FreeFable Says the Mythos Monster They Sold You Is a Mouse

We all know the story by now. Last Friday on 12 June the Commerce Department issued an export control directive on Anthropic’s Fable 5 and Mythos 5, citing national security, and both models were pulled from every customer the same evening.

Two days later a lobby group at freefable.org asked the government to lift it. Their letter argues that these models are nothing special. That’s essentially what I’ve been saying on this blog since the start, so you’d think I’d be excited to see the lobbyists bring the industry to where I’ve always been.

The problem is, nine weeks earlier I saw many of the same people argue the exact opposite, in writing, at length, and for money.

That’s not right.

Who You Gonna’ Call?

In April the Cloud Security Alliance published The AI Vulnerability Storm: Building a Mythos-ready Security Program, led by Knostic CEO Gadi Evron with Rich Mogull of CSA and Rob T. Lee of SANS. It warned security leaders their ground had moved suddenly and they needed to panic. It named an entire era after one single Anthropic model. It sold readiness, in person, with events booked through June.

In June the Free Fable letter told Secretary Lutnick the same capability is nothing more than commodity, replicable on GPT-5.5, Opus, Sonnet, and Kimi 2.7. Basically anything. And that the research that triggered this new ban was defensive all along.

Four Horsemen of AI-pocalypse

Looking at the list, I see four people signed both. Gadi Evron, who led the April paper. Rich Mogull, who co-wrote it. Katie Moussouris and Joshua Saxe, who contributed to it. Two documents, two months, two opposite arguments, same four names on each.

Table Time

| | April: AI Vulnerability Storm! | June: Free Fable |
|---|---|---|
| The capability | “AI-driven offense is the new baseline.” Attackers gain the asymmetric benefit. | Defensive code review that “should not be considered an offensive capability.” |
| Its size | A step change. An era named after the model. | Not uniquely good. Replicable on GPT-5.5, Sonnet, and Kimi 2.7. |
| The clock | Discovery to weaponization collapsed to hours. Defenders cannot keep pace. | The model lets defenders find and fix flaws faster than adversaries. |
| The stakes | Re-architect now. Glasswing disclosures are the first of many waves. | Removing the model carries no real risk worth the action. |
| Proliferation | Broad availability of machine-speed discovery is the storm itself. | Adversaries are advancing, so defenders must keep ours in hand. |
| The safeguards | A capability potent enough to require an invite-only, managed rollout. | Safeguards so aggressive they were a joke in the community on launch day. |

What Is Our Industry Doing?

Nothing about the capability changed between April and June. The model is the same model. The code-review behavior the letter now calls defensive is the same behavior the April paper filed under “AI-driven offense is the new baseline”. Being accurate should be the goal, not picking a side based on payoff. In April the threat was called large and in charge, because that sells a Mythos-ready program, sells SANS seats, sells the consulting that follows a board briefing.

Evron sells a posture product. He needs a monster to sell monster services.

In June the threat was completely drained, because a small threat defeats an export control that pulls the model out of vendors’ hands and freezes a market.

From large to small, depending on whatever helps sell, sell, sell.

Somebody Isn’t There

Notably, I was disappointed to see people sign on in April. I have since had CISOs admit in person that they were heavily pressured, and felt they had to sign the campaign, or even attend a conference. Vendors herding CISOs into a purchasing barrel is as bad as it sounds.

Look also at Jen Easterly, former director of CISA. Rob Joyce, former cyber chief at NSA. Chris Inglis, former National Cyber Director. Bruce Schneier. Rob T. Lee of SANS. All of them lent the April paper its gravity. I mention it because none of them, so far, have put their name to the June lobby letter. Signing it contradicts their April selves. So perhaps it’s notable that reputational capital still seems anchored to the initial FUD. I see only commercial capital personalities flipped and signed the new letter.

I know some will say that the April paper hedged, that it wasn’t really about one model and that the capability predated Mythos. True, but misleading. The paper mentioned one vendor and one vendor only repeatedly, page after page. So the advice to “prepare for a real and spreading capability” is defensible, except “do not export-control one vendor of it” goes back to the same sole vendor that the April report hammered on too.

And while such hedging and liability vagueness could cover a general threat of AI, it does not cover the very obvious recategorization going on. In April the capability was offense, the new baseline of attack. In June it was a defensive code check that should not count as offensive. The same people flipped 180 on capability claims, based on what? Export control?

I have written that the ban itself is incoherent, an export control on a Tier 1 interaction over a capability Anthropic files under Tier 2. Now, I’m writing that the letter answering it is incoherent as a reflection.

The lobby letter is proof the April campaign was wrong, but it doesn’t land as a mea culpa among those running both. If the letter is to be believed, its signatories can’t be. Two incoherences are being pointed at each other, as if the public would want a coin-operated flip-flop laundry to lead America’s security industry.

This Day in 1381: Biometric Age Verification Leads to Beheadings

In the spring of 1381 the English crown levied a poll tax on everyone aged fifteen and over. To verify age the collectors were said to need to inspect bodies directly. The story goes, perhaps exaggerated, perhaps a metaphor to expose state-sanctioned rape, that there would be official measuring of pubic hair, meaning the cost of dignity was about to land hardest on poor young girls.

If you’re already thinking wow this sounds like modern age-gating, ID checks, facial-age estimation, using the body as the verification surface, you’re on the right path. The people in the position least able to refuse were being targeted with the most invasive and permanent “classifier” system, hundreds of years ago.

As collection began to roll out in early 1381, it became so dangerous, due to protests, that collectors refused to work in London, and on the 30th of May two of them were assaulted in Essex.

Two weeks later, on this day, the 14th of June, it really blew up. Before the crown could muster a coherent response, tens of thousands had marched on London. The 14-year-old Richard II rode out to meet them on open ground at Mile End, where he conceded a charter abolishing serfdom and granted a blanket pardon. Around thirty clerks were put to work writing sealed manumissions for every manor and shire, and the king’s own banner was sent to each county as warranty of his word. He sent most of them home believing him. It was a trick. He rode to Waltham, declared the charters all null and void because they had been extracted from him under duress, and told the peasants on June 22 “rustics you were, and rustics you are still.” His word was worthless, and he kept none of it, instead escalating and hanging some 1,500 people.

You wretches, detestable on land and sea; you who seek equality with lords are unworthy to live. Give this message to your colleagues: rustics you were and rustics you are still: you will remain in bondage, not as before but incomparably harsher. For as long as we live we will strive to suppress you, and your misery will be an example in the eyes of posterity. However, we will spare your lives if you remain faithful and loyal. Choose now which course you want to follow.

With that kind of state treachery in mind, I have to point out a notable difference from protests in England back then versus today. There is no single neck carrying the decision today for pushing biometric age verifications on children, unlike Sudbury, Hales, and Legge, upon whom the crowd focused their rage. Sudbury was Archbishop of Canterbury and Chancellor of England; Hales was Treasurer, Grand Prior of the Knights Hospitaller, a crusader. Legge ran the commission that reassessed the tax. The public removed them all from the Tower and beheaded them on Tower Hill, to parade their heads through the streets on poles.

So now you know how things turned out for England’s council of a 14-year-old King that tried in 1381 to enact biometric verification of other teenagers.

Why We Need a Separation of AI Church and State

Margaret Hu has been making this argument for years, before I caught up to it. She is a professor of law at William and Mary, directs the Digital Democracy Lab, and has testified before Congress on AI regulation.

She just mentioned the separation of AI Church and State has been a rising topic for several years, most recently on the Federal Newswire podcast.

She pointed out separation of Church and State rhymes with separation of AI and State. The Church minted the coin and then charged for salvation. The labs mint the token and charge for salvation. Same institutional makeup, eight centuries apart. That got me thinking:

| | Church Coin | AI Token |
|---|---|---|
| The instrument | Placed on the altar | Submitted via API |
| Who mints | Empire grants it, commune holds it, the Church absorbs it and the ius monetae migrating across one disc of metal | The lab holds it, ungoverned |
| Booked twice | The offering in the box, plus a credit struck against purgatory | Compute revenue, plus a mark-to-market gain on the same dollar |
| The salvation sold | Time taken off the afterlife | AGI, alignment, civilization rescued, cure disease, reduce labor, blah blah blah |
| The half you can audit | 70,000 coins found beneath Scandinavian church floors | Amazon’s 16.8 billion dollar mark, booked in the open |
| The half you cannot | The grace. Never recoverable | The capability claim. Never independently proven |
| The trinity | Mints the coin, sells the salvation, writes the law of usury | Mints the token, sells the salvation, writes the safety framework |

Where This Ends is Ugly

An institution that mints the money, sells the salvation, and writes the morality of money holds all three levers with no independence or separation. Nothing inside would work to pry them apart. The medieval version did not reform by memo. It was Luther who nailed the indulgence (the AI double-booking of his day) to a door in 1517. Then a brutal correction unfolded over the next hundred and thirty years. Princes seized the mints and the monastery lands. The wars of religion ran into the Thirty Years War, which emptied as much as a third of the German lands in the worst regions.

The act of “disestablishment” (prying mint and salvation away from the sword) was Westphalia in 1648.

The AI labs clearly are bringing back the trinity and infusing it into the state: we just saw an export ban on who may run a model, we just saw empty warehouses permitted as datacenters and ruled as critical infrastructure, with the national-security frame doing all the consecrating. They may as well say national holiness. Elon Musk may as well be called the holy emperor of SpaceX, presiding over what looks like the biggest fraud in history. The records are blunt about the very high price of undoing the Church coin collapse. Elon Musk isn’t going to disestablish himself any sooner than he will admit he isn’t going to achieve driverless by 2017 or land on Mars by 2018.

Someone has to seize the AI tokens before more people die from AI. Or, to put it how it was said a very long time ago:

Doch schweig ich noch von dem, was ärger als der Tod,
Was grimmer denn die Pest und Glut und Hungersnot:
Daß auch der Seelen Schatz so vielen abgezwungen.

Andreas Gryphius wrote that in 1636, mid-war, which reads: “and yet I stay silent on what is worse than death, grimmer than plague and fire and famine: that the treasure of the soul was wrested from so many.”

The AI token is today’s Seelenschatz: sold as salvation, never proven, never refunded. The medieval fix wasn’t a stronger emperor. That kind of escalation always fails. It was prying the mint, the salvation, and the sword into separate hands and holding the line. Separate the AI Church from the State before the unauditable claim bills us in death again.

Amazon Told the White House to Kill Anthropic Fable Model Running on AWS

The official account of the Fable takedown is bizarre. Anthropic says it got a 1:30 p.m. call giving it 90 minutes to take the models down, no details on the threat. They added that there was never any begging or asking to work together, just a deadline.

You don’t have to take Anthropic’s word for it. Axios, reporting the episode separately, landed on the same 1:30 call, the same 90 minutes, the same blank where the threat details should be. Two newsrooms confirmed Anthropic’s timeline.

And then? The government’s own story popped up, as an outlier. A senior White House official told Politico the export controls were “a last resort after begging them for hours to work with us.” When the neutral account backs your opponent and not you, “we begged them for hours” reads like something spun up after the fact as propaganda to dress up a decision that already had been made.

The decision rested on a report almost nobody was allowed to read.

The henchmen who pulled the trigger (Bessent, Cairncross, Sacks) spoke gravely about the danger, yet not one of them apparently read the thing they were rambling about. The administration says Amazon’s findings went past the NSA and that it had “proof,” which it has declined to describe.

How Kafkaesque.

The one outside expert who actually read the report, my good friend Katie Moussouris, says the response was wildly out of proportion to its contents, and that Amazon’s researchers found the flaw by asking the ordinary questions a defender asks, which is the entire job the model was built to do.

Yeah, this story is more and more bizarre. So a product used by hundreds of millions of people was yanked off the global market in an evening, on the strength of a document the deciders hadn’t read, written by Anthropic’s largest investor, at the government’s own request, and the only person who read it and spoke publicly says it justified none of it.

America makes no sense right now.

So let’s take the new rule at its word. Software, when asked the questions an attacker might ask, is a national security threat if it returns something an attacker could use. In the interest of saving America, the following should also have been shut down by Friday night.

| Product | The actual national security risk | Status |
|---|---|---|
| Anthropic Fable / Mythos | A non-universal jailbreak the one outside reader called minor. Crime: answered the questions defenders are supposed to ask. | Pulled worldwide in one evening |
| Atlassian Confluence | CVE-2022-26134 and CVE-2021-26084: unauthenticated remote code execution, mass-exploited as zero-days, both on CISA’s must-patch list. An actual hard case of failure. | Still shipping. No letter. |
| Atlassian Bitbucket | CVE-2022-36804: command-injection RCE, added to CISA’s known-exploited catalog after crews walked through it in the wild. | Still shipping. No deadline. |
| Atlassian Jira | Template injection and access-control flaws used in real intrusions against real organizations. | Still shipping. No NSA review. |
| Microsoft Teams | A default-trust attack surface pre-installed inside every enterprise in the country, with documented token-theft and phishing pathways. | Still shipping. Pre-installed, in fact. |
| Oracle NetSuite | Default configurations that have exposed customer records at scale. | Still shipping. |
| Salesforce | The 2024–25 social-engineering campaigns that walked data out of live production orgs by the gigabyte. | Still shipping. As a way of life. |

Notice that column on the right. Every product below Fable on that list has been the actual vector in actual breaches, not some hypothetical. All of them. Fable was sold to help defenders and got recalled for it, despite it not even being usable. The software that poses actual danger just keeps shipping without any Treasury letter, without the Trump-telltale high pressure UFC 90-minute clock.

If national security mattered, the list goes first and the defensive model is basically ignored. The order was exactly reversed with all the eyes on Anthropic. So the standard isn’t the standard because … it’s a lie.

This seems like an abuse thing, and that’s all. There’s nothing more to it. The one company that got pulled into an angry rant about safety is also the one already being bullied about its stance on American citizen rights against surveillance and autonomous weapons. The White House was apparently just waiting for a reason to be more abusive of Anthropic. The report is an empty excuse for Trump to punch down, to alert the world that American tech is within reach of his personal whim and abuse.

In completely unrelated news, which obviously has nothing at all to do with any of this, nothing, Jeff “Melania” Bezos just announced his new AI company.