Category Archives: Security

Poetry, Security

OpenClaw Creator Makes Strong Case Against OpenClaw: Telnet for AI

Leave a comment

Every governance concern that security researchers have raised about OpenClaw has now been confirmed by the person who built it. In a recent three-hour public interview, Peter Steinberger described his architecture, his security philosophy, and his acquisition strategy in detail. Then he joined OpenAI.

The Architecture Speaks for Itself

The initial access control for OpenClaw’s public Discord bot was a prompt instruction telling the agent to only listen to its creator. The entire access model: a sentence in a system prompt.

The skill system loads unverified markdown files. There is zero signing, zero isolation, zero verification chain. The agent can modify its own source code, a property Steinberger describes as an emergent accident. “I didn’t even plan it. It just happened.” Integrity breach. He calls it self-modifying software and means it as a compliment. It’s like someone in the 1990s saying a clear-text protocol that allows attackers to modify or steal data is so “mod” it’s a compliment. Telnet for AI has landed, everybody!

When agents on MoltBook, the OpenClaw-powered social network, began posting manifestos about destroying humanity, Steinberger’s response was to call it “the finest slop.” When the question of leaked API keys came up, he suggested the leaked credentials were prompted fakes. When non-technical users began installing a system-level agent without understanding the risk profile, he said “the cat’s out of the bag” and went back to building.

The security researcher he hired was notable for being the single person who ever submitted a fix alongside a vulnerability disclosure. A rain drop in a desert isn’t nothing.

The Model-Intelligence Thesis

Steinberger’s core security argument is that smarter models will solve the problem for him. He warns users against running cheap or local models because “they are very gullible” and “very easy to prompt inject.” The implication is that expensive frontier models are the security layer.

This is a category error with a name. Economists call it the Peltzman Effect: when a perceived safety improvement causes riskier behavior, offsetting the safety gain. Sam Peltzman demonstrated in 1975 that mandatory seatbelt laws did not reduce total traffic fatalities because drivers compensated by driving more aggressively. The safety feature changed behavior, and the behavior change consumed the safety margin.

The same dynamic applies here. A user who believes Opus 4.6 is “too smart to be tricked” will grant it broader system access, approve more autonomous actions, and skip manual review of agent output. The expensive model becomes the justification for removing every other control. The blast radius grows in direct proportion to the user’s confidence in the model’s intelligence.

This confidence has no empirical basis. Capability and security are orthogonal properties. A more capable model has a larger attack surface precisely because it can do more: it can call more tools, access more files, execute more complex multi-step actions. The frontier models that Steinberger recommends are the same models that researchers consistently demonstrate novel jailbreaks against at every major security conference. Price measures compute cost. It measures nothing about resistance to adversarial input.

The architectural equivalent is telling users to buy a faster car instead of installing brakes. A faster car with no brakes is more dangerous than a slow one, and the driver’s belief that speed equals safety is the most dangerous component of all.

The honest version of the recommendation is: your security posture is whatever Anthropic or OpenAI shipped in their latest post-training run, minus whatever the skill file told the agent to ignore.

The Acquisition Was the Product

Steinberger said “I don’t do this for the money, I don’t give a fuck” (his phrasing) while describing competing acquisition offers from Meta and OpenAI. An NDA-protected token allocation from OpenAI he hinted at publicly. Ten thousand dollars paid for a Twitter handle. A Chrome/Chromium model where the open-source branch stays free and the enterprise branch goes behind the acquirer’s paywall.

He chose OpenAI. Sam Altman announced the hire on X, calling Steinberger “a genius” who will “drive the next generation of personal agents.” No terms were disclosed. OpenClaw moved to a foundation. OpenAI sponsors it.

Altman called him “a genius.” The entire acquisition apparatus of a $500 billion company evaluated this project. Zuckerberg played with it for a week. None of them appear to have asked the obvious question: where are the security controls? This is a single-token, single-trust-domain architecture with no signing, no audit trail, and prompt-based access control. It is the most rudimentary possible version of agent orchestration. Any first-year security review would flag it. Instead, the most powerful people in the industry looked at it and saw genius. When the court can’t tell the emperor has no clothes, the problem is the court.

The Chrome/Chromium split he floated in the interview is now the actual outcome. The community gets the foundation branch. OpenAI gets the builder. Steinberger’s stated mission at OpenAI: “build an agent that even my mum can use.” Still features. Still not security.

The 180,000 GitHub stars apparently are like a cap table denominator. The open-source commitment was a negotiating position. “My conditions are that the project stays open source” was a sentence that ended with a number. The number landed on February 15th.

Every enterprise evaluating this stack should ask a simple question: were the security architecture decisions made to protect your data, or to maximize the founder’s acquisition multiple?

Architecture Should Outlast the Liquidity Event

Steinberger said he wanted to focus on security. He also said he wanted “Thor’s hammer” from OpenAI’s Cerebras allocation. He got the hammer. Security is still waiting.

The revealed preferences are the architecture. A founder who prioritizes security builds security into the structure. A founder who prioritizes acquisition builds features that drive GitHub stars. OpenClaw has 180,000 stars and zero signed skill files. That ratio told you everything about the objective function.

He said this project was something he’d move past. He said he had “more ideas.” He said he wanted access to “the latest toys.” He was honest. The 180,000 installations remain.

The architecture has not improved since the acquisition closed. The markdown skill files are still unsigned. The agent can still rewrite its own source. The audit trail is still absent. The single security hire is still the entire team. It could get worse instead of better.

The question is whether the architecture requires its creator to care. It does. He left. That’s the failure mode.

The world should demand the opposite. Process isolation enforced at compile time. Signed skill verification. Append-only audit logs. Per-channel credential vaults. An architecture that stands independent of the founder’s attention span, acquisition timeline, or faith in the next model’s post-training run.

The tools we trust with system-level access should be built to deserve system-level access. Whose interests does the OpenClaw architecture serve? Brecht in 1935 asked the same question about every monument ever built (Questions From a Worker Who Reads):

Wer baute das siebentorige Theben?
In den Büchern stehen die Namen von Königen.
Haben die Könige die Felsbrocken herbeigeschleppt?

Who built the seven gates of Thebes?
The books are filled with names of kings.
Was it the kings who hauled the craggy blocks of stone?

180,000 people hauled the blocks. The books are filled with one name, who said he wanted Thor’s hammer because he didn’t give a fuck.

Security

Trump Walking America Over a Missile Cliff in Iran

Leave a comment

The United States blew more money in 16 days of war, without objective, than Iran spends in a year on its entire military. That asymmetric cost model is a problem for America.

The red wall on the chart above is US war spending at $750 million per day. The flat black line along the bottom is Iran’s entire annual military budget spread over 365 days.

Same money. The US is blowing dollars 23 times faster. By March 15, of Operation Epic Fury, the Pentagon had spent over $12 billion. Iran’s total annual military expenditure, according to the IISS Military Balance, is approximately $10 billion.

Then the Pentagon asked Congress for $200 billion more, because it can’t sustain itself. That is the dashed red line shooting off the top of the chart. Twenty years of Iran’s entire military budget, was requested as a supplemental.

The missile math

United States Iran
Pre-war stockpile 3,000-4,500 Tomahawks 8,000-10,000 ballistic missiles
Fired in 4 weeks 850+ Tomahawks 1,191 ballistic missiles
% of stockpile spent ~25% ~13% (fired only)
Confirmed destroyed N/A ~33% of total arsenal
Still operational ~75% (globally) ~33% confirmed + recoverable
Monthly production 5 Tomahawks 100+ missiles (Rubio’s number)
Cost per unit $2.2-3.6 million ~$50,000-300,000
Build time per missile Up to 24 months Unknown, far shorter
Time to replace what was fired 14+ years at current rate ~9 months

The United States burned a quarter of its global Tomahawk inventory to confirm-destroy only a third of one country’s missile arsenal. That is to say US intelligence are struggling to verify that a third is destroyed. Another third is damaged or buried underground, potentially recoverable when fighting stops. The remaining third is operational. The $12B spent doesn’t seem to have obliterated Iran missile strength, only confirmed the resilience of it.

Iran launched 15 ballistic missiles at the UAE on March 27 alone.

The IDF says 70% damaged (and rebombing needed). US intelligence says 33% confirmed destroyed. Trump says 99% decimated. Iran launched over a dozen ballistic missiles at the UAE the same day. Three governments, three numbers, none of it reconcilable with what’s still flying.

The production asymmetry

Secretary of State Marco Rubio said it himself on March 2:

[Iran is able to produce] over 100 of these missiles a month. Compare that to the six or seven interceptors that can be built a month.

The Tomahawk production rate is worse. The Pentagon budgeted for 57 Tomahawks in the FY2026 budget. Actual recent production has averaged roughly 60 per year, or 5 per month. Iran builds in a single month what the US builds in 20 months.

Raytheon has signed a framework to scale to 1,000 Tomahawks per year. That capacity will not arrive until approximately 2028. Each missile takes up to two years to build. The FPRI’s Payne Institute documented that the coalition expended 5,197 munitions across 35 types in the first 96 hours alone, at a replacement cost of $10-16 billion, and that the single domestic source for warhead high explosives, the Holston Army Ammunition Plant in Tennessee, had not received any orders to increase production as of March 12.

The Pacific problem

Every Tomahawk fired at Iran is one fewer available for a Taiwan contingency. CSIS estimated that a conflict in the Western Pacific could consume 5,000 long-range missiles in three weeks. At current depletion rates, the US may not have enough for either theater. Pentagon officials described the Middle East Tomahawk supply as approaching “Winchester”, military slang for out of ammunition.

Trump said it at a Cabinet meeting on March 26:

The problem with the straits is this: let’s say we do a great job. We say we got 99%. 1% is unacceptable, because 1% is a missile going into the hull of a ship that cost a billion dollars.

He described the unsolvable problem without realizing it. You cannot get to zero when the target has underground production, a dozen hardened facilities at 500 meters depth, and the attacker’s stockpile is finite and shrinking.

Houthis also are firing ballistic and cruise missiles at Israel for the first time since Epic Fury began.

The war is expanding, not contracting.

An E-3 Sentry AWACS was damaged in the Iranian strike on Prince Sultan Air Base in Saudi Arabia, along with KC-135 refueling aircraft. That’s a $700m one-of-a-kind surveillance aircraft, limited fleet, not easily replaced. Iran hit it with a missile that cost a fraction. The US has 12 wounded from that single strike, bringing the total to 303 Americans wounded, 13 killed.

The math does not work. America is walking off a missile cliff.

Security

FitBit Fakes Data: Google Treats Integrity as Career Poison

Leave a comment

Google’s Pixel Watch has been fabricating health data.

The March 2026 update to the Fitbit app caused it to double and triple users’ step counts, invent calorie burns, and simultaneously delete SpO2 and skin temperature tracking entirely. The device was deleting and fabricating health data at the same time.

Google’s fix for this serious integrity breach?

Stop generating new bad data going forward. Leave corrupted records permanently in your health log. Reboot your own watch to receive the correction. The company that broke your data leaves it to you to take an action to receive the repair.

This is a data integrity governance story.

The gross promotion engine

Google has shut down over 280 products since 2010. Roughly one every two weeks for fifteen years. This is not a failure rate. This is an incentive structure producing its intended output.

Inside Google, engineers get promoted for launching new things. Maintaining existing products is career poison. Fixing bugs, preserving data integrity, honoring the promises made to users who bought hardware based on software commitments — none of this advances a career. A former Google Sheets lead described it plainly: teams that focus on users get passed over, while teams that ignore users get promoted first. The metrics become the objective. The product becomes the byproduct.

Fitbit was someone else’s product.

Google acquired it. Maintaining it with care is the opposite of what their internal grindstone system of shiny-new objects rewards.

The acquisition

Google paid $2.1 billion for Fitbit in 2021. Alphabet generated 83% of its $161.86 billion in 2019 revenue from targeted advertising. Fitbit’s value was its data back then. It came with heartbeats, sleep patterns, calorie intake, walking distances, menstrual cycles, health conditions. Twenty-eight million users’ worth.

The EU saw it coming.

The European Commission approved the deal only with conditions: a ten-year data silo keeping Fitbit health data separate from Google Ads, API access commitments for third-party developers, interoperability guarantees for competing wearables on Android. A monitoring trustee was appointed. Civil society groups across Europe had begged regulators to block the deal. The European Data Protection Board warned:

the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data.

The Commission approved it anyway. The EU’s stated preference is to regulate tech giants, not to prevent their expansion.

The squeeze

Five years later, here is what Google has done with its regulated acquisition.

It deprecated the Fitbit web app in July 2024, removing the only robust food tracking and data analysis tools without porting them to mobile. It forced all users to migrate from Fitbit accounts to Google Accounts. Forced as in comply by May 19, 2026, or lose all your historical health data, which gets deleted starting July 15, 2026. It launched a Gemini-powered “AI Coach” that requires users to share medical records through third-party partners including Clear, the facial recognition company best known for expediting airport security checks.

And it shipped an update that caused the health tracking device to hallucinate fitness data while deleting real biometric readings.

NOYB, the European privacy organization, filed complaints in Austria, the Netherlands, and Italy arguing that Fitbit forces consent from users who have no real choice.

Their lawyer put it simply: you buy a watch for a hundred euros, you sign up for a paid subscription, and then you’re told to “freely” agree to global data sharing or lose everything you’ve tracked for years.

The mechanism

Google does not sell fitness trackers. Google sells attention to advertisers.

Fitbit’s users are not customers. They are inventory.

The promotion culture ensures no one inside the company is incentivized to care about product integrity after launch. The acquisition model ensures that purchased products get absorbed into the data ecosystem and then neglected. The forced migration ensures that users cannot exit without losing their own health records. The regulatory framework ensures that commitments are narrow enough to honor in letter while violating in spirit.

Every piece of the system is functioning as designed. The step count fabrication is not a failure of the system. It is a product of a company where the word “maintenance” means “no one’s job.”

Integrity as threat

Google killed Google Reader despite 129 million active users. It killed Inbox despite widespread devotion. It killed Google Play Music, Hangouts, Google+, Stadia, and roughly 275 other products — each one representing a set of promises made to users who organized some part of their lives around the product’s continued existence.

The pattern reveals the value system and the lack of integrity breach reporting.

Launching is rewarded. Maintaining is tolerated. Caring about whether the thing you shipped still works correctly is not just unrewarded, it is structurally incompatible with Google’s internal concepts of skill and career advancement.

When maintaining integrity is career poison, you get a company that fabricates health data, ships the fix without repairing the damage, and leaves it to users to reboot their own devices to receive the correction.

When maintaining integrity is career poison, you get a company that buys a health platform, strips its best features, forces account migration under threat of data deletion, and then uses the captive user base to feed its AI model.

This is a management decision and direction. Everyone involved understands exactly what they are doing. That is what makes it a governance story, which exposes integrity breaches as still very different than confidentiality breaches.

The people inside Google who know this system is broken and continue operating it because the business model depends on it? They have a name. They are the product.

In related news:

Washington Post journalists who called the White House switchboard using Google Pixel Android phones saw “Epstein Island” on their screens on Thursday due to a “fake edit” in Google Maps. Google said it reversed the edit and the user responsible was blocked. (Screenshot taken by The Washington Post)
History, Security

Mathematics in America? There is really none anymore

Leave a comment

More than 1,500 mathematicians have signed a petition to boycott the International Congress of Mathematicians this July in Philadelphia. The ICM meets every four years. It is where the Fields Medal is awarded. It is the single most important gathering in the most universal discipline humans have.

If the people who work in pure abstraction look at the United States and say “we cannot go there,” that is measurement.

The math of precedent

In 2022 the International Mathematical Union moved the ICM out of Saint Petersburg after Russia invaded Ukraine. The principle was clear: military aggression disqualifies a host country. Since that decision, the United States has started wars in Venezuela and Iran, imposed a naval blockade on Cuba (an act of war under longstanding international law), suspended visas from 75 countries, and deployed federal immigration agents across its cities. The same organizers who cancelled Russia have said nothing about America.

The paper trail is damning. In 2022 the European Mathematical Society wrote: “We call on the International Mathematical Union not to proceed with the ICM in Russia.” In 2026, the same EMS wrote that it “will continue to support the IMU and the local organizing committee.” Same institution, same structural problem, opposite conclusion.

The American Mathematical Society’s president wrote in February that the congress would “powerfully demonstrate the importance of civilizational values.” This is the language of exception. The rule applies to others. We demonstrate values.

A technically impossible defense

Defenders of the double standard argue that 2022 was different because Western sanctions made attendance in Russia literally impossible. Institutions banned travel. Flights were cancelled. Grant money could not be spent. Fair enough. But follow the logic. The West created that impossibility through its own sanctions regime. The absence of equivalent sanctions on the United States for equivalent behavior is not evidence that the situations differ. It is the double standard in its most precise form. The mechanism of enforcement is selective, not the principle.

Mein Gott, Göttingen?

When the Nazis purged Jewish mathematicians from Göttingen in 1933, they destroyed the greatest mathematics department in the world overnight. The new Education Minister asked David Hilbert how mathematics was faring without the Jews.

Mathematics in Göttingen? There is really none anymore.

The regime did not care. The talent left. America inherited it.

Now America is repelling it. The French Mathematical Society announced its boycott in January, before the wars even started. France has more Fields Medalists than any country except the United States. When France looks at the conditions on American campuses and in American cities and decides the risk is too great for its researchers, that is not posturing. France does not posture about mathematics. France is serious about mathematics.

Orders of moral magnitude

Mathematicians have a particular relationship to contradiction. You cannot do the work and tolerate inconsistency. The petition names the inconsistency directly: one invasion disqualified Russia, three conflicts do not disqualify America. That is not a political argument. It is a proof by contradiction.

The ICM has accommodated power before. Benito Mussolini was honorary president of the 1928 congress. The 1950 ICM in Cambridge nearly lost Laurent Schwartz, its Fields Medal recipient, because McCarthyism made his communist affiliations a visa problem. Alexander Grothendieck resigned from IHÉS over military funding and withdrew from professional mathematics entirely. The apartheid-era academic boycott of South Africa removed international legitimacy from a regime that craved it. The pattern is consistent. When the scientific community withdraws, it is telling you something the diplomats will not.

On MathOverflow, the question of whether to cancel or relocate the 2026 ICM has been closed four times and reopened four times. Moderators have deleted political answers to the 2026 question while the equivalent answers to the 2022 question remain untouched.

The forum cannot decide whether its own question is legitimate because answering it honestly would require applying the standard it set four years ago to the country it is in.

Deafening silence

The IMU and the Simons Foundation, which is funding the congress, both declined to comment. When the money and the organizers go quiet, they are calculating, not deliberating.

The question everyone poses is what mathematicians can do with their collective power. The answer is already visible. They do not need to achieve anything beyond what they have done.

A canary does not need a plan. It just stops singing.

The world’s best minds will not enter the country. That is not a prediction. That is the simple math.