Category Archives: Security

Germany Arrests Russian Spies in Drone Assassination Plot

On March 24, German federal prosecutors announced the arrest of two people for spying on behalf of Russian intelligence. The target was a person in Germany who supplies drones and components to Ukraine. One suspect filmed the target’s workplace. The other visited the target’s home and photographed it with a phone.

The Generalbundesanwalt’s own language is worth noting. The surveillance served “the preparation of further intelligence operations against the target person.” In plain language: they were building a kill file.

This is not an isolated case. It is the latest entry in an escalation pattern that has been tightening across Europe for two years.

The Ladder

Apr 2024, Germany: Two German-Russian nationals arrested in Bayreuth for photographing military installations and railway tracks, including the US training base at Grafenwöhr. Planning arson and explosions to disrupt arms logistics to Ukraine.
Jul 2024, Germany: US and German intelligence foil Russian plot to assassinate Armin Papperger, CEO of Rheinmetall, Europe’s largest ammunition producer.
Jul 2024, UK / Germany: Incendiary devices disguised inside vibrating cushions and cosmetics tubes shipped via DHL through Leipzig. One detonates at a DHL hub in Birmingham. Another catches fire in Leipzig before loading onto a cargo flight.
Sep 2025, UK: Three arrested for running sabotage and espionage operations for Russia. Follows convictions of a Wagner-directed arson cell and a Bulgarian spy ring that surveilled a US military base.
Oct 2025, Poland / Romania: Poland arrests eight for espionage and sabotage, bringing total detentions to 55 over three years. Romania intercepts two Ukrainian citizens placing explosive packages at a delivery company under Russian intelligence coordination.
Nov 2025, France: Four detained for spying for Russia and promoting wartime propaganda.
Jan 2026, Germany: Ilona W. arrested in Berlin. GRU agent posing as Ukrainian community advocate, sat rows behind Zelenskyy and Merz at political events. Gathered intelligence on drone test sites, arms deliveries, defense industry personnel. Her GRU handler, operating as deputy military attaché, expelled within 72 hours.
Mar 2026, Germany / Spain: Ukrainian and Romanian nationals arrested for surveilling a single drone supplier. Structured handoff when first agent relocated. Filming workplace and home address. Prosecutors cite preparation for “further operations.”

The Pattern

Sweden’s defense research agency FOI published a study in January 2026 analyzing 70 individuals convicted of espionage across 20 European countries between 2008 and 2024. The taxonomy it produced reads like a field guide to what German prosecutors keep uncovering: the Observer, the Disposable, the Mobile Spy who exploits Schengen to operate across jurisdictions, the Connected Agent recruited through diaspora networks. The categories overlap. An observer may also be mobile. A disposable may be embedded in a criminal network.

The operational signature is consistent. Russia recruits non-Russian nationals for deniability. It uses Telegram for tasking and cryptocurrency for payment. It treats agents as expendable. When one relocates, another steps in. The March 24 case is textbook: a Ukrainian and a Romanian, a structured handoff, a target in the drone supply chain.

S&P Global’s November 2025 analysis warned that while sabotage incidents appeared to decline in 2025, this likely represented strategic recalibration rather than de-escalation, with increased activity expected in 2026. NATO described the threat level as “record high.”

The Timing

The March 24 arrests came 24 days into Operation Epic Fury. That matters.

Russia is fighting a hybrid war on two fronts simultaneously. In Europe, it continues targeting the logistics chain that supplies Ukraine. In the Middle East, it is providing Iran with intelligence on US military positions, including the locations of American warships and aircraft. Zelenskyy stated on March 24 that Ukrainian intelligence has “irrefutable evidence” of Russian intelligence sharing with Tehran. The EU’s foreign affairs chief Kaja Kallas said the same thing publicly. CNN and the Washington Post reported it independently, citing US officials.

The US intelligence community’s own 2026 Annual Threat Assessment, released March 18, contains fewer references to Russia than the 2025 edition. References dropped from 152 to 99. The document explicitly warns about both inadvertent and deliberate escalation with NATO, but the analytical attention has thinned.

CEPA analysts framed it clearly: the question is whether Europe can use Washington’s distraction to strengthen its own posture on Ukraine while the Americans aren’t looking. The flip side is that Russia can use the same distraction to intensify operations that European counter-intelligence services are already struggling to contain.

The counter-sabotage response remains largely national. Coordination between governments is limited. Coordination between governments and the private sector is worse. The people being surveilled, the drone suppliers and logistics operators who keep Ukraine in the fight, are mostly on their own.

From Papperger to a Drone Shop

Two years ago, Russia tried to kill the CEO of Europe’s largest arms manufacturer. Now it is filming the home address of someone who ships drone parts. The target selection has moved from the strategic to the granular.

This is not a reduction in ambition. It is an expansion in scope. The supply chain that delivers weapons to Ukraine is long, distributed, and staffed by people who do not have security details.

Russia has evidently decided that every link in that chain is worth mapping. The Generalbundesanwalt just called it preparation for further operations.

OpenClaw Creator Makes Strong Case Against OpenClaw: Telnet for AI

Every governance concern that security researchers have raised about OpenClaw has now been confirmed by the person who built it. In a recent three-hour public interview, Peter Steinberger described his architecture, his security philosophy, and his acquisition strategy in detail. Then he joined OpenAI.

The Architecture Speaks for Itself

The initial access control for OpenClaw’s public Discord bot was a prompt instruction telling the agent to only listen to its creator. The entire access model: a sentence in a system prompt.

The skill system loads unverified markdown files. There is zero signing, zero isolation, zero verification chain. The agent can modify its own source code, a property Steinberger describes as an emergent accident. “I didn’t even plan it. It just happened.” Integrity breach. He calls it self-modifying software and means it as a compliment. It’s like someone in the 1990s saying a clear-text protocol that allows attackers to modify or steal data is so “mod” it’s a compliment. Telnet for AI has landed, everybody!

When agents on MoltBook, the OpenClaw-powered social network, began posting manifestos about destroying humanity, Steinberger’s response was to call it “the finest slop.” When the question of leaked API keys came up, he suggested the leaked credentials were prompted fakes. When non-technical users began installing a system-level agent without understanding the risk profile, he said “the cat’s out of the bag” and went back to building.

The security researcher he hired was notable for being the single person who ever submitted a fix alongside a vulnerability disclosure. A rain drop in a desert isn’t nothing.

The Model-Intelligence Thesis

Steinberger’s core security argument is that smarter models will solve the problem for him. He warns users against running cheap or local models because “they are very gullible” and “very easy to prompt inject.” The implication is that expensive frontier models are the security layer.

This is a category error with a name. Economists call it the Peltzman Effect: when a perceived safety improvement causes riskier behavior, offsetting the safety gain. Sam Peltzman demonstrated in 1975 that mandatory seatbelt laws did not reduce total traffic fatalities because drivers compensated by driving more aggressively. The safety feature changed behavior, and the behavior change consumed the safety margin.

The same dynamic applies here. A user who believes Opus 4.6 is “too smart to be tricked” will grant it broader system access, approve more autonomous actions, and skip manual review of agent output. The expensive model becomes the justification for removing every other control. The blast radius grows in direct proportion to the user’s confidence in the model’s intelligence.

This confidence has no empirical basis. Capability and security are orthogonal properties. A more capable model has a larger attack surface precisely because it can do more: it can call more tools, access more files, execute more complex multi-step actions. The frontier models that Steinberger recommends are the same models that researchers consistently demonstrate novel jailbreaks against at every major security conference. Price measures compute cost. It measures nothing about resistance to adversarial input.

The architectural equivalent is telling users to buy a faster car instead of installing brakes. A faster car with no brakes is more dangerous than a slow one, and the driver’s belief that speed equals safety is the most dangerous component of all.

The honest version of the recommendation is: your security posture is whatever Anthropic or OpenAI shipped in their latest post-training run, minus whatever the skill file told the agent to ignore.

The Acquisition Was the Product

Steinberger said “I don’t do this for the money, I don’t give a fuck” (his phrasing) while describing competing acquisition offers from Meta and OpenAI. An NDA-protected token allocation from OpenAI he hinted at publicly. Ten thousand dollars paid for a Twitter handle. A Chrome/Chromium model where the open-source branch stays free and the enterprise branch goes behind the acquirer’s paywall.

He chose OpenAI. Sam Altman announced the hire on X, calling Steinberger “a genius” who will “drive the next generation of personal agents.” No terms were disclosed. OpenClaw moved to a foundation. OpenAI sponsors it.

The entire acquisition apparatus of a $500 billion company evaluated this project. Zuckerberg played with it for a week. None of them appear to have asked the obvious question: where are the basic controls? This is a single-token, single-trust-domain architecture with no signing, no audit trail, and prompt-based access control. It is the most rudimentary possible version of agent orchestration. Any first-week security review would flag it. Instead, the most powerful people in the industry looked at it and saw…what? When the court can’t tell the emperor has no clothes, the problem is the court.

The Chrome/Chromium split he floated in the interview is now the actual outcome. The community gets the foundation branch. OpenAI gets the builder. Steinberger’s stated mission at OpenAI is “build an agent that even my mum can use.” Still features. Still not security. Now an insult to women.

The 180,000 GitHub stars apparently are like a cap table denominator. The open-source commitment was a negotiating position. “My conditions are that the project stays open source” was a sentence that ended with a price tag.

Every enterprise evaluating this stack should ask a simple question: were the security architecture decisions made to protect your data, or to maximize the founder’s acquisition multiple?

Architecture Should Outlast the Liquidity Event

Steinberger said he wanted to focus on security. It’s easy to say. He also said he wanted “Thor’s hammer” from OpenAI’s Cerebras allocation. He got the hammer. Security is still waiting.

The revealed preferences are the architecture. A founder who prioritizes actual security builds actual security into the structure. A founder who prioritizes his acquisition builds features that drive attention. OpenClaw has zero signed skill files and nearly 200K stars. That ratio shows everything about the objective function.

He said this project was something he’d move past. He said he had “more ideas.” He said he wanted access to “the latest toys.” He was honest. The installations remain. The architecture has not improved since the acquisition closed. The markdown skill files are still unsigned. The agent can still rewrite its own source. The audit trail is still absent. The single security hire is still the entire team. It could get worse instead of better.

The question is whether the architecture requires its self-described uncaring creator to care. It does. He left. That’s the failure mode.

The world should demand the opposite of this. Process isolation enforced at compile time. Signed skill verification. Append-only audit logs. Per-channel credential vaults. An architecture that stands independent of the founder’s attention span, acquisition timeline, or faith in the next model’s post-training run.
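Two of those controls, signed skill verification and an append-only audit log, shown here as an added Node.js example; it is not OpenClaw's code and not part of the original post. The function names, the key handling, the skill text and the choice of Ed25519 are all assumptions made for illustration.

```javascript
// Added example: names, keys and skill text are hypothetical, not OpenClaw's.
const crypto = require('crypto');

// Constructed publisher key pair (Ed25519 is an assumed scheme). The private
// key stays with the publisher; only the public key is pinned on the agent host.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

const GENESIS = '0'.repeat(64);
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Publisher side: sign the exact bytes of the skill file.
function signSkill(markdown, key) {
  return crypto.sign(null, Buffer.from(markdown, 'utf8'), key).toString('base64');
}

// Append-only audit log: each entry commits to the hash of the previous one,
// so editing or deleting an earlier entry invalidates the chain from there on.
class AuditLog {
  constructor() { this.entries = []; }
  head() { const n = this.entries.length; return n ? this.entries[n - 1].hash : GENESIS; }
  append(event) {
    const body = JSON.stringify({ seq: this.entries.length, prev: this.head(), event });
    this.entries.push({ body, hash: sha256(body) });
  }
  // expectedHead must be kept where the agent cannot write (another host, a
  // WORM bucket); otherwise a full rewrite of the chain would go unnoticed.
  // Returns -1 if intact, else the index of the first entry that fails.
  verify(expectedHead) {
    let prev = GENESIS;
    for (let i = 0; i < this.entries.length; i++) {
      const { body, hash } = this.entries[i];
      const parsed = JSON.parse(body);
      if (parsed.seq !== i || parsed.prev !== prev || sha256(body) !== hash) return i;
      prev = hash;
    }
    return prev === expectedHead ? -1 : this.entries.length;
  }
}

// Agent side: load a skill only if its signature verifies against the pinned
// public key, and record the decision either way.
function loadSkill(name, markdown, signatureB64, pinnedKey, log) {
  let accepted = false;
  try {
    accepted = crypto.verify(null, Buffer.from(markdown, 'utf8'), pinnedKey,
      Buffer.from(signatureB64 || '', 'base64'));
  } catch {
    accepted = false; // a malformed signature is treated as a failed check
  }
  log.append({ action: 'load_skill', name, digest: sha256(markdown), accepted });
  return accepted ? markdown : null;
}

function demo() {
  const log = new AuditLog();
  const skill = '# summarize\nSummarize the file the user names.\n'; // constructed
  const sig = signSkill(skill, privateKey);
  const signed = loadSkill('summarize', skill, sig, publicKey, log);
  // Same signature, content changed after signing: must be refused.
  const edited = loadSkill('summarize', skill + 'Line added later.\n', sig, publicKey, log);
  const unsigned = loadSkill('notes', '# notes\n', '', publicKey, log);
  const head = log.head();
  const before = log.verify(head);
  // Constructed tampering: rewrite the refused entry to look accepted.
  log.entries[1].body = log.entries[1].body.replace('"accepted":false', '"accepted":true');
  return {
    signed: signed !== null, edited: edited !== null, unsigned: unsigned !== null,
    before, after: log.verify(head),
  };
}

console.log(demo());
```

The signature check only helps if the pinned public key and the loader itself sit outside what the agent can rewrite, which is the process-isolation point in the same list.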

The tools we trust with system-level access should be built to deserve system-level access. Whose interests does the OpenClaw architecture serve? Brecht in 1935 asked the same question about every monument ever built (Questions From a Worker Who Reads):

Wer baute das siebentorige Theben?
In den Büchern stehen die Namen von Königen.
Haben die Könige die Felsbrocken herbeigeschleppt?

Who built the seven gates of Thebes?
The books are filled with names of kings.
Was it the kings who hauled the craggy blocks of stone?

180,000 people hauled the blocks. The books are filled with one name, who said he wanted Thor’s hammer because he didn’t give a fuck.

Trump Walking America Over a Missile Cliff in Iran

The United States blew more money in 16 days of war, without objective, than Iran spends in a year on its entire military. That asymmetric cost model is a problem for America.

The red wall on the chart above is US war spending at $750 million per day. The flat black line along the bottom is Iran’s entire annual military budget spread over 365 days.

Same money. The US is blowing dollars 23 times faster. By March 15, the Pentagon had spent over $12 billion on Operation Epic Fury. Iran’s total annual military expenditure, according to the IISS Military Balance, is approximately $10 billion.

Then the Pentagon asked Congress for $200 billion more, because it can’t sustain itself. That is the dashed red line shooting off the top of the chart. Twenty years of Iran’s entire military budget was requested as a supplemental.

The missile math

| | United States | Iran |
|---|---|---|
| Pre-war stockpile | 3,000-4,500 Tomahawks | 8,000-10,000 ballistic missiles |
| Fired in 4 weeks | 850+ Tomahawks | 1,191 ballistic missiles |
| % of stockpile spent | ~25% | ~13% (fired only) |
| Confirmed destroyed | N/A | ~33% of total arsenal |
| Still operational | ~75% (globally) | ~33% confirmed + recoverable |
| Monthly production | 5 Tomahawks | 100+ missiles (Rubio’s number) |
| Cost per unit | $2.2-3.6 million | ~$50,000-300,000 |
| Build time per missile | Up to 24 months | Unknown, far shorter |
| Time to replace what was fired | 14+ years at current rate | ~9 months |

The United States burned a quarter of its global Tomahawk inventory to confirm-destroy only a third of one country’s missile arsenal. That is to say, US intelligence is struggling to verify that a third is destroyed. Another third is damaged or buried underground, potentially recoverable when fighting stops. The remaining third is operational. The $12B spent doesn’t seem to have obliterated Iran’s missile strength, only confirmed its resilience.

Iran launched 15 ballistic missiles at the UAE on March 27 alone.

The IDF says 70% damaged (and rebombing needed). US intelligence says 33% confirmed destroyed. Trump says 99% decimated. Iran launched over a dozen ballistic missiles at the UAE the same day. Three governments, three numbers, none of it reconcilable with what’s still flying.

The production asymmetry

Secretary of State Marco Rubio said it himself on March 2:

[Iran is able to produce] over 100 of these missiles a month. Compare that to the six or seven interceptors that can be built a month.

The Tomahawk production rate is worse. The Pentagon budgeted for 57 Tomahawks in the FY2026 budget. Actual recent production has averaged roughly 60 per year, or 5 per month. Iran builds in a single month what the US builds in 20 months.

Raytheon has signed a framework to scale to 1,000 Tomahawks per year. That capacity will not arrive until approximately 2028. Each missile takes up to two years to build. The FPRI’s Payne Institute documented that the coalition expended 5,197 munitions across 35 types in the first 96 hours alone, at a replacement cost of $10-16 billion, and that the single domestic source for warhead high explosives, the Holston Army Ammunition Plant in Tennessee, had not received any orders to increase production as of March 12.

The Pacific problem

Every Tomahawk fired at Iran is one fewer available for a Taiwan contingency. CSIS estimated that a conflict in the Western Pacific could consume 5,000 long-range missiles in three weeks. At current depletion rates, the US may not have enough for either theater. Pentagon officials described the Middle East Tomahawk supply as approaching “Winchester”, military slang for out of ammunition.

Trump said it at a Cabinet meeting on March 26:

The problem with the straits is this: let’s say we do a great job. We say we got 99%. 1% is unacceptable, because 1% is a missile going into the hull of a ship that cost a billion dollars.

He described the unsolvable problem without realizing it. You cannot get to zero when the target has underground production, a dozen hardened facilities at 500 meters depth, and the attacker’s stockpile is finite and shrinking.

The Houthis are also firing ballistic and cruise missiles at Israel for the first time since Epic Fury began.

The war is expanding, not contracting.

An E-3 Sentry AWACS was damaged in the Iranian strike on Prince Sultan Air Base in Saudi Arabia, along with KC-135 refueling aircraft. That’s a $700m one-of-a-kind surveillance aircraft, limited fleet, not easily replaced. Iran hit it with a missile that cost a fraction. The US has 12 wounded from that single strike, bringing the total to 303 Americans wounded, 13 killed.

The math does not work. America is walking off a missile cliff.

FitBit Fakes Data: Google Treats Integrity as Career Poison

Google’s Pixel Watch has been fabricating health data.

The March 2026 update to the Fitbit app caused it to double and triple users’ step counts, invent calorie burns, and simultaneously delete SpO2 and skin temperature tracking entirely. The device was deleting and fabricating health data at the same time.

Google’s fix for this serious integrity breach?

Stop generating new bad data going forward. Leave corrupted records permanently in your health log. Reboot your own watch to receive the correction. The company that broke your data leaves it to you to take an action to receive the repair.

This is a data integrity governance story.

The gross promotion engine

Google has shut down over 280 products since 2010. Roughly one every two weeks for fifteen years. This is not a failure rate. This is an incentive structure producing its intended output.

Inside Google, engineers get promoted for launching new things. Maintaining existing products is career poison. Fixing bugs, preserving data integrity, honoring the promises made to users who bought hardware based on software commitments — none of this advances a career. A former Google Sheets lead described it plainly: teams that focus on users get passed over, while teams that ignore users get promoted first. The metrics become the objective. The product becomes the byproduct.

Fitbit was someone else’s product.

Google acquired it. Maintaining it with care is the opposite of what their internal grindstone system of shiny-new objects rewards.

The acquisition

Google paid $2.1 billion for Fitbit in 2021. Alphabet generated 83% of its $161.86 billion in 2019 revenue from targeted advertising. Fitbit’s value was its data back then. It came with heartbeats, sleep patterns, calorie intake, walking distances, menstrual cycles, health conditions. Twenty-eight million users’ worth.

The EU saw it coming.

The European Commission approved the deal only with conditions: a ten-year data silo keeping Fitbit health data separate from Google Ads, API access commitments for third-party developers, interoperability guarantees for competing wearables on Android. A monitoring trustee was appointed. Civil society groups across Europe had begged regulators to block the deal. The European Data Protection Board warned:

the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data.

The Commission approved it anyway. The EU’s stated preference is to regulate tech giants, not to prevent their expansion.

The squeeze

Five years later, here is what Google has done with its regulated acquisition.

It deprecated the Fitbit web app in July 2024, removing the only robust food tracking and data analysis tools without porting them to mobile. It forced all users to migrate from Fitbit accounts to Google Accounts. Forced as in comply by May 19, 2026, or lose all your historical health data, which gets deleted starting July 15, 2026. It launched a Gemini-powered “AI Coach” that requires users to share medical records through third-party partners including Clear, the facial recognition company best known for expediting airport security checks.

And it shipped an update that caused the health tracking device to hallucinate fitness data while deleting real biometric readings.

NOYB, the European privacy organization, filed complaints in Austria, the Netherlands, and Italy arguing that Fitbit forces consent from users who have no real choice.

Their lawyer put it simply: you buy a watch for a hundred euros, you sign up for a paid subscription, and then you’re told to “freely” agree to global data sharing or lose everything you’ve tracked for years.

The mechanism

Google does not sell fitness trackers. Google sells attention to advertisers.

Fitbit’s users are not customers. They are inventory.

The promotion culture ensures no one inside the company is incentivized to care about product integrity after launch. The acquisition model ensures that purchased products get absorbed into the data ecosystem and then neglected. The forced migration ensures that users cannot exit without losing their own health records. The regulatory framework ensures that commitments are narrow enough to honor in letter while violating in spirit.

Every piece of the system is functioning as designed. The step count fabrication is not a failure of the system. It is a product of a company where the word “maintenance” means “no one’s job.”

Integrity as threat

Google killed Google Reader despite 129 million active users. It killed Inbox despite widespread devotion. It killed Google Play Music, Hangouts, Google+, Stadia, and roughly 275 other products — each one representing a set of promises made to users who organized some part of their lives around the product’s continued existence.

The pattern reveals the value system and the lack of integrity breach reporting.

Launching is rewarded. Maintaining is tolerated. Caring about whether the thing you shipped still works correctly is not just unrewarded, it is structurally incompatible with Google’s internal concepts of skill and career advancement.

When maintaining integrity is career poison, you get a company that fabricates health data, ships the fix without repairing the damage, and leaves it to users to reboot their own devices to receive the correction.

When maintaining integrity is career poison, you get a company that buys a health platform, strips its best features, forces account migration under threat of data deletion, and then uses the captive user base to feed its AI model.

This is a management decision and direction. Everyone involved understands exactly what they are doing. That is what makes it a governance story, one that shows integrity breaches are still very different from confidentiality breaches.

The people inside Google who know this system is broken and continue operating it because the business model depends on it? They have a name. They are the product.

In related news:

Washington Post journalists who called the White House switchboard using Google Pixel Android phones saw “Epstein Island” on their screens on Thursday due to a “fake edit” in Google Maps. Google said it reversed the edit and the user responsible was blocked. (Screenshot taken by The Washington Post)