
This Day in 1381: Biometric Age Verification Leads to Beheadings

In the spring of 1381 the English crown levied a poll tax on everyone aged fifteen and over. To verify age the collectors were said to need to inspect bodies directly. The story goes, perhaps exaggerated, perhaps a metaphor to expose state-sanctioned rape, that there would be official measuring of pubic hair, meaning the cost of dignity was about to land hardest on poor young girls.

If you’re already thinking wow this sounds like modern age-gating, ID checks, facial-age estimation, using the body as the verification surface, you’re on the right path. The people in the position least able to refuse were being targeted with the most invasive and permanent “classifier” system, hundreds of years ago.

As collection began to roll out in early 1381 it became so dangerous, due to protests, that collectors refused to work in London, and on the 30th of May two of them were assaulted in Essex.

Two weeks later, on this day, the 14th of June, it really blew up. Before the crown could muster a coherent response, tens of thousands had marched on London. The 14-year-old Richard II rode out to meet them on open ground at Mile End, where he conceded a charter abolishing serfdom and granted a blanket pardon. Around thirty clerks were put to work writing sealed manumissions for every manor and shire, and the king’s own banner was sent to each county as warranty of his word. He sent most of them home believing him. It was a trick. He rode to Waltham, declared the charters all null and void because they had been extracted from him under duress, and told the peasants on June 22 “rustics you were, and rustics you are still.” His word was worthless, and he kept none of it, instead escalating and hanging some 1,500 people.

You wretches, detestable on land and sea; you who seek equality with lords are unworthy to live. Give this message to your colleagues: rustics you were and rustics you are still: you will remain in bondage, not as before but incomparably harsher. For as long as we live we will strive to suppress you, and your misery will be an example in the eyes of posterity. However, we will spare your lives if you remain faithful and loyal. Choose now which course you want to follow.

With that kind of state treachery in mind, I have to point out a notable difference from protests in England back then versus today. There is no single neck carrying the decision today for pushing biometric age verifications on children, unlike Sudbury, Hales, and Legge, upon whom the crowd focused their rage. Sudbury was Archbishop of Canterbury and Chancellor of England; Hales was Treasurer, Grand Prior of the Knights Hospitaller, a crusader. Legge ran the commission that reassessed the tax. The public removed them all from the Tower and beheaded them on Tower Hill, to parade their heads through the streets on poles.

So now you know how things turned out for England’s council of a 14-year-old King that tried in 1381 to enact biometric verification of other teenagers.

Why We Need a Separation of AI Church and State

Margaret Hu has been making this argument for years, before I caught up to it. She is a professor of law at William and Mary, directs the Digital Democracy Lab, and has testified before Congress on AI regulation.

She just mentioned the separation of AI Church and State has been a rising topic for several years, most recently on the Federal Newswire podcast.

She pointed out separation of Church and State rhymes with separation of AI and State. The Church minted the coin and then charged for salvation. The labs mint the token and charge for salvation. Same institutional makeup, eight centuries apart. That got me thinking:

| | Church Coin | AI Token |
|---|---|---|
| The instrument | Placed on the altar | Submitted via API |
| Who mints | Empire grants it, commune holds it, the Church absorbs it and the ius monetae migrating across one disc of metal | The lab holds it, ungoverned |
| Booked twice | The offering in the box, plus a credit struck against purgatory | Compute revenue, plus a mark-to-market gain on the same dollar |
| The salvation sold | Time taken off the afterlife | AGI, alignment, civilization rescued, cure disease, reduce labor, blah blah blah |
| The half you can audit | 70,000 coins found beneath Scandinavian church floors | Amazon’s 16.8 billion dollar mark, booked in the open |
| The half you cannot | The grace. Never recoverable | The capability claim. Never independently proven |
| The trinity | Mints the coin, sells the salvation, writes the law of usury | Mints the token, sells the salvation, writes the safety framework |

Where This Ends is Ugly

An institution that mints the money, sells the salvation, and writes the morality of money holds all three levers with no independence or separation. Nothing inside would work to pry them apart. The medieval version did not reform by memo. It was Luther who nailed the indulgence (the AI double-booking of his day) to a door in 1517. Then a brutal correction unfolded over the next hundred and thirty years. Princes seized the mints and the monastery lands. The wars of religion ran into the Thirty Years War, which emptied as much as a third of the German lands in the worst regions.

The act of “disestablishment” (prying mint and salvation away from the sword) was Westphalia in 1648.

The AI labs clearly are bringing back the trinity and infusing it into the state: we just saw an export ban on who may run a model, we just saw empty warehouses permitted as datacenters and ruled as critical infrastructure, with the national-security frame doing all the consecrating. They may as well say national holiness. Elon Musk may as well be called the holy emperor of SpaceX, presiding over what looks like the biggest fraud in history. The records are blunt about the very high price of undoing the Church coin collapse. Elon Musk isn’t going to disestablish himself any sooner than he will admit he isn’t going to achieve driverless by 2017 or land on Mars by 2018.

Someone has to seize the AI tokens before more people die from AI. Or, to put it how it was said a very long time ago:

Doch schweig ich noch von dem, was ärger als der Tod,
Was grimmer denn die Pest und Glut und Hungersnot:
Daß auch der Seelen Schatz so vielen abgezwungen.

Andreas Gryphius wrote that in 1636, mid-war, which reads: “and yet I stay silent on what is worse than death, grimmer than plague and fire and famine: that the treasure of the soul was wrested from so many.”

The AI token is today’s Seelenschatz: sold as salvation, never proven, never refunded. The medieval fix wasn’t a stronger emperor. That kind of escalation always fails. It was prying the mint, the salvation, and the sword into separate hands and holding the line. Separate the AI Church from the State before the unauditable claim bills us in death again.

Amazon Told the White House to Kill Anthropic Fable Model Running on AWS

The official account of the Fable takedown is bizarre. Anthropic says it got a 1:30 p.m. call giving it 90 minutes to take the models down, no details on the threat. They added that there was never any begging or asking to work together, just a deadline.

You don’t have to take Anthropic’s word for it. Axios, reporting the episode separately, landed on the same 1:30 call, the same 90 minutes, the same blank where the threat details should be. Two newsrooms confirmed Anthropic’s timeline.

And then? The government’s own story popped up, as an outlier. A senior White House official told Politico the export controls were “a last resort after begging them for hours to work with us.” When the neutral account backs your opponent and not you, “we begged them for hours” reads like something spun up after the fact as propaganda to dress up a decision that already had been made.

The decision rested on a report almost nobody was allowed to read.

The henchmen who pulled the trigger (Bessent, Cairncross, Sacks) spoke gravely about the danger, yet not one of them apparently read the thing they were rambling about. The administration says Amazon’s findings went past the NSA and that it had “proof,” which it has declined to describe.

How Kafkaesque.

The one outside expert who actually read the report, my good friend Katie Moussouris, says the response was wildly out of proportion to its contents, and that Amazon’s researchers found the flaw by asking the ordinary questions a defender asks, which is the entire job the model was built to do.

Yeah, this story is more and more bizarre. So a product used by hundreds of millions of people was yanked off the global market in an evening, on the strength of a document the deciders hadn’t read, written by Anthropic’s largest investor, at the government’s own request, and the only person who read it and spoke publicly says it justified none of it.

America makes no sense right now.

So let’s take the new rule at its word. Software, when asked the questions an attacker might ask, is a national security threat if it returns something an attacker could use. In the interest of saving America, the following should also have been shut down by Friday night.

| Product | The actual national security risk | Status |
|---|---|---|
| Anthropic Fable / Mythos | A non-universal jailbreak the one outside reader called minor. Crime: answered the questions defenders are supposed to ask. | Pulled worldwide in one evening |
| Atlassian Confluence | CVE-2022-26134 and CVE-2021-26084: unauthenticated remote code execution, mass-exploited as zero-days, both on CISA’s must-patch list. An actual hard case of failure. | Still shipping. No letter. |
| Atlassian Bitbucket | CVE-2022-36804: command-injection RCE, added to CISA’s known-exploited catalog after crews walked through it in the wild. | Still shipping. No deadline. |
| Atlassian Jira | Template injection and access-control flaws used in real intrusions against real organizations. | Still shipping. No NSA review. |
| Microsoft Teams | A default-trust attack surface pre-installed inside every enterprise in the country, with documented token-theft and phishing pathways. | Still shipping. Pre-installed, in fact. |
| Oracle NetSuite | Default configurations that have exposed customer records at scale. | Still shipping. |
| Salesforce | The 2024–25 social-engineering campaigns that walked data out of live production orgs by the gigabyte. | Still shipping. As a way of life. |

Notice that column on the right. Every product below Fable on that list has been the actual vector in actual breaches, not some hypothetical. All of them. Fable was sold to help defenders and got recalled for it, despite it not even being usable. The software that poses actual danger just keeps shipping without any Treasury letter, without the Trump-telltale high-pressure UFC 90-minute clock.

If national security mattered, the list goes first and the defensive model is basically ignored. The order was exactly reversed with all the eyes on Anthropic. So the standard isn’t the standard because … it’s a lie.

This seems like an abuse thing, and that’s all. There’s nothing more to it. The one company that got pulled into an angry rant about safety is also the one already being bullied about its stance on American citizen rights against surveillance and autonomous weapons. The White House was apparently just waiting for a reason to be more abusive of Anthropic. The report is an empty excuse for Trump to punch down, to alert the world that American tech is within reach of his personal whim and abuse.

In completely unrelated news, which obviously has nothing at all to do with any of this, nothing, Jeff “Melania” Bezos just announced his new AI company.

AI Is Not a Fascist Artifact

Several people have asked what I thought when Jürgen Geuter, writing as tante, argued that AI is a fascist artifact.

He’s not saying AI is being deployed badly. He’s saying AI is inherently fascist. He places it in the category Langdon Winner reserved for technologies that demand a particular social order, the way the atom bomb demands a centralized command state. You cannot run that particular bomb democratically. In that sense, tante wants the model in the same classification.

I get it. I typically talk about minefields or cluster bombs as inhumane, and therefore a crime. If we can classify a weapon off limits, we can feel comfortable saying it crosses a bright line.

The problem for me is how his argument refutes itself.

He leans on Stafford Beer’s maxim that the purpose of a system is what it does. As such, tante reads the purpose of AI off its most disgusting and reprehensible deployments. Palantir, an overtly fascist company out to destroy democracy, markets its software as a weapon for kill decisions. Andreessen, an inhumane mockery of tech, demands the right to build without regulation while also demanding regulations that erase its critics. Image models infamously inherit the racism of the data scraped to train them. These deployments are all good examples of the bad, and they are reactionary.

The lean into Beer comes from tante saying he is an admirer. Beer built Project Cybersyn, a centralized computer system meant to coordinate the nationalized economy of Allende’s Chile.

Stafford Beer’s VSM (Viable System Model)

That’s interesting because it’s in a similar class to the bad examples above. Centralized computational coordination of an economy. By tante’s own logic a system is whatever it does, so Cybersyn was socialist because it served socialism. The politics are defined by the person in control and to what end they are aiming.

Record scratch.

This is the applied, contingent politics tante insists does not exist. He cannot endorse the principle that a system is what it does and condemn the model class as fascism in the same breath. That principle is what makes Cybersyn liberatory, and it puts the politics in the operator of the system.

Going back to Winner instead, we should separate two kinds of political technology. For example, when Robert Moses built overpasses so low that large buses carrying poor families could not reach the beach, that was politics by design.

Jones Beach was made inaccessible by bus due to the intentionally low overpasses, like this one. Source: Pin-Up

The bomb is different from the overpass. Its politics are in the functional necessity. In other words, the evidence tante uses is all about the overpass. The frontier vendors would concentrate power because of how it is financed and owned, not because a working model can only exist in a form that prevents poor families from going to the beach.

On that point, we have evidence of models that pass the test. Apertus, from ETH Zurich and EPFL, was pretrained from scratch on rights-clean data. Pleias built its models on the Common Corpus the same way. Run the weights locally through Ollama with no telemetry and no API, and the capability should be free of fascism. And this trend seems like common sense. The model does not need its lab, while the bomb always and still needs the state.

M28/M29 Davy Crockett entered service in May 1961. It fired an “atomic watermelon” with 20 tons of force up to 2.5 miles away, bad news for the operators.

What the bomb actually requires is not centralized command but a centralized means of production: a secret, capital-heavy, state-scale enrichment and weapons base. The Davy Crockett above makes the case clear. The Army handed the trigger to a three-man crew, the most decentralized nuclear launch ever fielded, and it still came out of Los Alamos and the Atomic Energy Commission. You can decentralize the distribution. You cannot decentralize production. Every warhead that has existed came out of that base.

The simple contradictions by tante make me wonder why he didn’t see them. He grants that oppressive tools can be turned against their makers. Ok, so they become good? But then he still tries to land the campaign to destroy AI. Destruction doesn’t follow from the premise that the tool is dual-use. If the politics is in the ownership and operation, the answer is to take ownership and operate another way: public compute, worker control over deployment. Destroy AI foolishly tries to name an enemy, which unfortunately could be the self.

The reactionary political economy of frontier AI is a real problem. The firms deserve the harshest criticism, especially Palantir. Calling the company fascist makes perfect sense to me, but their tools don’t carry the same labels. I’m no more likely to say an LLM has to be fascist than the rest of their compute infrastructure. And I say that because if you follow tante’s very broken and self-defeating logic, we start signaling that to build the alternative is forbidden if not impossible. And that’s simply not true.

The Amish refuse the public grid. The line to the utility is a tether to the outside world, and that relationship as dependence is what they reject. Electricity itself is fine. Build your own windmill, run it locally, and no one objects. The objection was never to electricity itself, which has no political stake. It was to the politics of someone else taking control.