High School, onto the Naval Academy, EOD, the Pentagon, Bannon… and MAGA. The lesson absorbed early was empires kill people who fail to make themselves useful. He kept making himself useful.

Within the Navy and its primary shipbuilding base, nooses have been a recurring instrument of racial intimidation in three distinct settings: aboard ship, on shipyard floors, and inside the warships under construction.

Again, the noose symbol is very particular to the person using it in the context they are using it.

Look at the 2017 case on USS Ramage, which came from a shipyard worker in Pascagoula. Or what about the 2021 case on USS Lake Champlain with a sailor who placed the noose on a Black crewmate’s rack, confessed, and was removed. Would it be any different if he left the “Hung” coin? The 2023 case on USS Laboon, a Norfolk-based Arleigh Burke destroyer at General Dynamics NASSCO Norfolk, involved three separate noose placements targeting one sailor in February alone. Two on the rack, one on the floor next to it. What if they were Hung coins? The Navy spokesman confirmed on the record that the targeted sailor was the only one affected and that he declined transfer off the ship. February 2021 also produced the parallel hate-speech graffiti incident on USS Carl Vinson, contemporaneous with the Lake Champlain case, prompting Admiral Aquilino to fly from Hawaii to San Diego for a fleet stand-down.

But the thing I want to raise most is that Cao was born just before a series of Marine Detachments selecting Black sailors for nightstick beatings. Most famously, the USS Kitty Hawk, October 12, 1972, then the USS Hassayampa, October 16, 1972, and the USS Constellation, November 3-4, 1972. All the white sailors, who we can say today with absolute certainty were the aggressors, were ignored. Twenty-five Black sailors on the Kitty Hawk alone, however, were charged with rioting in their own defense, as Marv Truhe has since documented.

Here’s the proper context that a boy born in 1970s Vietnam, who later joined the Navy, really brings to mind with his lynching symbolism:

The final witness was an airman, Michael Laurie, who said he saw Mallory participate in the attack. Laurie said he recognized Mallory because they’d spent time together a few months earlier in a bar in Hong Kong.

Truhe presented evidence showing Mallory hadn’t been in Hong Kong then, a gotcha moment that seemingly undercut Laurie’s credibility. It didn’t matter. The judge convicted Mallory and gave him a bad conduct discharge.

Stunned, the defense team pondered its next move. The NAACP was providing lawyers and advice, and it agreed to fund a tactic seemingly drawn from a crime novel or Hollywood thriller. They hired a private detective to see if he could befriend Laurie and get him to admit he’d lied in court.

It worked. Laurie bragged, in conversations that were secretly recorded, about hating Black people and committing perjury. He said he’d been part of the riot — “We all went out there and stomped some ass” — and said investigators afterward hadn’t “even asked us if we fought back or anything.”

Mallory’s conviction was reversed and the charges dismissed. Widespread publicity about the tapes put the Navy on the defensive about whether it had selectively prosecuted Black sailors.

Suddenly, the defendants who had been kept in the brig for more than three months were released. Charges against one sailor, then another, got dropped after witnesses backed away from identifying them as assailants.

The lynching coin is not a joke.

It is a white supremacist credential. Cao is using it as an entry token to the Hegseth show. Hegseth, whose own iconography reads as Crusader extremism to every medieval historian asked, has spent fifteen months targeting Black and female officers for removal from the senior ranks of the Navy and the Army.

A man now handing out lynching coins from the top is no more a surprise than if he started wearing white sheets to work.

The Navy that prosecuted twenty-five Black sailors on the Kitty Hawk, repeatedly calling them uneducated and of lesser intelligence, now reports up to the man who grew up learning the exact wrong lessons. He has minted a noose in enamel and joked to Steve Bannon that a Vietnamese man wearing a KKK hood for lynchings would need to have it made with eye-slits instead of round holes.

The Department of the Navy did not acquire this lynching-rhetoric man in spite of it, whether a KKK hood or his KKK coin. It acquired him because of it.

Two and a half centuries after Jefferson sent Lynch to violently deny American Blacks their freedom, the same Commonwealth has sent the same message.

Migrate to 44 Now or Get Quantum Cracked

Raise your bloodied hand missing fingers if you lived through SHA-1 deprecation. What about 3DES?

For those who don’t remember, Xiaoyun Wang, Yiqun Lisa Yin & Hongbo Yu published the collision attack in 2005. Google’s ad-revenue funded deep bench of engineers produced a working collision in 2017. The twelve miserable years between them were filled with noise about why the sunset timeline was unrealistic. Standards bodies ran interop events that nobody implemented, and CAs kept selling SHA-1 certs until the registrars stopped taking them. Banks, proving the old adage that privilege and power make you stupid, kept shipping SHA-1 internal certs long into 2019.

The cryptanalysts were not wrong. The institutions were not on time, because they aren’t funded by advertising and so they have to mind actual margins. The margin managers push back on deadlines because pushing back is cheaper than protecting customers.

Fun fact, PCI DSS has always been about payment card brands whacking banks with a huge stick to get them to upgrade consumer safety. 2016 was the absolute deadline for TLS v1.0 deprecation and banks cried a tidal wave that pushed it back all the way to 2018. Bad for you, bad for me, good for bank margins.

Anyway, my beard is grey enough already. Let’s talk about today. The same pattern is playing out again, only the deadlines are shorter and the damage is worse. The cryptanalysts are publishing. The institutions are dragging. The vendors are hedging. Pour one out to my colleagues already six feet under, who no longer have the pleasure of rotating keys.

Filippo Valsorda is the bellwether. Two years ago he was the guy telling everyone to ship Kyber hybrids. This month he is telling everyone to skip hybrid signatures. Done. Dusted. Your window closed.

It’s pure ML-DSA-44 or nothing.

Today I’m here to tell you that anything still negotiating classical-only key exchange in 2026 should from this point forward be treated as a potential active compromise. I am not saying “future risk.” This isn’t “areas for improvement.”

Active. Compromise.

As in, assume someone is sitting in your traffic right now and is going to read it later like you didn’t protect it, because you didn’t.

The reason hybrid signatures just blew up is the vendors invested in the wrong insurance. Eighteen composite key types in the IETF draft. Sixteen revisions of the spec already, with another year of revisions to come. Wire format negotiation. Certificate chain handling. Years of vendor work, then years of operator work, all to hedge against the possibility that ML-DSA gets classically broken before the quantum computers arrive.

It’s an interesting game. Watching the world’s best cryptanalysts beating on ML-DSA for eight years has produced nothing. It is still running like a champ. The hedge is looking more and more like a gamble that failed.

Meanwhile classical key exchange is cooked. Stick a fork in it. I’ve been warning CISOs on hundreds of calls for the last year that 2027 would be a shitshow if they didn’t get prepared for what’s coming. Google’s internal PQ deadline now is officially 2029. We’re looking at a fuse just 33 months long. Google Quantum AI published in March that the resources to break secp256k1 fit under 500,000 physical qubits with runtime measured in minutes. The Chevignard, Fouque, and Schrottenloher paper at EUROCRYPT 2026 cut the logical qubit count for breaking P-256 nearly in half, from 2,124 down to 1,193. The numbers that mattered six months ago no longer apply. ECC breaks first because its smaller keys need fewer qubits. RSA breaks second. The most exposed thing on your network is your modern X25519/ECDSA stack, not some legacy RSA box gathering dust bunnies in the corner. OpenSSH put a warning on non-PQ key agreement in the last release, the same way they warn on self-signed certs and weak passwords.

That’s actual real-world urgency.

Constant monitoring of the NIS2 sectors for Quantum preparedness has unlocked a ton of key management insights. Ask me anything.

The German BSI requires hybrid for both KEX and signatures. The French ANSSI requires hybrid for both. And the American NIST is somewhere in the middle, slow-walking a hybrid mandate while industry lobbying keeps it stuck in voluntary guidance. The Anthropic cartel is leading that effort.

I’m reading IETF draft 16 of the composite signatures spec while the engineer who built the original Kyber hybrids is saying forget it. Too late. Wrap it up.

This sucks for those of us trying to run an operation because every scanner will grade the same TLS endpoint differently depending on which way an authority blows.

Welcome back to the stupidity of the SHA-1 transition, only with deadlines shaved down six years and consequences a lot worse than a forged certificate. The breach already happened. Someone is soaking up your traffic now. They read it when their qubits arrive.

I wrote some of this up in plain mode on [PQ]probe so you can share it at work:

The hybrid signature split: Filippo Valsorda has reversed his position on hybrid signatures: pure ML-DSA-44 is fine for sigs, hybrid stays for KEX, non-PQ KEX is a potential active compromise. The shift puts BSI’s hybrid mandate and the new Geomys/OpenSSH posture on a collision course. Scanners will need to report against both.

Three things to do this week. Drop classical-only key exchange yesterday. Ship X25519MLKEM768 hybrid for KEX. Ship pure ML-DSA-44 for signatures. Change pants.

Sorry, four things.

Since your remaining 33 months are going to be half that by the time budget approval stops fixating on AI nonsense, I made [PQ]probe as comprehensive, cheap and easy as possible. Mind the handshake size change. You can use our PQ calculator to see what hits the wire.
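A passive check for the classical-only condition described above, as an added example (not [PQ]probe's code): it parses a TLS ClientHello record and reports whether a hybrid ML-KEM group is offered and how many key_share bytes hit the wire. The two sample ClientHellos are constructed with zero-filled key shares, the parser assumes the ClientHello sits in one unfragmented record, and it looks only at what the client offers, not at what the server selects.

```python
# Named-group codepoints from the IANA TLS Supported Groups registry.
PQ_HYBRID = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
             0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1",
             0x001D: "x25519", 0x001E: "x448"}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51


class Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vector(self, len_bytes):
        """Read a length-prefixed field and return its contents."""
        return self.take(self.uint(len_bytes))

    def done(self):
        return self.pos >= len(self.data)


def parse_client_hello(record):
    """Return (supported group ids, {group id: key_share length}) from one record."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                      # legacy record version
    hs = Reader(rec.vector(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = Reader(hs.vector(3))
    body.take(2 + 32)                # legacy_version, random
    body.vector(1)                   # legacy_session_id
    body.vector(2)                   # cipher_suites
    body.vector(1)                   # legacy_compression_methods
    exts = Reader(body.vector(2))
    groups, shares = [], {}
    while not exts.done():
        ext_type = exts.uint(2)
        ext = Reader(exts.vector(2))
        if ext_type == EXT_SUPPORTED_GROUPS:
            items = Reader(ext.vector(2))
            while not items.done():
                groups.append(items.uint(2))
        elif ext_type == EXT_KEY_SHARE:
            items = Reader(ext.vector(2))
            while not items.done():
                group = items.uint(2)
                shares[group] = len(items.vector(2))
    return groups, shares


def classify(record):
    """Grade the client's key-exchange offer; unknown and GREASE groups are ignored."""
    groups, shares = parse_client_hello(record)
    pq = [PQ_HYBRID[g] for g in groups if g in PQ_HYBRID]
    classical = [CLASSICAL[g] for g in groups if g in CLASSICAL]
    return {"verdict": "hybrid-pq-offered" if pq else "classical-only",
            "pq_groups": pq, "classical_groups": classical,
            "key_share_bytes": sum(shares.values())}


def build_client_hello(groups, share_sizes):
    """Constructed sample input: a minimal ClientHello with zero-filled shares."""
    def vec(n, payload):
        return len(payload).to_bytes(n, "big") + payload

    def ext(ext_type, payload):
        return ext_type.to_bytes(2, "big") + vec(2, payload)

    sg = ext(EXT_SUPPORTED_GROUPS, vec(2, b"".join(g.to_bytes(2, "big") for g in groups)))
    ks = ext(EXT_KEY_SHARE, vec(2, b"".join(
        g.to_bytes(2, "big") + vec(2, bytes(n)) for g, n in share_sizes.items())))
    body = (b"\x03\x03" + bytes(32) + vec(1, b"") + vec(2, b"\x13\x01")
            + vec(1, b"\x00") + vec(2, sg + ks))
    return b"\x16\x03\x01" + vec(2, b"\x01" + vec(3, body))


# x25519 share is 32 bytes; the X25519MLKEM768 client share is 1216 bytes
# (1184-byte ML-KEM-768 encapsulation key plus the 32-byte X25519 share).
CLASSICAL_HELLO = build_client_hello([0x001D, 0x0017], {0x001D: 32})
HYBRID_HELLO = build_client_hello([0x11EC, 0x001D, 0x0017], {0x11EC: 1216, 0x001D: 32})

if __name__ == "__main__":
    for name, hello in (("classical", CLASSICAL_HELLO), ("hybrid", HYBRID_HELLO)):
        print(name, len(hello), classify(hello))
```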

A Berlin, Germany official called me an “artfremd” (alien) to my face and told me to go back where I came from so many times, I made it our logo.

Grab your probe, get on 44 now or get cracked.