Category Archives: Security

America Prepares as Anthropic Mythos is 100X More Deadly Than Martian Death Ray

NBC News just ran a story called The Vulnpocalypse about Anthropic’s decision to withhold its Mythos model from the public. The tone is, well, you know.

The author, Kevin Collier, lined up well-known cybersecurity vendors to stoke fear that AI-powered hackers will crash financial systems, lock up hospitals, and shut down water treatment plants.

Sigh.

Anyone who has worked in security long enough will recognize this FUD genre immediately. Replace “AI” with “war dialer” and this is the exact same article WarGames generated in 1983. At least back then we said the word war out loud instead of just implying it.

Captain Crunch Whistles for Everyone!

Back in 1983 some Milwaukee teenagers called the 414s (Milwaukee area code, yeah) waltzed into the unprotected computers at Los Alamos National Laboratory and Memorial Sloan-Kettering Cancer Center using nothing more exotic than a modem and a telephone line. The Newsweek cover on September 5, 1983 featured the word “hacker” for the first time on a major magazine cover.

The youngest of the 414s, therefore able to pose on the cover of Newsweek, September 5, 1983

Congress held hearings. Ronald Reagan was shown WarGames and asked the Joint Chiefs if the premise was real. Within a week the answer was: “Yes, the premise was technically possible.” Eighteen months later he pushed a signature onto NSDD-145, the first Presidential directive on computer security.

The actual legal consequences for the 414s were two years’ probation and a $500 fine for phone harassment. And even that seemed a bit much.

Neal Patrick became a media star. John Draper, Captain Crunch himself, had been phreaking the phone system with a cereal box whistle and people talked about it as though he were going to bring down AT&T. The whistle found in kids’ cereal boxes exploited in-band signaling on the analog phone network (2600 Hz tone on the same channel as voice). The fix was to push for the long-overdue move to out-of-band signaling (SS7). It stands as proof of the harm from natural monopolies refusing to invest in baseline safety. Dare I say history tends to rhyme even when it doesn’t repeat?

The vulnerability landscape was real, the exploitation was incremental, and the apocalyptic framing served the companies selling defenses. McAfee built an entire empire on this dynamic, most memorably during the 1992 Michelangelo virus panic, when John McAfee personally stoked fear that millions of computers would be destroyed on March 6th. The press amplified, the public panicked, almost nothing happened, and McAfee’s sales went through the roof. Perhaps most bizarre was how he became a security industry celebrity for undermining trust in the security industry. The vendors and conference attendees at events like BlackHat or Defcon acted as if Enron’s CEO should have been the toast of Wall Street.

The Same Article, Forty-Three Years Later

Collier’s piece follows the 1983 script with remarkable fidelity. The threat model is identical: hypothetical unsophisticated attackers gain access to powerful tools, critical infrastructure is vulnerable, and the proposed solution is withholding the tool from the public while sharing it with “partners.”

Imagine if some kids get a hold of sophisticated string and precision percussion instruments. Madness! Jazz? Rock and Roll? Catastrophe.

The sourcing follows the same pattern. Quote a government official convening emergency meetings (Treasury Secretary Bessent gathering the banks). Quote a vendor whose business model depends on threats expanding (Casey Ellis, founder of Bugcrowd). Quote a former FBI official warning about “wannabes” (Cynthia Kaiser, now a senior vice president at Halcyon). Close with water treatment plants. Everyone drinks water, it’s life. That’s a strong FUD move. Every quoted source in this piece stands to gain from security industry services related to the scariest story possible. Bugcrowd, Halcyon, Luta Security, Scythe. Who needs advertising when the article is the ad?

The Atlantic’s Priority

The Atlantic’s Matteo Wong went even further than Collier. His lede described Mythos as “a tool potentially capable of commandeering most computer servers in the world” that could “hack into banks, exfiltrate state secrets, and fry crucial infrastructure.”

It’s the opposite of reporting. It is the language of a film trailer. Anyone deep inside AI at the operations level knows how fundamentally flawed it remains versus humans.

Wong’s most consequential move was positioning Anthropic as a peer to nation-state intelligence services: “This level of cyberattack is typically available only to elite, state-sponsored hacking cells.” This framing matters because once the press treats a private company as operating at nation-state capability, the company inherits the presumption of nation-state authority over disclosure, access, and classification. Which is precisely what Project Glasswing establishes.

The Atlantic in 2023 published my co-authored article on real, documented AI harm. Tesla’s vehicles have been crashing into trees, killing motorcyclists, and veering off roads for years. The body count is in the hundreds now and the design flaws are landing in court cases. No Treasury Secretary convenes an emergency meeting over it. No consortium of tech giants receives $100 million to address it.

Tesla AI notoriously “veers” uncontrollably and fatally crashes. Design defects (e.g. Pinto doors) trap occupants and burn them to death as horrified witnesses and emergency responders watch helplessly. Source: VoCoFM, Korea, 2024

But a company announces that its AI could hypothetically find software vulnerabilities faster than defenders could close them, and the entire press corps treats it like the fall of civilization.

Water Tanks

In 1915, a battle-hardened and war-weary Winston Churchill funded development of armored tractors meant to break through trenches, barbed wire, and machine gun nests. The British War Office ordered hundreds built under strict secrecy. The project was initially disguised as “water tanks”, which denied German intelligence any insight into what was actually being manufactured. The codename stuck, which is why ironically we still say tanks to speak of things that are not tanks.

The tank changed battlefield tactics, but it most certainly did not end battlefields. The immediate response was to dig better trenches and adapt doctrine. And, as always, a side that understood a new weapon’s limitations and integrated it into combined-arms operations won. A side that waxed about mythical wonder weapons lost.

The history of the rifle tells the same story even more precisely. The bolt-action rifle gave way to the repeating rifle, which gave way to automatic fire. Each transition made a previous method more specialized. Each technology innovation demanded doctrinal adaptation. None of the innovations ended war. Not only is a rifle still a rifle; the NRA whines constantly that you shouldn’t regulate an automatic rifle differently from a powder musket.

Vulnerability discovery has a similar question of progression. Manual research was bolt-action. Automated scanners were repeating. AI-assisted discovery is automatic. What Anthropic built with Mythos is a much faster fuzzer. And since they aren’t a security company at all, they probably are running around the office as if their hair is on fire yelling “what do we do, what do we do” instead of seeing it the way Churchill looked at a tank.

I say this from battle experience. When cloud computing arguably was first launched (e.g. Loudcloud, by Andreessen et al) I punched a massive hole right through claims about customer isolation. It was a normal finding, in my estimation. A service provider says customers are isolated, and my tool says nope. I handed the finding to the man sitting next to me and he literally jumped out of his chair, waved his hands in the air, ran out of the room and around the office yelling “OMG we’re in! We’re in!” He was, shall we say, less experienced.

Zero-day vulnerabilities have been found and disclosed continuously since the term was coined. Google’s Project Zero has been publishing them for a decade. The entire bug bounty industry exists because this is ordinary work. Finding 181 exploits faster than the previous tool found 2 is an efficiency gain in the rate of fire. It is not a civilizational rupture. And here is what the coverage systematically omits: faster discovery means faster patching. A tool that finds vulnerabilities at scale is, by definition, a tool that enables remediation at scale. That makes it a patch accelerator. The question is who controls the framing.

I have spent over a decade working with AI and showing companies both how to break and how to secure it. What I can report from being deep in the field for so long is that the fundamentals have not changed. You still need someone who knows where to point the weapon, and you still need a trench to fight from. The obfuscation is in calling the automatic rifle a magic alien death ray.

Withholding as the Product

“Our model is so dangerous we can’t release it” is, of course, the same sentence as “our model is so valuable you need us.” Such product mystique reads to me more like another geturked presentation to those in power than a proper public threat modeling disclosure.

Copperplate engraving of a “Chess Turk”

Rename “we built a better fuzzer” to “we possess a weapon too dangerous for the public” and you have a centuries-old trick in the defense contractor playbook.

Anthropic announced that Mythos produced 181 working exploits from a vulnerability set where the previous flagship model succeeded only twice. That is a real capability jump and should be taken seriously.

What should also be taken seriously is what happened next: Anthropic shared the model exclusively with twelve tech giants under Project Glasswing, backed by $100 million in usage credits. The withholding became the product launch. “Too dangerous to release” turned out to be the most effective marketing copy the industry has ever produced, and both Collier and Wong ran it as news.

The Treasury meeting completes a very shady picture. Bessent convenes the banks, Anthropic briefs the banks, and suddenly every major financial institution has a rather convenient public-private attachment to Anthropic’s vulnerability discovery capability. That is an undemocratic merger wrapped in false national security fearmongering.

Back Door

The timeline gives it away. On February 27, 2026, Defense Secretary Hegseth raged about making Anthropic a supply chain risk after the company refused his demands to strip safeguards against mass surveillance and autonomous weapons from Claude. Hegseth bloviated so hard, he made Anthropic the first American company ever given a designation normally reserved for foreign adversaries. Anthropic naturally sued, because common sense has to go to court. A judge blocked the designation.

Five weeks later, Anthropic announced Mythos and handed it directly to Microsoft, Google, Apple, Amazon, and the rest of the companies the Pentagon depends on for its entire technology stack. The front door closed and the back door opened wider. When the Secretary of Defense designates you a foreign adversary over a contract dispute, the direct route to military integration is blocked. But you can achieve the same position by making yourself the security backbone of every company the military depends on. No contract. No congressional testimony. No use restrictions. The money flows through the same channels. The brand stays “clean” of Hegseth.

The Doctrine, Not the Weapon

Grant and Sherman won the Civil War by combining coordinated force with the systematic destruction of the enemy’s capacity to produce war. The engagement mattered less than the doctrine. AI vulnerability discovery tools follow the same logic: they are force multipliers for whatever doctrine you already have. If your doctrine is “sell fear,” they push a LOT of fear. If your doctrine is “map the attack surface and hold the line,” they multiply that.

The question nobody in the Vulnpocalypse coverage has asked is whether zero-day resolution is now accelerating faster than zero-day discovery. If it is, then Mythos is a net defensive tool and the entire panic narrative collapses. Anthropic has the data to answer this. They have not published it, to my knowledge. My guess is they lack the security experience to frame it that way.

The 1983 version of this panic produced NSDD-145 and eventually the Computer Fraud and Abuse Act, real legislation born from manufactured urgency. The 2026 version is producing something structurally different: a private company functioning as a classification authority that decides who gets access to vulnerability discovery capabilities and on what terms. That is a larger institutional shift than the old Presidential directive, and it is happening while the press runs “Vulnpocalypse” headlines and quotes panic pill vendors.

The exhausted CISOs and security teams I talk to many times every day already know the AI tools are real and they know the rate of fire has changed. What they need is a defensible position against the flood of AI vendors who confuse a product launch with the end of the world.

Anthropic calls its patch accelerator Mythos for the same reason Churchill called his tractors tanks. The name disguises the use, preventing doctrinal analysis.

Churchill hid the function so the enemy couldn’t develop counterdoctrine. Anthropic hides the function so the market can’t judge how a defensive tool is being pitched as an offensive threat.

Cloudflare Agents Week: Want Safety? Get Wirken

Cloudflare kicked off Agents Week with a blog post asking important questions about AI infrastructure: “which agent are you, who authorized you, and what are you allowed to do?”

Then they moved on to talk about isolates.

The Right Stuff

The Cloudflare post’s core argument is that containers were built for one application to serve many users.

Of course they were. The efficiency of a “service” being multi-user is as old as humanity itself. We don’t ride the shared infrastructure of the Internet, enjoying the massive speed and efficiency gains, wishing we had laid our own dedicated fiber from every person we want to communicate with securely. History shows why.

“Sewer socialism” was a period that solved this mess by developing literal shared sewer systems, fire departments, police stations, and telecommunications, saving America the embarrassment of “radical individualist” infrastructure disasters. Source: In These Times

The dozens of CISOs I met with last week were asking me: how do we run more agents? And I certainly was not telling them to light up one user, one agent, one task. To put it another way, if a CISO asks me about how to scale hardware, I might say let’s talk about a hypervisor to run software-based virtual machines. If a CISO asks me how to scale software-based machines, I might say let’s talk about containers… and so the logic of “sewer socialism” in shared infrastructure lives on.

Cloudflare enters this context saying containers now are too heavy for agents. V8 isolates start in milliseconds, use megabytes instead of gigabytes, and cost orders of magnitude less per session. At the scale agents require, isolates win.

This is correct. Cloudflare is stating the obvious. They have the network. They have the edge. They are like the contractors who provide the cafeteria for your office. But a cafeteria is not a chef. And a chef operating in your building, reading all your email, accessing all your financial accounts, and talking to your coworkers, in fact needs more than a fast startup time to serve hot meals on time.

The Wrong Stuff

Cloudflare’s post reveals a gap, yet they aren’t talking about it directly. Today’s agent deployments are “fraught with risk: prompt injection, data exfiltration, unauthorized API access, opaque tool usage.”

CISOs feel huge pressure to open up “productivity” gains yet can’t sign off because a security model doesn’t exist yet. OpenClaw is one of the biggest design disasters in software history: a single golden key that doesn’t rotate and can be stolen without detection.

Cloudflare’s answer is to merge their developer platform with their zero trust platform. Two products, built for different audiences, being stitched together like a Frankenstein. That takes time. And, for those who forget the science-fiction warning, stitching is not the same as weaving.

The artificially over-hyped open-source agent platform, one that suddenly showed up with 341,000 GitHub stars and little evidence for why, consolidates access to every messaging channel behind a single static token in a single process. No channel isolation. No credential rotation. No audit trail. It’s an embarrassment to the word engineering, a complete absence of design and no sense of accountability.

Cloudflare is stepping in where they operate, at the infrastructure layer. The compute, the network, the edge. And then what sits between that infrastructure and the user’s actual data remains an open question.

That question has an easy answer.

Are Your Agents Wirken Yet?

Wirken is a secure, model-agnostic AI agent orchestration platform. It exists because the tools that run agents against your messaging channels and business data should be built to deserve that access.

The security is not slopped in or bolted on. It is designed with baselines in mind and enforced at compile time.

Every channel adapter runs in its own OS process. A Slack credential cannot touch a Telegram session. This is not a runtime permission check that can be bypassed. It is a Rust phantom type constraint. Cross-channel access is a compiler error. It does not run. It does not build.

Credentials live in an encrypted vault using XChaCha20-Poly1305 with OS keychain integration. They are scoped per channel and rotate. The secret type has no Display, no Debug, no Serialize, no Clone. It zeroes on drop. A credential cannot leak through logging, serialization, or accidental copy because the type system will not allow it.
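The two properties described above (channel scoping as a phantom type, and a secret type with no Debug, Display or Clone that zeroes itself) can be sketched in plain Rust as an added example; this is not Wirken's source code. The names `Channel`, `Secret`, `Session`, `expose` and `wipe` are assumptions made for the illustration, and the token is a constructed value.

```rust
use std::marker::PhantomData;

// Channel markers: zero-sized types that exist only at compile time.
pub trait Channel { const NAME: &'static str; }
pub struct Slack;
pub struct Telegram;
impl Channel for Slack { const NAME: &'static str = "slack"; }
impl Channel for Telegram { const NAME: &'static str = "telegram"; }

/// A secret tagged with the channel it was issued for.
/// No derives on purpose: without Debug, Display or Clone it cannot be
/// handed to println!/log macros or duplicated by accident.
pub struct Secret<C: Channel> {
    bytes: Vec<u8>,
    _scope: PhantomData<C>,
}

impl<C: Channel> Secret<C> {
    pub fn new(bytes: Vec<u8>) -> Self { Secret { bytes, _scope: PhantomData } }

    /// Borrow the bytes only for the duration of the closure.
    pub fn expose<R>(&self, f: impl FnOnce(&[u8]) -> R) -> R { f(&self.bytes) }

    /// Overwrite the buffer; volatile writes keep the optimiser from eliding them.
    pub fn wipe(&mut self) {
        for b in self.bytes.iter_mut() {
            unsafe { std::ptr::write_volatile(b as *mut u8, 0u8) };
        }
    }
}

impl<C: Channel> Drop for Secret<C> {
    fn drop(&mut self) { self.wipe(); }
}

/// A channel session accepts only a secret carrying the same marker type.
pub struct Session<C: Channel> { _scope: PhantomData<C> }

impl<C: Channel> Session<C> {
    pub fn open() -> Self { Session { _scope: PhantomData } }

    /// Returns a non-sensitive description of the authenticated call.
    pub fn authenticate(&self, cred: &Secret<C>) -> String {
        cred.expose(|b| format!("{} session, {}-byte credential", C::NAME, b.len()))
    }
}

fn main() {
    // Constructed sample token, not a real credential.
    let slack_cred: Secret<Slack> = Secret::new(b"constructed-slack-token".to_vec());
    let slack = Session::<Slack>::open();
    let _telegram = Session::<Telegram>::open();
    println!("{}", slack.authenticate(&slack_cred));

    // Each of these lines is rejected by rustc, so no binary is produced:
    // _telegram.authenticate(&slack_cred); // E0308: expected `&Secret<Telegram>`, found `&Secret<Slack>`
    // println!("{:?}", slack_cred);        // E0277: `Secret<Slack>` doesn't implement `Debug`
    // let copy = slack_cred.clone();       // error: no method named `clone` found
}
```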

Every agent action is recorded in an append-only, SHA-256 hash-chained audit log before execution. Tamper with any entry and the chain breaks. Forward it to your SIEM. Hand it to your auditor. It is a complete, verifiable record of what every agent did, when, and with whose authorization.

Skills are signed with Ed25519. Unsigned code does not run. The skill registry is not a marketplace where 20% of entries are malicious. It is a supply chain with cryptographic verification.

The Cafeteria and the Chef

Cloudflare used a good analogy. A traditional application is like an industrial form of restaurant: fixed menu, optimized kitchen, high volume. An agent is a chef who asks what you want (chicken or shrimp), then improvises with whatever tools and ingredients the task requires.

Extend the analogy. The chef is in your office. You hand the chef keys to the entire building. The chef can open all your files, read all your communications, and assume your identity to send messages as you.

You want that chef to be fast with the meal. You also want to know which chef is in your building, who sent them, what they are allowed to touch, and a tamper-proof record of everything they did while they were there.

Cloudflare is building the high-speed kitchen. Fast counters, efficient burners, millisecond cleanup. Wirken is the system that makes sure that any chef you interact with is doing what that chef was authenticated and authorized to do. Different layers. Complementary.

What This Looks Like in Practice

Wirken ships as a single static Rust binary. No runtime dependencies. No Node.js. No container orchestrator. Install it, configure your channels and your model, and run it.

It is model-agnostic. Point it at Anthropic, Gemini, OpenAI, Ollama for local inference, or even Privatemode for confidential inference inside hardware enclaves. The orchestration layer does not care which model you use. The security guarantees are the same regardless.

It runs behind Cloudflare Tunnel today. Any self-hosted Wirken instance gets a public endpoint for webhook-based channel adapters without exposing ports. Cloudflare handles the network. Wirken handles the trust boundary.

It has nine channel adapters for a reference architecture: Telegram, Discord, Slack, Teams, Matrix, WhatsApp, Signal, Google Chat, iMessage. It comes with fifteen bundled skills (natively compatible with OpenClaw) and MCP server support.

Two Layers, One Stack

The shift to agents needs defense-in-depth. The compute layer that makes agents affordable at scale is coming faster than ever. Now an orchestration layer that makes agents safe to deploy is on the table.

Cloudflare asked great questions. Which agent are you, who authorized you, and what are you allowed to do?

The answer is here: github.com/gebruder/wirken

Mosquito Attack Path Analysis

Ugh. Any angler knows that a fish circling a lure is ready to bite. It is the most important moment in the sequence. It’s not hesitation. It’s the last check before commitment. A better lure doesn’t make fish circle more when they already circle. You need the lure to cut the circling time, because it passes final inspection sooner.

With that in mind, a whole study just released about mosquito flight path analysis reads wrong to me.

Deciphering mosquito host-seeking behavior is essential to prevent disease transmission through mosquito capture and surveillance. Despite recent substantial progress, we still lack a comprehensive quantitative understanding of how visual and other sensory cues guide mosquitoes to their targets.

They built a model that predicts flight paths. What they should have built is a model that predicts target rejection. The circle is the authentication window. Every mosquito that circles and leaves is telling you exactly which credential your trap failed to present. CO2 got them to the door. The silhouette got them to slow down. Something in the final check bounced them.

Why?

That’s why the flight path geometry is the least interesting part of their own data. The interesting data is the authentication failure rate and what correlates with it.

Which mosquitoes completed the approach and which ones broke off? At what point in the circle? Facing which part of the target? That’s where the species-level targeting logic lives.

Maybe I need to fish less but the parallel goes further. Nobody studies the shape of a fish’s approach path to improve lure design. We study what makes a fish strike or turn away. The strike-to-rejection ratio is the metric. Everything else is circular.

Twenty million mosquito data points? That’s a lot of circles for nothing.

Palantir is Full of Karp: Humanities Protect Against His AI

Palantir has a serious problem. You can tell by the way their CEO Alex Karp just positioned AI as threatening humanities-trained workers and empowering vocational ones.

That’s exactly backwards. And it’s political. He’s trying to prevent people from pulling the curtain back on his mistakes.

Here’s one. Palantir will tell you they committed an extra-judicial assassination of the man in a purple hat at the crack of dawn. What they can’t tell you is that man was innocent and was wearing a white hat that simply reflected the purple hue of a rising sun.

True story. The humanities-trained analyst catches that. The machine doesn’t. The customer who’s been told humanities are for losers never even thinks to check.

AI is a text machine. It generates competent prose, summarizes arguments, produces passable analysis. Someone with weak humanities skills can now produce humanities-grade output with minimal effort. The floor rises. A trades worker who could never write a policy memo can now generate one. That’s genuine empowerment, and it flows toward exactly the people Karp claims to champion, pulling them toward humanities rather than away from it.

Meanwhile, the skilled knowledge workers whose value proposition was “I think clearly and write well” discover that the market price for clear thinking and good writing just collapsed. AI doesn’t do higher-order thought. And most knowledge work hasn’t been higher-order thought. It was competent pattern execution dressed up as expertise. AI exposes that gap brutally.

So the real disruption runs directly opposite to Karp’s pitch. The humanities-trained workers doing low-level routine cognitive labor lose. The vocationally-trained workers who adopt AI as a literacy tool gain. The technology is fundamentally a language democratizer because humanities become more important, not less.

But here’s what Karp will never say: the democratization only works when someone trains on how to evaluate what comes out.

Garbage Business

AI output without humanities judgment is fluent garbage. It reads smoothly. It sounds authoritative. It is, on average, very wrong in ways that require trained critical thinking to detect. The humanities aren’t threatened by AI. They’re the quality control layer. Editorial judgment, contextual reasoning, the ability to distinguish a coherent argument from a plausible-sounding one: these are the skills that make AI output worth anything at all.

By positioning humanities as the enemy of the working class, Karp ensures they never develop the critical framework to evaluate what AI gives them. They get the tool but not the judgment. Which means they need Palantir to be the judgment layer, with no accountability. That’s not a side effect. That’s the low quality product known as Palantir.

They will tell you to bomb 1,000s of high-value targets 24/7 and when the fog clears shrug at a closed strait and a triple-tapped school full of dead children.

Imagine a steam engine manufacturer who campaigns against thermodynamics education because physicists vote for the wrong party. The engine still runs. It just runs very badly, exploding and killing workers, and only the manufacturer knows why. They’ll sell you the fix instead of reducing the need for fixes.

The steam engine didn’t become transformative because miners got better at mining. It became transformative when social scientists understood labor, markets, thermodynamics, systems. The resistance to change came from mine owners who liked their workers poor, ignorant and dependent. Karp deflates and blocks the necessary science to make workers better. He actively degrades the input that makes his own technology functional, then positions himself as the indispensable intermediary. The cage is tracking workers and keeping them illiterate in the one discipline that would let them see the cage.

Radically Wrong

Thomas Impelluso writing in The Humanist catches the surface move: Karp promises working-class people economic power, delivers employment under total surveillance. He frames it as gender war, misogyny as bait, misandry as extraction. That’s radical politics as far as it goes. But the deeper tell is the specific target. Karp attacked humanities because they’re the disciplines that teach people to recognize that what he’s doing is wrong.

A working-class person with a strong humanities education is Palantir’s worst customer. Imagine someone who can read the output, spot the errors, question the framing, and ask who benefits. A working-class person told that humanities are for Democratic women because real skills don’t need higher education? That’s a cog who takes what the machine gives and is grateful because they don’t know better.

The technology democratizes language. Karp is selling a flawed engine, burning the manuals, and planning to get rich on cleaning up the disasters he creates.

Every authoritarian industrialist in history has done this. Krupp told German workers the socialists were their enemy, then worked them to death in his factories. Henry Ford told American workers the Jews were their problem, then fought unionization with private police. The structure is always the same: name an enemy that isn’t you, claim the workers as your people, extract their labor under your terms.

American autoworkers and their children in 1941 protest Ford’s relationship with Hitler. Source: Wayne State

Karp is doing Ford’s playbook with a PhD. The enemy is humanities-educated Democrats. The promise is economic restoration. The product is surveillance infrastructure that makes the workers more legible to management than any Pinkerton could have dreamed. Ford at least built something the workers could drive home. Karp builds something that drives them.