A couple decades ago I made a late night drinking bet about SANS with a colleague outside the security industry. Would I be able to inject myself easily to the cover of every brochure?

He owed me a beer within a month.

What did I do? I wrote a gross, obviously over-glowing, completely saccharine, review of a SANS course into a feedback form. It was something like this training was better than sliced bread. Everyone MUST do this NOW or be a FAILURE at security. Boom, my name went to the top of every brochure (back then they were paper as well as online). I contributed heavily to a SANS Linux security hardening guide by 1999 and reviewed a lot of what was coming in, so I was no stranger to a lack of filtering on inputs and outputs.

As much as I enjoyed my frothy beer of victory, in a way it backfired. My friend was disgusted. He also was disgusted when I popped root on another colleague’s laptop to prove that he shouldn’t be running portmap on insecure networks. Ah, the good old days.

It turned out to be unsettling to know SANS lacked filtering on hyped nonsense. I wanted to be wrong. And then came the recognition I didn’t expect. Soon many strangers in the industry were greeting me with “oh, I know the name Davi, you’re the guy on the cover of SANS”. Uh, oops. The difference between intelligence and literature is a known problem in security marketing.

SANS was rushing into print the parts that serve their seats and subscription alarm, and not the parts that complicated it.

Fast forward to today’s Mythos discourse.

Anthropic is feeding one very dubious premise: the asymmetry between attacker and defender is permanent. Ok, that’s nonsense. And yet, Rob Lee at SANS just told Forbes he does not see it changing for a year, maybe longer. Kara Sprague at HackerOne said the same. Gordon Goldstein’s CFR piece pulls in Lucas Nelson at Lytical Ventures (on whose advisory board Goldstein serves) to say this is the defining cybersecurity challenge of the next decade.

“It’s not like Mythos was unique, it’s just faster,” Rob Lee, chief AI officer and chief of research at SANS Institute, told me via video interview. “There’s been a concerted effort of finding zero days over the past year using all of the existing models. So what that basically means [sic] that there were thousands of zero days that have been discovered that have been queued up to patch. This basically takes it from moving at 50 miles an hour to about breaking the sound barrier in terms of speed.”

The premise is simply false. And evidence it is false has been sitting on CISA’s website since at least 2023.

And just because I like history, let me point out up front the excited Mythos briefing that names Jen Easterly as a contributing author (hi Jen!) does not cite the federal guidance issued while she ran CISA.

Defenders Only Have to Be Right Once

Grab Mythos. Point it at your own code. Do not ask which bugs it can find. Ask a completely different question.

If I rewrote this C service in Go, would the exploit chain you just produced still run. If I moved this Java handler to Rust, would the deserialization primitive survive. If I took the 27-year-old system you found a bug in and ported its network-facing code to a memory-safe language, how many of the thousands of zero days you claim to have found would remain.

It’s like when crossbows showed up to battle as a low-skill accelerant. In theory a French King could hire a bunch of Italian mercenaries and their bolt-firing machines, and wipe out highly-specialized and rare knights challenging bad monarchy. In reality, Genoese crossbowmen lost their pavises in the baggage train, fought in rain that slackened their bowstrings, were outranged by longbows, and were then ridden down by their own French cavalry for withdrawing. The theory failed under adverse conditions and the people operating the new machines were murdered by their own leader.

The answers to a defense forward approach are known.

Microsoft has reported for over a decade that roughly 70 percent of the vulnerabilities it assigns a CVE are memory safety issues. Google reports the same proportion for Chromium. Microsoft’s November 2025 Secure Future Initiative report confirms the number has not moved. The class is not a long tail. It is a spine to the exploitable vulnerability population.

In June 2025 CISA and the NSA published joint guidance calling memory-safe languages the most comprehensive mitigation against this class and describing the shift as a paradigm change from detection after the fact to prevention at the language level. CISA’s Product Security Bad Practices document pushed manufacturers to publish memory safety roadmaps by the end of 2025.

The Mythos announcement could have been THAT acceleration topic and we’d be in a whole different media circus right now. The White House Office of the National Cyber Director has been on this trajectory since the Back to the Building Blocks report.

None of this is speculative. The rapid improvement map is sitting on federal websites, waiting for someone to execute it at Mythos speed. I have given talks about this for a decade already, rooted in the lessons of automatic weapons that led into trench warfare and tanks of WWI. Faster patching is the wrong goal. Eliminating the class is the right one.

Microsoft Research has published on using LLMs to port C code to memory-safe dialects. Microsoft’s Surface line now ships Rust-based UEFI firmware. AWS runs Rust at scale. Chromium is on the memory-safety path. The Linux kernel accepts Rust contributions. The technical path exists, the guidance exists, and the tooling exists.

If Mythos is the supersonic technology that Rob Lee claims, a defender strapping it on does not just speed up the patch cycles. A defender eliminates the class.

Supersonic Inversion

The chorus frames AI-augmented discovery as a flood that attackers will ride faster than defenders can bail. This may be an entirely wrong geometry, based on people thinking about horseshoes in the era of bicycles.

An attacker has to find one real bug in one real service and exploit it before the defender detects or patches. A defender armed with the same capability is not obligated to play that game. And the industrialized profit model of Mythos makes it entirely vulnerable to a simple economic exploit well known to drone warfare logistics.

The defender can generate ten thousand plausible endpoints where one real service sits. Each endpoint responds like a real system. File structure plausible, command history coherent, protocol behavior consistent under inspection. Microsoft Defender XDR already auto-generates decoys from environment naming conventions. Tracebit ships LLM-generated canaries. Research published in late 2025 documents generative AI deception operating at machine pace, with attacker dwell time and intelligence yield well above traditional honeypots.

Now run the incredibly over-priced Mythos’s supposed capability against that attack surface. The attacker’s AI agent cannot tell which of ten thousand endpoints is the real service. Every exploit burned on a decoy is intelligence for the defender and a cost to the attacker. Zero days are expensive. Spending them on chaff is fatal when your model costs a lot of Jacksons per million tokens instead of a dime.

AI Sweden’s research frame is the sharpest: cybersecurity is fundamentally a problem of asymmetry, and deception’s purpose is to make attacker effort prohibitively expensive by forcing adversaries to burn zero days in controlled environments. At Mythos speed, the defender generates chaff so much faster than the attacker can possibly triage any real targets.

The obvious asymmetry game inverts, and yet I’ve seen exactly nobody talking about this.

Drunk Chorus is Off Key

The SANS 30-page briefing’s Priority Action 1 is to point agents at your code. That headline is what SANS has been promoting. The briefing itself is more honest than the promotion. Priority Action 8 includes a paragraph on AI-assisted software minimization and replacing third-party libraries with framework primitives. Priority Action 9 is titled “Build a Deception Capability” and runs three sentences on canaries and honey tokens. Both exist in the document. Neither appears in Rob Lee’s Substack summary, which names Priority Actions 1, 6, and 11 by number and skips 8 and 9 entirely. The sections most aligned with the defender path are in the briefing. They are not in the marketing.

I found a complete absence of memory-safe languages. Zero mentions across 30 pages. No Rust. No Go. No memory-safe. No memory safety. No Back to the Building Blocks. No ONCD. No reference to the CISA and NSA joint guidance that has named memory-safe languages the most comprehensive mitigation since 2023. Jen Easterly gave us federal guidance while she ran CISA, yet it is not cited in the briefing with her name on it that claims to respond to the moment that guidance was built for.

The omission is annoying particularly because of the industry economics.

SANS sells training against persistent threats. HackerOne sells bug-bounty infrastructure that requires bugs to continue existing. Palo Alto Networks sells defensive AI priced against a permanently adversarial environment. CFR sells policy access predicated on the crisis remaining unresolved. Anthropic sells a consortium seat. VulnOps, Priority Action 11 in the SANS briefing, is a permanent staffed operational function designed to run continuously.

None, not a single one, of these products monetize in a world where the attack surface has been architecturally eliminated, or where deception has made offensive AI economically unviable. The defender path threatens the business model. The chorus defaults to the answer that preserves its revenue.

Where the briefing does cover deception, it covers it as a 2015 technique. Canaries and honey tokens. Static lures. What the briefing leaves out is the inversion Mythos-class AI unlocks for defenders: LLM-generated endpoints at machine pace, plausible under inspection, forcing the attacker to burn zero days on chaff. Tracebit ships this. Microsoft Defender XDR ships this. Late-2025 research documents the dwell-time and intelligence yield. The briefing treats deception like telling people it’s still 2006, completely missing a 2026 Mythos-enabled version.

CISA’s memory safety push, the NSA’s guidance, and the ONCD’s Back to the Building Blocks report all point at the same answer. The exploitable surface can be reduced by a majority through language choice. Refactoring cost collapses when AI does the port. The surviving surface can be drowned in chaff. The combination, at AI speed, collapses the attacker advantage the chorus is marketing as permanent. Five years of federal guidance. Zero mentions in the briefing that claims to respond to the moment the guidance anticipates.

I can’t stop shaking my fist at my screen.

Integrity Test Elephant in the Room

A security expert worth the title, handed a Mythos-class capability, would publish the first systematic refactoring of memory-unsafe components at scale, with before-and-after exploitability measurements. The work would support CISA’s 2025 roadmap deadline and demonstrate the defender path concretely. It would ship in a GitHub repository, not a press release.

A security expert selling a subscription to the alarm would avoid publishing anything that makes the alarm shorter.

The defender path exists. The guidance exists. The tools exist. The question is which experts are running the defender path and which ones are running the press tour to a “Mythos” world of FUD.

As the old protest song goes, congressional-industrial-military-complex, what is it good for…

OX Security published a report today that lands directly in the growing storm about Anthropic’s risk management practices. To put it bluntly, a systemic vulnerability sits at the core of Anthropic’s Model Context Protocol (MCP).

The finding is simple. MCP’s STDIO transport accepts arbitrary command strings and passes them directly to subprocess execution.

Yup.

No validation.
No sanitization.
No sandboxing.

It gets worse. The command runs even when the MCP server fails to start. The process executes first, then the MCP handshake tries to validate it as a legitimate server, then the handshake fails, then the error gets caught. But the payload already ran. Execute first, validate second. Fire, ready, aim fails any threat model.

Every developer who builds on Anthropic’s MCP inherits the exposure because it is found across all ten official MCP language SDKs: Python, TypeScript, Java, Kotlin, C#, Go, Ruby, Swift, PHP, and Rust.

OX POC Numbers

The OX Research team report shows they executed commands on six production platforms of paying customers. They took over thousands of public servers spanning more than 200 popular open-source GitHub projects. They uploaded a proof-of-concept malicious MCP server to 9 of 11 major MCP marketplaces.

Not a single marketplace caught it.

The case studies are where it gets really interesting.

• LangFlow: 915 publicly accessible instances on Shodan, unauthenticated session tokens, full server takeover and data exfiltration without ever logging in.
• Letta AI: authenticated users could substitute a valid STDIO payload via man-in-the-middle, achieving arbitrary command execution on production servers.
• Windsurf: prompt injection to local RCE with zero clicks, assigned CVE-2026-30615.
• Flowise: the most important case. Flowise actually did what Anthropic says developers should do. They implemented input filtering. Specific commands only. Special characters stripped. And then? OX bypassed it in a single step using npx’s -c flag. When the architecture permits arbitrary subprocess execution, application-layer filtering is a wet paper bag. The “developer responsibility” defense just lost a whole lot of trust.

The obvious objection to LangFlow is that 915 instances of a tool designed for local deployment ended up on the public internet, and that’s a configuration failure not a protocol failure. Ok, fine. That is why the Flowise case is up there too. Flowise did the right thing. They implemented filtering in the intended local context. It didn’t work. The design flaw defeated the shift of responsibility.

We can apply this generally to the world of MCP and think in big, big terms. Anthropic’s MCP Python SDK alone accounts for 73 million downloads. The third-party projects that depend on it push the aggregate higher: 57 million for LiteLLM, 22 million for FastMCP. Over 32,000 dependent repositories. Not all of those are Anthropic’s code, but all of them inherit Anthropic’s architectural decision.

OX confirmed 7,374 public servers vulnerable on Shodan, of more than 200,000 estimated exposed. That’s a meaningful number for a company gathering headlines about a $100 million vulnpocalypse in OTHER people’s software.

Anthropic Response

OX contacted Anthropic on January 7, 2026 and got this statement:

This is an explicit part of how stdio MCP servers work and we believe that this design does represent a secure default.

LangChain’s response:

It is the responsibility of the application author to validate and sanitize inputs from untrusted sources.

FastMCP’s response:

We don’t consider this a vulnerability. stdio transport spawns a subprocess by design, per the MCP specification.

Google’s Gemini-CLI:

Known issue, no CVE, no fix planned near-term.

Cursor:

By design. User must click accept on mcp.json edit.

Clearly, when five independent organizations float the same answer, threat modeling is not experiencing deep or diverse thought. I’m having flashbacks to the old Telnet is everywhere days. Apparently MCP comes with an industry-wide expectation for architectural insecurity to float away onto someone else.

At least we can see that, after OX’s initial report, Anthropic quietly updated its SECURITY.md to recommend that MCP adapters and specifically STDIO ones “should be used with caution.”

A documentation change. Not a code change. The vulnerability is there for you to step on like a land mine under a treadmill. The responsibility is not where it should be. The question is why.

Contrast to Glasswing

Anthropic just launched Project Glasswing, a $100 million cybersecurity initiative using its unreleased Mythos model to find zero-day vulnerabilities in everyone else’s software. AWS, Apple, Google, Microsoft, and CrowdStrike are officially participating and promoting their participation.

Anthropic is positioning itself as the entity that will secure the software ecosystem. Why would you trust a company to find vulnerabilities in your code when it classifies arbitrary command execution in its own protocol as expected behavior?

The conflict is not that Glasswing exists while MCP is insecure. The conflict is that Glasswing’s value proposition requires exactly the kind of belt-and-suspenders “secure by default” thinking that Anthropic refuses to apply at all with MCP. Can they really sell everyone on the standard they refuse to meet?

OX proposed four specific fixes that would have propagated protection instantly to every downstream library and project:

1. Manifest-only execution to replace arbitrary command strings
2. Command allowlisting to block high-risk binaries by default
3. A mandatory dangerous-mode opt-in flag for any STDIO configuration using dynamic arguments
4. Marketplace verification standards requiring security manifests signed by verified developer identity

Anthropic declined all four. The company is spending $100 million to find other people’s decades-old bugs with Mythos. Fixing the architectural flaw in its own protocol from 2024 apparently does not qualify.

OX calls Anthropic’s approach “Fault-Diversion”: pushing the burden of complex security sanitization onto downstream developers. Their framing is generous. This ain’t my first rodeo, so I recognize this pattern. A company understands the problem. Has the resources to fix it. Receives concrete proposed solutions. Declines all of them. Updates a document. Then shifts responsibility to implementers. Which obscures who created it.

Lay My Body to Rest On the Hill of Secure by Default

The proposed remediation list from OX reads like a requirements document for Wirken, the secure agent gateway I built to address exactly this class of problem. CISOs often know “this is not how things should be done”, but they lack a pivot. They really need help pointing at something that proves it can be done differently.

Attack Surface	MCP default	MCP behind Wirken
Command execution	Arbitrary strings passed to subprocess, no filtering	Docker/gVisor/Wasm sandbox, graduated permissions, shell exec requires approval, approvals expire after 30 days by default
Audit trail	None	Append-only hash-chained log, SHA-256 tamper detection, SIEM forwarding to Datadog/Splunk/webhook in real time
Identity verification	No identity or signing in the STDIO transport specification	Each channel runs as isolated process with its own Ed25519 identity over Unix domain sockets via Cap’n Proto
Credential storage	Exposed (primary exfiltration target in OX findings)	Encrypted at rest with XChaCha20-Poly1305, keyed from OS keychain

Secure-by-default agent execution is NOT aspirational. It should be the baseline. That’s why I open-sourced it so anyone can pull and play with it. When a CISO asks “what ships today” for MCP security, it’s right there. Single static binary. The architectural choices OX is asking Anthropic to make are choices that already have been made available via Wirken.

Credit to OX for doing the work and setting the record straight. Their full report is available here: The Mother of All AI Supply Chains.

Anthropic did the opposite of every established norm in vulnerability disclosure, and I am curious why. Or to be fair, someone commented on my earlier post that they aren’t sure “cartel” is a fair term here.

Ok, challenge accepted.

A company that genuinely believed it had discovered an unprecedented offensive capability would do what every serious security organization has done since CERT/CC was founded in 1988: coordinate disclosure quietly, patch the affected systems, publish the technical details after remediation, and let the work speak for itself.

In the aftermath of the Morris Worm attack, the Defense Advanced Research Projects Agency (DARPA) asked the SEI to establish an incident response capability. In 1988 Pethia founded the CERT Coordination Center (CERT/CC) as the first computer emergency response team.

That’s right, 1988. We aren’t new to this. And even the newest and shiniest researchers usually get it. Project Zero does this. Talos does this. ZDI does this. They don’t hold press conferences before patches ship, because they understand the economics, if not the history. They don’t create named consortiums with Fortune 100 logos to gate-keep safety because that’s been known as hoarding. They don’t radically inflate the discovery tool price 5x the prior product, and then discount it $100M in credits to nudge people to use it, because that’s known as manipulation.

What does a normal discovery look like? Let’s say Google’s Project Zero finds a critical vulnerability. They file it with the vendor, start a 90-day clock (incidentally a very short window that was pushed as a standard by Google), publish the technical writeup after the patch ships, and move on. The writeup includes reproduction steps, version numbers, CVSS scores, and enough detail for independent verification. A consortium adds nothing. They don’t withhold discovery tools. They don’t issue press releases about how their own researchers are too dangerous to let out of their cages. The work is the product. The reputation follows the work. I recently gave Google a good rubbing for issues with their attacks on Microsoft NTLM, if you want to see an example of the normative dynamic. Google turned threat knobs up to 11, while saying damage is the defenders’ problem.

The clever mind will notice Google is a Glasswing partner, and Google’s own CISO Heather Adkins is a contributing author on the CSA “not just one model, one vendor, one announcement… Mythos-ready” paper. Ok, point taken. But that does not validate the consortium. Look at Google’s actual Glasswing quote:

It’s always been critical that the industry work together on emerging security issues.

That is a politically neutral statement about showing up to work anywhere with anyone, not a statement about Mythos finding anything in Google’s products. Google joining Glasswing is Google taking a zero-risk seat on the possibility that Anthropic’s claims are real. It is a rational move for any company to take a free seat at a table where vulnerability information will be shared. It is not an endorsement of any evidence, which Google’s own Project Zero standards would reject on the first page of the Anthropic card.

There are so many examples of what normal discovery does that it raises the obvious question of why Anthropic enters the ring only to start punching themselves in the head. When DARPA AIxCC found 54 vulnerabilities in four hours at DEF CON, it was a competition with public rules, public participants, public results, and no commercial product attached. When AISLE found 12 OpenSSL zero-days, they published the methodology and the results. When Carlini’s own February paper documented 500+ vulnerabilities with Opus 4.6, it followed a recognizable research disclosure pattern.

Mythos breaks every one of those norms, as if someone in the marketing department grabbed the reins and said the world is about to change for… marketing department KPIs.

The capability is withheld. The evidence is self-evaluated. The technical document refuses to quantify the headline claim. The disclosure regime is controlled by the vendor. The consortium is funded by the vendor. The partners validate the vendor’s product as a condition of access.

Seasoned practitioners DO NOT do this.

Decades of vulnerability management, thousands of experts, have taught the industry several things that Anthropic’s Mythos launch ignores or contradicts:

1. Volume is not severity. OSS-Fuzz finds thousands of bugs per quarter. The industry absorbs them through triage, prioritization, and patching. “Thousands of vulnerabilities” is not a crisis. It is a Tuesday. A first-year researcher panics at the number. A seasoned CISO asks: what’s the CVSS distribution, what’s the exploitability, what’s the exposure, what’s the patch velocity? The system card answers none of those questions, while flooding the reader with over 200 pages of unnecessary filler and nonsense.
2. Discovery is the easy part. The constraint on vulnerability management has been remediation for over a decade. Finding bugs faster without fixing them faster grows the backlog already growing beyond capacity. Anthropic’s own stated justification for Glasswing is defensive uplift, yet their system card measures zero remediation metrics. No patching velocity delta. No mean-time-to-remediation. No partner-reported CVE closure rate. A seasoned security leader would never build a defensive program and then measure offensive capability only, making remediation a second-class story. That is the kind of dog and pony show that any good security initiative would slam the door on. Or it’s like a surgeon telling you they have an even sharper scalpel to cut you deeper and faster. Yeah, so then what?
3. Severity is not leverage. Responsible disclosure exists precisely to prevent the weaponization of vulnerability knowledge for commercial or political advantage. The entire ethical framework of the security community is built around the principle that knowledge of vulnerabilities is meant for remediation, not a matter of market positioning. McAfee predicted five million Michelangelo infections in 1992, got a few thousand, never retracted, and rode the panic to a decade of market dominance. Symantec ran the same playbook for years: inflate the threat, sell the cure. The industry is still recovering from the blocklist monoculture those companies built on manufactured fear. When a vendor withholds a capability from the market, grants selective access to the largest incumbents, and funds participation through its own credits, the vulnerability knowledge is being used as leverage. That is the opposite of responsible disclosure. It is cynicism and protection racketeering that undermine decades of trust building by well-intentioned hackers.
4. Fear is evidence of something other than security engineering. The “too dangerous to release” framing is doing commercial work, not security work. It justifies inflationary pricing with the same ethics as surge pricing taxis during a terror attack. It should not be used to justify a consortium structure. It should not justify withholding a model from the market. It should not justify a $100M credit pool that creates a vendor-funded validation loop. Every element of Anthropic’s commercial structure depends on fear being their blunt tool. If the capability is in fact already a commodity, as AISLE has quickly demonstrated, the fear-based pricing collapses, the consortium has no reason to exist, and the withholding is just a market corruption.

The burden of proof is on Anthropic now to show more evidence, or it’s a manufactured crisis pattern. Step back and look at their sequence first as a product launch and then ask if there is any security event:

1. Build a model.
2. Test it against targets with mitigations removed.
3. Get a headline number (72.4%) that collapses under scrutiny (4.4%).
4. Put the headline number in the blog and the collapse in a footnote on page 52.
5. Claim “thousands” in the press materials and refuse to quantify in the technical document.
6. Attribute a prior model’s finding to the new model.
7. Price the new model at 5x.
8. Create a consortium of the largest companies in tech.
9. Fund their participation with credits for the new model.
10. Frame the whole thing as too dangerous for the public.
11. Let the press, the government, and the institutional ecosystem, roped in and invested in the price jump, do the rest.

That is not how a company responds to a genuine security discovery. That is how a company manufactures urgency to launch a premium product into a market that didn’t know it needed one. The crisis is the marketing. The consortium is the channel. The fear is the pricing justification.

A first-year vulnerability researcher inflates severity because they don’t know better. It is the job of the expert to help them gain the intelligence necessary to become wise.

Anthropic inflated severity without any apparent reason other than their business model depends on it. That seems worse than just being new or bad at security, because they do know better.

Their own system card proves they had staff who knew that the 72.4% collapses to 4.4%. They published both numbers. They pushed the wrong one into the headlines, into the velvet rope promotional events, and the real one got dropped along the way somehow.

I’m not a lawyer, but cartel is easily the word that comes to mind for me.

Glasswing is sharing more than technical threat information. The partners get early access to a commercial capability withheld from competitors outside the consortium. A company on the Glasswing list gets to scan its own products and its competitors’ products before the rest of the market can. Apple, Google, Microsoft, and Amazon are on the same list. They compete in operating systems, cloud, browsers, and AI. Knowing which of your competitors’ products has unpatched vulnerabilities, before anyone else does, is textbook competitively sensitive information. Strike one.

As much as I’m a huge information sharing guy, I recognize that information exchange alone, even through an intermediary, can constitute concerted action under Section 1 of the Sherman Act. The DOJ argued exactly this in their 2024 Statement of Interest in the Pork Antitrust litigation: exchanges facilitated by intermediaries can have the same anticompetitive effect as direct exchanges among competitors. Anthropic is the intermediary. The partners are competitors. Strike two.

The $100 million in credits creates a financial relationship between the intermediary and the participants that goes beyond information sharing. Anthropic is subsidizing competitors’ use of its product in exchange for validation and participation in a disclosure regime that only Anthropic controls. That is a vendor-mediated exchange where the vendor has commercial interests in the outcome. Strike three.

Yer’outta here.

Selective access to a withheld capability, vendor-funded participation, incumbents shaping disclosure timelines on their own products, and a partner list drawn entirely from the largest companies in the affected industry. That is coordinated market control. The word cartel is for exactly this. The fact that Anthropic framed it as safety does not change the meaning of the word cartel, it reveals why they think they found a loophole.

The policy that EFF just advocated on their blog and the business outcome the NETGEAR CEO just announced are the same policy and the same outcome. And that’s a very bad thing. The consumer is the justification in both cases and the beneficiary in neither.

Whether their combined failure is coordination or convergent interest doesn’t matter. Both organizations take an externally imposed condition and narrate it as evidence of their own virtue.

• NETGEAR can’t sell new routers without a government waiver? Then the waiver becomes proof they’re trustworthy.
• EFF can’t generate traffic on X? Then they leave claiming it as proof they have standards.

These are identical and disappointing because they convert an unjustified constraint into a credential.

EFF’s position on router bans protects the same move NETGEAR is making to falsely credential itself. EFF argues for product-by-product evaluation instead of a geographic ban. NETGEAR is the poster child for that argument: a US-headquartered company manufacturing abroad that would sail through a Cyber Trust Mark certification while being caught in a geographic ban. EFF’s “better policy” argument backs up the literal corrupted regulatory environment where the NETGEAR letter from their CEO makes sense.

To our Valued Customers:

We’re pleased to share that NETGEAR is the first retail consumer router company to receive conditional approval from the Federal Communications Commission (FCC) as a trusted consumer router company. We hope this recognition gives you added peace of mind — knowing that the network powering your home meets rigorous standards.

First of all, my name isn’t “our Valued Customers”. Did someone in China write this?

Second, “conditional approval” is a waiver from a blanket ban, not recognition or endorsement. It says “we licked boot” or “we kissed ring” and basically nothing more. The “transparency” process requires full management structure disclosures, supply chain disclosures, and a plan for onshoring manufacturing. None of that is real security. It’s basically a hostile roadmap for the Trump family to exert control over private companies. There’s no mention from NETGEAR how they navigated Andrew Jackson levels of federal corruption, and nothing has been proven about consumer safety let alone a security certification.

Third, at the risk of repeating myself, “rigorous standards”? What? I see none.

The traditional EFF position on this would frame Trump’s blanket ban on foreign hardware as overreach, full stop. Instead, their response has been to swallow expanded government authority and loss of liberty. Because why? Are they worried about certain forms of hardware or software being among the good stuff, justifying tailored controls? What proof of any gain in security do they need to prevent overreach?

Let me put it like this. The EFF says we can’t narrowly tailor speech to block Nazis. We have to let even the most heinous and deadly intent for genocide flow on networks. They take a reverse granular approach to find and support Nazis at risk of being held accountable, setting them free to do more harm. However, Cyber Trust Mark is suddenly their granular, case-by-case government evaluation standard we should get behind for devices that control speech? Why not apply that logic to content on them? The Cyber Trust Mark literally could judge whether the router is capable of filtering Nazi speech.

The Cyber Trust Mark evaluates a product’s security properties on a case-by-case basis. Content moderation evaluates speech properties on a case-by-case basis. How different are they?

Hello, is this thing on? Can you hear me?

Is your router blocking me? I joke but UK Virgin routers literally block this blog by default as unsafe content because… I talk about Nazis being bad. That’s true.

EFF champions and rejects the same thing without a logic to sustain the contradiction. The router that passes Cyber Trust Mark certification could enforce the content standards EFF says nobody should enforce. The hardware and the speech run through the same device, and EFF has now argued for granular government authority over the device while arguing against granular authority over what flows through it.