Category Archives: Security

Security

Alisa Esage Throws Mythos Under Zero Day Bus

Leave a comment

I’ve been trying to get real work done, but the Mythos disaster keeps landing in my inbox, so here’s a quick nod.

Remember Cybernews framing of the CVE-2026-5873 demo? The researcher “intervened when the model became stuck, redirecting it and providing debugging feedback.” That’s Clever Hans. The horse isn’t counting. The handler is cueing the horse. Clever Mythos.

Gather around everyone as the future of security research is about to change. Behold Mythos, a counting horse!

Now Alisa Esage has posted claims of a Google Chrome exploit she found that proves the case. “Zero dupes so far” with Mythos. If Anthropic’s disclosures to Google covered the frontier, we should expect overlap with what she is reporting. She reports none.

That throws Glasswing under the big vulnerability bus. The April 7 Mythos rollout positioned the model as discovering apex-target bugs at scale. CVE-2026-5873 in V8, multi-chain renderer-plus-OS sandbox escape, the “too dangerous to release” label. If the model were operating where Esage operates, the two sets would intersect. They don’t.

Her business depends on the market for human-found Zero-days. Anthropic’s Mythos narrative attempts to price her out by running a cartel. She made a falsifiable claim anyway, timestamped, in public. Anthropic holds the disclosure set that would settle the dispute in one post. Let’s see it.

I write about this because I’ve spent a long career finding, reporting, triaging and managing vulns, and because the industry needs to take a hard look at the sudden threat to common sense from an AI corporation, lacking security expertise, trying to corner the security market. My business of putting out fires isn’t threatened by a sloppy fire-starter like Mythos. If anything they are generating a boom for security professionals who have to clean up their mess. I appreciate what Esage is saying and why, because she’s proving the mess.

Anthropic is clearly attempting to fence the entire security industry. Controlling what counts as a finding. What gets disclosed. Which CVE numbers get briefed to press. How the resulting narrative gets shaped.

Google receives the submissions. Reporters write the receipt. Nobody in the corrupted loop of the Church of Anthropic has to demonstrate that disclosed bugs sit anywhere near the actual exploitation frontier. The resolution mechanism sits inside the claimant. Centuries of enlightenment spent building external verification, abandoned for a press release.

Every time a CISO brings their entire team to me and asks “what is this AI speedup of vulns about?” I point them to the above analysis. Read and weep. It’s disinformation and narrative control by a get-rich-quick corporation, top-heavy with PhDs, that doesn’t understand risk management.

The next Anthropic step is probably to trick private equity muscle to act like enforcers and shove “enterprise-ready AI” into places it can’t work and doesn’t belong. This is radical capitalist predatory market behavior, completely decoupled from measures of engineering quality. It’s how you end up with a Tesla on your road, the worst piece of shit in automotive history killing hundreds of people with defective AI. Oops. Hard failure with actual deaths as a result, while some talent-less 2016 AI windbag vacuums up dollars for a decade on broken promises.

Look at the “call 0x41414141“.

Source: Mastodon

She landed the hardest primitive class on a target where the mitigation stack is designed to prevent exactly that. That’s damning evidence. Zero dupes from someone demonstrating that level of control is a substantive technical smackdown on Anthropic’s capability. Esage posted a view of the unassisted frontier for a reason. Mythos is NOT on it.

Sorry Clever Mythos, you’ve been served.

History, Security

Louisiana White Supremacist Gov Passes Bill to Prevent American Black From Holding Office

Leave a comment

Calvin Duncan spent 28 years in prison for a murder he did not commit. During those years the Orleans Parish Clerk of Criminal Court office repeatedly denied him access to the records he needed to prove his innocence. He taught himself law inside the prison. He earned a paralegal bachelor’s degree after release. He graduated from Lewis & Clark Law School at age 60. In November 2025 he won 68 percent of the vote to become Clerk of Criminal Court in the same office that had helped keep him wrongfully imprisoned. He’s an American hero.

Calvin Duncan is the founder and director of the Light of Justice program in New Orleans. Zack Smith Photography/Penguin Random House

On April 23, 2026, the Louisiana House voted 63 to 28 to dissolve the office.

Senate Bill 256 shutters the entire criminal court clerk system in a week and folds it under the Clerk of Civil Court. No election will be held for the consolidated position. Nobody in New Orleans has ever voted for an Orleans Clerk of Court. Duncan was scheduled to take office May 4.

Governor Jeff Landry is expected to sign the bill before that date. Why?

  • As Attorney General in 2018, opposed the voter referendum requiring unanimous juries for felony convictions. Louisiana’s non-unanimous jury rule came out of the 1898 constitution, designed to nullify Black juror votes.
  • As Attorney General in 2023, opposed Calvin Duncan’s petition to be compensated by the state for 28 years of wrongful imprisonment.
  • Fought the federal court order creating a second majority-Black congressional district under the Voting Rights Act. Signed SB 8 only after courts ran out the clock. His AG Liz Murrill is now in Louisiana v. Callais asking the Supreme Court to gut Section 2.
  • Pushed legislation to release juvenile offender records, targeted to the three Louisiana parishes with the highest Black populations.
  • Ran a sustained campaign against police reform in New Orleans and Baton Rouge, including moving to terminate the NOPD federal consent decree.
  • His Department of Justice created a legal fellowship named for E.D. White, the Louisiana Supreme Court justice who wrote in favor of “separate but equal” in Plessy v. Ferguson.
  • Won a federal lawsuit permanently blocking the EPA from considering race when regulating pollution in Louisiana, including in Cancer Alley. This goes right back to the Civil War continuing through 1873 Slaughterhouse pollution cases.
  • In 2016 helped craft legislation to block sanctuary cities from state bond money after New Orleans police adopted a policy preventing officers from inquiring about immigration status.
  • Called Black Lives Matter protesters “armed thugs.” Named an anti-racial-profiling policy “Hug-a-Thug.”
  • Sat on the executive committee of the Rule of Law Defense Fund, which summoned Trump supporters to the Ellipse on January 6, 2021.
  • April 2026: directed Senator Jay Morris to introduce SB 256, dissolving the Orleans Parish Clerk of Criminal Court office before Calvin Duncan could take it.

Senate author Jay Morris of West Monroe has acknowledged that Landry asked him to introduce the bill to remove the seat for Duncan. And I’ll say it again, Landry opposed Duncan’s petition for wrongful-conviction compensation when Landry was Attorney General in 2023. His successor Liz Murrill denied Duncan’s exoneration throughout the campaign, despite more than 160 legal professionals signing a public letter confirming it.

This is a long game of structural, systemic, racism.

Mardis Gras 2024 Krewe du Vieux float showcases the Landry laundry: “Klan robes washed free” and “Coloreds must be separated from whites”

You have to see Landry for the piece of racist shit that he is. Look at who is using state power to repeatedly attack an American Black man to hold him down based on his race alone.

Laundering in seersucker

Representative Dixon Wallace McMakin of Baton Rouge carried the bill on the House floor. He described dissolving a municipal court system as continuity through modernization. It isn’t, and that’s a specific phrase with a racist history. Typically “modernization” is the coded language for dismantling Black institutions and political power.

He cited the consolidation of the New Orleans tax assessors’ offices as precedent. It wasn’t. When Democratic Representative Delisha Boyd asked him how long that consolidation took, he said he did not know. Boyd told him the answer. Four years. This bill says it will bomb the office out in six business days, just so no Black man can have it.

Have you been to Baton Rouge?

Can you imagine a neighborhood today in Germany with all its streets named for Nazi generals? No, because the Allied occupation forced renaming. Back in America, however, its enemies are busy shoving racist propaganda onto every street corner.

Representative Denise Marcelle of Baton Rouge asked McMakin whether he would accept the governor eliminating Marcelle’s district before she could take office. He said he would be fine with it, presumably as it would keep whites in power and still block any Black from office.

McMakin acknowledged on the floor that there is no precedent for eliminating an elected office before the duly elected person can take their position. He then apologized. Not to Duncan, for being racist. To his fellow Republicans. For being called racist.

Hate holding longer than the state constitution

Louisiana is known for this.

In 1868 Oscar Dunn became Lieutenant Governor. In 1872 P.B.S. Pinchback served as acting governor. By 1898 the state had written a new constitution whose framers openly declared its purpose: eliminate Black political participation. The mechanism evolved across a century. Poll taxes. Literacy tests. Grandfather clauses. White primaries. The Voting Rights Act struck most of them down. The losing white supremacists taught their children to repeat the hate generationally.

Thus the current move is identical. A Black official wins an election by a 36-point margin. The state invents an administrative reason to eliminate the victory by declaring the seat erased. Sixty-three legislators vote for white supremacist power. The governor signs to keep hate alive.

McMakin called it modernization, because that’s a whistle to white supremacists. They are hiding records of their past crimes by committing new ones.

The archaeological detail

Duncan ran for this office because the office had wronged him. The records that would have proved his innocence sat inside the Clerk of Criminal Court’s files. He was denied access to them for years. When the Innocence Project of New Orleans finally pried the documents loose through litigation, the files showed police officers had lied in court. That is what a functioning records office is supposed to prevent and what a captured one enables.

Duncan’s victory threatened to put a man who understood the records system’s failures in charge of fixing them. The people holding racist power, who corrupted records and denied justice, preferred to dissolve the system before it could be fixed.

That is integrity breach as policy. Failure by design, like a ladder thrown down so others can’t climb the wall.

“Throwing Down the Ladder by Which They Rose.” Thomas Nast, 1870, for Harper’s Weekly, New York, New York. The “Know-Nothing Party,” a nineteenth-century nativist political party, throws down the ladder “by which they rose” in an attempt to deny entry. The hypocrisy of the descendants of immigrants denying citizenship to new immigrants is fundamental to American history.

Office, what office?

The accountability mechanism was working. Voters elected a true American reformer by a landslide. The white supremacists responded by removing the mechanism rather than accepting the accountability. Because white supremacists by definition are people who can not accept accountability.

Representative Candace Newell of New Orleans said it plainly before the vote. The rights they eliminate today are a template for the rights they eliminate tomorrow. And that has a specific history in Louisiana, with a specific “modernization” term used to enact state-level white supremacist doctrine.

Security

Hot Bet: Terror Finance Platform (Polymarket) in French Criminal Probe for Integrity Breach

Leave a comment

A confidentiality breach, loss of privacy, is well known since California delivered landmark legislation in 2003 called SB1386.

The amount of money that criminals made by breaching privacy was, well, criminal. And more importantly, laws changed to make platforms enabling a privacy breach illegal.

Today we have a similar crisis with integrity breaches. Polymarket is clearly and effectively organizing an explosion in criminal behavior, already rising to terrorism, by making crime pay.

In one obvious example, someone artificially heated a weather sensor at Charles de Gaulle airport to profit on a Polymarket bet about temperature.

Twice.

Polymarket is paying attackers to breach the integrity of critical infrastructure. Public loss is being platformed as private gain.

BFMTV reports that on April 6 the Météo France sensor at CDG spiked from 18°C to over 21°C around 19h, then dropped back.

That’s the integrity breach. And it matters.

A Polymarket account created two days earlier won $14,000 on a bet that the daily maximum would cross 21. On April 15 the same sensor briefly registered 22°C while the surrounding days held at 18 and 19. The contract probability moved from 0.1% to 95% in thirty minutes. That winner took over $20,000.

Météo France filed a criminal complaint with the Roissy airport gendarmerie for altération du fonctionnement d’un système de traitement automatisé de données, tampering with an automated data processing system.

I’ve warned and written about public sensor integrity breaches like this for over a decade, yet the profit platform angle makes it more alarming than ever.

The agency performed physical inspection of the instrument and analyzed the sensor data. Meteorologist Ruben Hallali told BFMTV the variations are implausible at these dates over such short durations, and that someone with good knowledge of how the sensors work would have had to intervene physically, likely with a heating device held briefly next to the instrument.

The instrument is at an international airport. The same sensor that settles a Polymarket contract feeds weather data to aircraft on departure and arrival at Charles de Gaulle. Météo France declined to say whether the tampering affected aviation telemetry. But the obvious elephant in the room is that someone could bet a lot of money about an airplane crashing and then cause it to happen.

Polymarket’s response was to silently switch the reference sensor. That’s the kind of complicit response you would expect in a privacy breach where the company at fault said they switched to a new database. just as vulnerable as before. It’s a security failure of the worst kind.

Since Sunday the Paris temperature oracle is read from Le Bourget airport instead of Charles de Gaulle.

That is NOT a fix. That is an invitation for targeting and attack of another sensor.

Polymarket CEO Coplan has pitched illegal insider information as a “cool” feature of his platform, the mechanism by which prices “discover truth.” A temperature sensor is the physical-world equivalent of such criminal intent. Someone who walks up to a Météo France instrument with a heating element becomes an insider, and the thirty-minute probability spike from 0.1% to 95% is the insider divulging corrupted, tampered, information to the market.

By Coplan’s own definition, this is the Polymarket system working as designed.

The resolution mechanism (one sensor reading tampered to make false claims for profit) is cheaper to corrupt than the underlying event (the weather over Paris measured by integrity-safe systems). Every sensor Polymarket chooses becomes a criminal attack surface, an integrity breach for profit. The platform is now underwriting physical attacks on civil aviation weather telemetry to settle criminal gambling contracts.

France banned Polymarket, for obvious reasons. The sensor in France at Charles de Gaulle was tampered with intentionally, by bettors using VPNs the platform makes no serious effort to defeat. The criminal complaint will proceed against whoever held the heat source. The platform that paid out $34,000 on tampered readings, at an airport it is not legally allowed to operate in, so far will not be investigated.

Integrity breach is the business model. Just like privacy breach used to be. before trading on stolen PII was properly treated as a crime.

Let me be clear. This is not about gambling regulation.

Polymarket is terrorism financing infrastructure.

The CEO is a criminal. France should charge him and issue an Interpol red notice. The platform he built and runs creates financial incentive for physical attacks on critical infrastructure. This sensor is inside a safety-critical system. Courts need to hear Polymarket in America not only enables global terrorism, it incentivizes and rewards it by design with zero accountability for harms.

History, Security

Designated Felon: How Polymarket CEO Stays Out of Jail

Leave a comment

Polymarket CEO tells insiders to leak. So cool, he said five months ago. Do it, for the market.

…what’s cool about Polymarket is that it creates this financial incentive for people to go and divulge the information to the market and the market to change, and all of a sudden…

Insider leak is the entire product. Harvard researchers estimate more than $143 million in Polymarket profits may be linked to individuals with access to nonpublic information. I’m surprised it’s not 100%, given the CEO statement.

And now, as you might expect, Polymarket says insiders who leak will be selectively reported to law enforcement.

Source: Twitter

Proof? Arresting the CEO would be the only acceptable proof.

The insider-leak-harvesting system is sacrificing one publicly identifiable service member, without explaining how, to preserve the Polymarket platform as a pipeline of crime. The referral is compliance theatre that protects the CEO, who is in bed with the government and will victimize again.

Inducement to crime is the business model. Selective corrupted enforcement is the margin.

An insider named Van Dyke did exactly what Coplan advertised he made Polymarket for, and was held out as the “not cool” kind of leaker once the political cost of privacy exceeded the marketing value of generating leakers to sacrifice.

How many Polymarket users will be trapped and burned so that the CEO may continue his crimes?

The resolution mechanism (who gets prosecuted) is cheaper to corrupt than the underlying event (controlling who leaks). Polymarket positions itself now as above the law, as it chooses which leakers to expose and which to hide for profit. That selection power is worth more than any individual trader’s profit, and it is apparently corrupted.

The “Eddie Murphy Rule” charge is novel and narrow. It punishes Van Dyke’s misuse of classified information. It does nothing to the platform that monetized his misuse, or to the CEO who described the misuse of classified information as a core feature of his business.

The FBI raided the Polymarket CEO’s apartment in November 2024 as part of an investigation into US users trading on the platform. Trump’s DOJ and CFTC abruptly dropped both investigations in July 2025. Then in September 2025 Polymarket bought a CFTC-registered exchange to go onshore. Talk about insiders. Coplan was on a call from Mar-a-Lago the same week as the raid. The acting Attorney General applauding “our men and women in uniform” on the Van Dyke arrest is Todd Blanche, Trump’s former personal defense attorney. The FBI Director praising the indictment is Kash Patel.

The arrest is entirely political.

The system got the wrong guy, on purpose.

Critical OPSEC integrity failure, by design.

The Van Dyke arrest is the only visible prosecution against a backdrop of total federal withdrawal, on both sides of a rigged competition the First Family is paid to sit atop like President Andrew “genocide” Jackson would have wanted.

President Jackson was one of the most, if not the most unjust, immoral and corrupt men in American history.

Donald Trump Jr. is a paid advisor to both Polymarket and Kalshi, the two largest prediction markets competing for the same regulatory carve-out. At an April House Agriculture Committee hearing, Representative Jim McGovern asked CFTC Chair Mike Selig whether the White House had pressured CFTC to drop its Polymarket probe. Selig refused to answer. Selig also runs a CFTC with one commissioner out of five, a quarter of its staff cut, and a public admission that AI is covering the enforcement gap. On April 2, that same CFTC joined DOJ in suing Arizona, Connecticut, and Illinois to block state enforcement against prediction markets. One of the DOJ attorneys on the case is Yaakov Roth, who represented Kalshi in the 2023 lawsuit that opened the door for these platforms in the first place. Blanche meanwhile issued his “cease cryptocurrency enforcement” memo while still holding between $159,000 and $485,000 in crypto, despite an ethics pledge not to act on matters affecting those holdings. He divested after.

In case you like historical parallels

Year Case Sacrificed Protected
1720 South Sea Bubble Company directors Court and ministry (Walpole, “the Screen”)
1872 Crédit Mobilier Two censured congressmen Railroad directors, federal subsidy pipeline
1875 Whiskey Ring Treasury clerks Orville Babcock, Grant
1921–24 Teapot Dome Albert Fall Harry Daugherty, Harding cabinet
1986–87 Iran-Contra Oliver North Reagan, CIA chain of command
1995–96 Loans-for-shares Russian public assets Yeltsin family, seven bankers
2026 Polymarket Gannon Van Dyke Shayne Coplan, Trump family