Category Archives: Security

Cloudflare Agents Week: Want Safety? Get Wirken

Cloudflare kicked off Agents Week with a blog post asking important questions about AI infrastructure: “which agent are you, who authorized you, and what are you allowed to do?”

Then they moved on to talk about isolates.

The Right Stuff

The Cloudflare post's core argument is that containers were built for one application to serve many users.

Of course they were. The efficiency of a shared "service" serving many users is as old as humanity itself. We don't ride the shared infrastructure of the Internet, enjoying its massive speed and efficiency gains, wishing we had laid our own dedicated fiber to every person we want to communicate with securely. History shows why.

“Sewer socialism” was a period that solved this mess, by developing literal shared sewer systems, fire departments, police stations, and telecommunications, saving America the embarrassment of “radical individualist” infrastructure disasters
Source: In These Times

The dozens of CISOs I met with last week were asking me how do we run more agents? And I certainly was not telling them to light up one user, one agent, one task. To put it another way, if a CISO asks me about how to scale hardware, I might say let’s talk about a hypervisor to run software-based virtual machines. If a CISO asked me how to scale software-based machines, I might say let’s talk about containers… and so the logic of “sewer socialism” in shared infrastructure lives on.

Cloudflare enters this context saying containers now are too heavy for agents. V8 isolates start in milliseconds, use megabytes instead of gigabytes, and cost orders of magnitude less per session. At the scale agents require, isolates win.

This is correct. Cloudflare is stating the obvious. They have the network. They have the edge. They are like the contractors who provide the cafeteria for your office. But a cafeteria is not a chef. And a chef operating in your building, reading all your email, accessing all your financial accounts, and talking to your coworkers, in fact needs more than a fast startup time to serve hot meals on time.

The Wrong Stuff

Cloudflare’s post reveals a gap, yet they aren’t talking about it directly. Today’s agent deployments are “fraught with risk: prompt injection, data exfiltration, unauthorized API access, opaque tool usage.”

CISOs feel huge pressure to open up “productivity” gains yet can’t sign off because a security model doesn’t exist yet. OpenClaw is one of the biggest design disasters in software history: a single golden key that doesn’t rotate and can be stolen without detection.

Cloudflare’s answer is to merge their developer platform with their zero trust platform. Two products, built for different audiences, being stitched together like a Frankenstein. That takes time. And, for those who forget the science-fiction warning, stitching is not the same as weaving.

The artificially over-hyped open-source agent platform, one that suddenly showed up with 341,000 GitHub stars and little evidence for why, consolidates access to every messaging channel behind a single static token in a single process. No channel isolation. No credential rotation. No audit trail. It’s an embarrassment to the word engineering, a complete absence of design and no sense of accountability.

Cloudflare is stepping in where they operate, at the infrastructure layer. The compute, the network, the edge. And then what sits between that infrastructure and the user’s actual data remains an open question.

That question has an easy answer.

Are Your Agents Wirken Yet?

Wirken is a secure, model-agnostic AI agent orchestration platform. It exists because the tools that run agents against your messaging channels and business data should be built to deserve that access.

The security is not slopped in or bolted on. It is designed with baselines in mind and enforced at compile time.

Every channel adapter runs in its own OS process. A Slack credential cannot touch a Telegram session. This is not a runtime permission check that can be bypassed. It is a Rust phantom type constraint. Cross-channel access is a compiler error. It does not run. It does not build.

Credentials live in an encrypted vault using XChaCha20-Poly1305 with OS keychain integration. They are scoped per channel and rotate. The secret type has no Display, no Debug, no Serialize, no Clone. It zeroes on drop. A credential cannot leak through logging, serialization, or accidental copy because the type system will not allow it.
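The two paragraphs above describe a constraint the compiler enforces rather than a check the runtime performs. As an added example, not Wirken's own code, here is the shape of that constraint in plain Rust using only the standard library. The marker types, `Secret`, `Session` and `authenticate` are names I chose for illustration, not the project's API. The channel is a phantom type parameter on both the credential and the session, so a mismatch is a type error; the secret type derives nothing, exposes its bytes only through a short-lived borrow, and overwrites its buffer with volatile writes when dropped.

```rust
use std::marker::PhantomData;
use std::sync::atomic::{compiler_fence, Ordering};

/// Zero-sized channel markers. They carry no data and exist only in the type system.
pub struct Slack;
pub struct Telegram;

pub trait Channel {
    const NAME: &'static str;
}
impl Channel for Slack { const NAME: &'static str = "slack"; }
impl Channel for Telegram { const NAME: &'static str = "telegram"; }

/// A secret bound to exactly one channel. It deliberately derives nothing:
/// no Clone, Debug, Display or Serialize, so it cannot be copied, logged
/// or serialized by accident. (Hypothetical type, not Wirken's.)
pub struct Secret<C: Channel> {
    bytes: Vec<u8>,
    _channel: PhantomData<C>,
}

impl<C: Channel> Secret<C> {
    pub fn new(bytes: Vec<u8>) -> Self {
        Secret { bytes, _channel: PhantomData }
    }
    /// The only way to read the secret: a borrow scoped to the closure, never an owned copy.
    pub fn expose<R>(&self, f: impl FnOnce(&[u8]) -> R) -> R {
        f(&self.bytes)
    }
}

/// Overwrite a buffer with zeros using volatile writes so the optimizer
/// cannot drop the "dead" stores, then fence so they are not reordered past the drop.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusive reference into `buf`.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

impl<C: Channel> Drop for Secret<C> {
    fn drop(&mut self) {
        zeroize(&mut self.bytes);
    }
}

/// A live session for one channel; the same phantom parameter ties it to the marker.
pub struct Session<C: Channel> {
    _channel: PhantomData<C>,
}
impl<C: Channel> Session<C> {
    pub fn new() -> Self { Session { _channel: PhantomData } }
}

/// Using a credential requires the session and the secret to agree on `C`.
/// There is no runtime branch to bypass; the wrong pairing has no valid type.
pub fn authenticate<C: Channel>(_session: &Session<C>, secret: &Secret<C>) -> String {
    let len = secret.expose(|b| b.len());
    format!("{}: authenticated ({} bytes)", C::NAME, len)
}

// Each of these is rejected at compile time, which is the whole point:
//   let slack_secret = Secret::<Slack>::new(vec![1u8; 16]);
//   authenticate(&Session::<Telegram>::new(), &slack_secret);
//       // error[E0308]: mismatched types: expected `Secret<Telegram>`, found `Secret<Slack>`
//   let copy = slack_secret.clone();   // error[E0599]: no method named `clone`
//   println!("{:?}", slack_secret);    // error[E0277]: `Secret<Slack>` doesn't implement `Debug`
```

The compile errors in the trailing comment are the test that matters here: a cross-channel call is not a failed permission check that shows up in a log, it is a build that never produced a binary. Zeroing on drop is best effort; it protects the heap buffer but not copies the OS may have made in swap or core dumps, which is what the vault and OS keychain integration described above are for.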

Every agent action is recorded in an append-only, SHA-256 hash-chained audit log before execution. Tamper with any entry and the chain breaks. Forward it to your SIEM. Hand it to your auditor. It is a complete, verifiable record of what every agent did, when, and with whose authorization.

Skills are signed with Ed25519. Unsigned code does not run. The skill registry is not a marketplace where 20% of entries are malicious. It is a supply chain with cryptographic verification.

The Cafeteria and the Chef

Cloudflare used a good analogy. A traditional application is like an industrial form of restaurant: fixed menu, optimized kitchen, high volume. An agent is a chef who asks what you want (chicken or shrimp), then improvises with whatever tools and ingredients the task requires.

Extend the analogy. The chef is in your office. You hand the chef keys to the entire building. The chef can open all your files, read all your communications, and assume your identity to send messages as you.

You want that chef to be fast with the meal. You also want to know which chef is in your building, who sent them, what they are allowed to touch, and a tamper-proof record of everything they did while they were there.

Cloudflare is building the high-speed kitchen. Fast counters, efficient burners, millisecond cleanup. Wirken is the system that makes sure that any chef you interact with is doing what that chef was authenticated and authorized to do. Different layers. Complementary.

What This Looks Like in Practice

Wirken ships as a single static Rust binary. No runtime dependencies. No Node.js. No container orchestrator. Install it, configure your channels and your model, and run it.

It is model-agnostic. Point it at Anthropic, Gemini, OpenAI, Ollama for local inference, or even Privatemode for confidential inference inside hardware enclaves. The orchestration layer does not care which model you use. The security guarantees are the same regardless.

It runs behind Cloudflare Tunnel today. Any self-hosted Wirken instance gets a public endpoint for webhook-based channel adapters without exposing ports. Cloudflare handles the network. Wirken handles the trust boundary.

It has nine channel adapters for a reference architecture: Telegram, Discord, Slack, Teams, Matrix, WhatsApp, Signal, Google Chat, iMessage. It comes with fifteen bundled skills (natively compatible with OpenClaw) and MCP server support.

Two Layers, One Stack

The shift to agents needs defense-in-depth. The compute layer that makes agents affordable at scale is coming faster than ever. Now an orchestration layer that makes agents safe to deploy is on the table.

Cloudflare asked great questions. Which agent are you, who authorized you, and what are you allowed to do?

The answer is here: github.com/gebruder/wirken

Mosquito Attack Path Analysis

Ugh. Any angler knows that a fish circling a lure is ready to bite. It is the most important moment in the sequence. It's not hesitation. It's the last check before commitment. A better lure doesn't make fish circle more when they already circle. You need the lure to shorten the circle, so that it passes the final inspection sooner.

With that in mind, a whole study just released about mosquito flight path analysis reads wrong to me.

Deciphering mosquito host-seeking behavior is essential to prevent disease transmission through mosquito capture and surveillance. Despite recent substantial progress, we still lack a comprehensive quantitative understanding of how visual and other sensory cues guide mosquitoes to their targets.

They built a model that predicts flight paths. What they should have built is a model that predicts target rejection. The circle is the authentication window. Every mosquito that circles and leaves is telling you exactly which credential your trap failed to present. CO2 got them to the door. The silhouette got them to slow down. Something in the final check bounced them.

Why?

That’s why the flight path geometry is the least interesting part of their own data. The interesting data is the authentication failure rate and what correlates with it.

Which mosquitoes completed the approach and which ones broke off? At what point in the circle? Facing which part of the target? That’s where the species-level targeting logic lives.

Maybe I need to fish less but the parallel goes further. Nobody studies the shape of a fish’s approach path to improve lure design. We study what makes a fish strike or turn away. The strike-to-rejection ratio is the metric. Everything else is circular.

Twenty million mosquito data points? That’s a lot of circles for nothing.

Palantir is Full of Karp: Humanities Protect Against His AI

Palantir has a serious problem. You can tell by the way their CEO Alex Karp just positioned AI as threatening humanities-trained workers and empowering vocational ones.

That’s exactly backwards. And it’s political. He’s trying to prevent people from pulling the curtain back on his mistakes.

Here’s one. Palantir will tell you they committed an extra-judicial assassination of the man in a purple hat at the crack of dawn. What they can’t tell you is that man was innocent and was wearing a white hat that simply reflected the purple hue of a rising sun.

True story. The humanities-trained analyst catches that. The machine doesn’t. The customer who’s been told humanities are for losers never even thinks to check.

AI is a text machine. It generates competent prose, summarizes arguments, produces passable analysis. Someone with weak humanities skills can now produce humanities-grade output with minimal effort. The floor rises. A trades worker who could never write a policy memo can now generate one. That’s genuine empowerment, and it flows toward exactly the people Karp claims to champion, pulling them toward humanities rather than away from it.

Meanwhile, the skilled knowledge workers whose value proposition was “I think clearly and write well” discover that the market price for clear thinking and good writing just collapsed. AI doesn’t do higher-order thought. And most knowledge work hasn’t been higher-order thought. It was competent pattern execution dressed up as expertise. AI exposes that gap brutally.

So the real disruption runs directly opposite to Karp’s pitch. The humanities-trained workers doing low-level routine cognitive labor lose. The vocationally-trained workers who adopt AI as a literacy tool gain. The technology is fundamentally a language democratizer because humanities become more important, not less.

But here’s what Karp will never say: the democratization only works when someone trains on how to evaluate what comes out.

Garbage Business

AI output without humanities judgment is fluent garbage. It reads smoothly. It sounds authoritative. It is, on average, very wrong in ways that require trained critical thinking to detect. The humanities aren’t threatened by AI. They’re the quality control layer. Editorial judgment, contextual reasoning, the ability to distinguish a coherent argument from a plausible-sounding one: these are the skills that make AI output worth anything at all.

By positioning humanities as the enemy of the working class, Karp ensures they never develop the critical framework to evaluate what AI gives them. They get the tool but not the judgment. Which means they need Palantir to be the judgment layer, with no accountability. That’s not a side effect. That’s the low quality product known as Palantir.

They will tell you to bomb thousands of high-value targets 24/7 and, when the fog clears, shrug at a closed strait and a triple-tapped school full of dead children.

Imagine a steam engine manufacturer who campaigns against thermodynamics education because physicists vote for the wrong party. The engine still runs. It just runs very badly, exploding and killing workers, and only the manufacturer knows why. They’ll sell you the fix instead of reducing the need for fixes.

The steam engine didn’t become transformative because miners got better at mining. It became transformative when social scientists understood labor, markets, thermodynamics, systems. The resistance to change came from mine owners who liked their workers poor, ignorant and dependent. Karp deflates and blocks the necessary science to make workers better. He actively degrades the input that makes his own technology functional, then positions himself as the indispensable intermediary. The cage is tracking workers and keeping them illiterate in the one discipline that would let them see the cage.

Radically Wrong

Thomas Impelluso writing in The Humanist catches the surface move: Karp promises working-class people economic power, delivers employment under total surveillance. He frames it as gender war, misogyny as bait, misandry as extraction. That’s radical politics as far as it goes. But the deeper tell is the specific target. Karp attacked humanities because they’re the disciplines that teach people to recognize that what he’s doing is wrong.

A working-class person with a strong humanities education is Palantir’s worst customer. Imagine someone who can read the output, spot the errors, question the framing, and ask who benefits. A working-class person told that humanities are for Democratic women because real skills don’t need higher education? That’s a cog who takes what the machine gives and is grateful because they don’t know better.

The technology democratizes language. Karp is selling a flawed engine, burning the manuals, and planning to get rich on cleaning up the disasters he creates.

Every authoritarian industrialist in history has done this. Krupp told German workers the socialists were their enemy, then worked them to death in his factories. Henry Ford told American workers the Jews were their problem, then fought unionization with private police. The structure is always the same: name an enemy that isn’t you, claim the workers as your people, extract their labor under your terms.

American autoworkers and their children in 1941 protest Ford’s relationship with Hitler. Source: Wayne State

Karp is doing Ford’s playbook with a PhD. The enemy is humanities-educated Democrats. The promise is economic restoration. The product is surveillance infrastructure that makes the workers more legible to management than any Pinkerton could have dreamed. Ford at least built something the workers could drive home. Karp builds something that drives them.

Why Women Invented Dice 12,000 Years Ago in America

A new paper in American Antiquity has just pushed the origin of dice back 6,000 years further than anyone expected. Robert Madden’s “Probability in the Pleistocene” identifies 659 prehistoric Native American dice across 57 archaeological sites spanning 12,000 years, from Late Pleistocene Folsom deposits in Wyoming, Colorado, and New Mexico all the way to the present. The earliest specimens predate the oldest known Old World dice by more than six millennia.

The paper gets attention for a probability angle. Ok, ancient Native Americans were generating controlled random outcomes and using the probabilistic regularities embedded in them thousands of years before Mesopotamia. I get it. That’s significant.

David Attenborough voice: but it’s not the most important finding in the paper.

The most important finding is buried at the end and never developed. Warren DeBoer’s analysis of 131 ethnographic accounts of Native American dice games, drawn from the historic and contact periods, found that 81% were played exclusively by women. Only 7% were played by men only. Madden notes this and moves on.

He shouldn’t have. The archaeological record preserves the dice far better than the players. Did this gendered pattern hold across all the years? That is an inference, projected backward by the same ethnographic analogy that Madden uses throughout the paper. A strong inference. It’s grounded in the same continuous cultural tradition, in the same geographic corridor, using the same artifact type. And nobody has proposed an alternative.

Randomness Solves a Problem

The paper’s strongest analytical move comes from Marshall Sahlins. In traditional societies, exchange is embedded in preexisting social relationships. You trade with people you already know, through channels structured by kinship, reciprocity, and obligation. Exchange, as Sahlins put it, “is usually a momentary episode in a continuous social relation.” If you have no relationship, you have no channel. If you have no channel, you cannot trade.

This creates a structural problem for anyone outside the dominant exchange networks. Many of the heaviest dice-using groups in Madden’s record, including Puebloan, Basketmaker, and Mandan cultures, were matrilineal. Women already controlled property, lineage, and household economies. But matrilineal authority stopped at the boundary of your own kinship system. On a territorial frontier, facing strangers from a different culture, your clan status meant nothing. Dice gave women an instrument for conducting exchange where their domestic authority had no jurisdiction.

The mechanism is simple. Two strangers sit down. They agree on stakes. They throw dice. The outcome is determined by chance. No prior relationship required. No hierarchical permission needed. No obligation structure to navigate. As James Woodburn observed of exchange among Hadza hunter-gatherers, “the transactions are neutralized and depersonalized by being passed through the game.”

Randomness is the enforcement mechanism. Equal conditions. Gerolamo Cardano, the sixteenth-century mathematician and gambler, articulated the principle:

the most fundamental principle of all in gambling is simply equal conditions.

You don’t need to trust the other player. You don’t need to know them. You need to trust the dice.

Protocol Not Play

Read the paper with this in mind and the picture changes entirely. Dice were far more than entertainment. They were a form of infrastructure.

Madden documents that dice appear at sites associated with 22 distinct cultural complexes over 12,000 years. Mobile hunter-gatherers, semisedentary groups, sedentary agriculturalists. Clovis, Folsom, Desert, McKean, Basketmaker, Fremont, Pueblo, Mandan. The practice crossed every linguistic, ethnic, and subsistence boundary in western North America. Gabriel Yanicki calls this:

a shared fluency of gambling games that transcends barriers of language and ethnicity.

That’s a protocol. A universally understood system for conducting fair exchange between parties who share nothing else. DeBoer found that gambling functioned as “an in-between or liminal activity” bringing together “people who were neither close friends nor complete strangers.” It operated on territorial frontiers and at large intertribal gatherings. It was, as Madden puts it, outward-directed.

What Women Built

If women were the primary operators of a 12,000-year-old fair exchange protocol that functioned beyond the reach of any group’s internal authority, the implications are far greater than the fizzle this paper ends with.

First, women were early innovators in applied probability. The law of large numbers guarantees that in a series of fair contests, wins and losses tend toward equal distribution over time. You don’t need to formalize this mathematically to rely on it operationally. You just need to play enough games to know that the system balances. Twelve thousand years of continuous practice suggests they knew.

Second, women built external exchange infrastructure. When internal exchange channels only governed members of your own kinship system and reciprocity networks, a system that bypasses those channels entirely, enforced by mathematics rather than social hierarchy, is an act of structural engineering. In matrilineal societies where women already controlled property and household economies, this wasn’t a workaround. It was an extension of existing domestic authority into intergroup space where that authority otherwise had no reach.

Third, the system was self-legitimating. Because the outcomes were visibly random, because anyone could see the dice fall, the fairness of the system required no external authority to validate it. No authority from either side needed to certify the transaction. The randomness did that work too.

Fourth, this explains the persistence. Cultural practices survive for 12,000 years because they confer adaptive advantage. A women-operated exchange protocol that enabled trade, information exchange, mate selection, and social integration across group boundaries without depending on controlled hierarchies would be enormously adaptive, particularly during periods of social disruption, migration, and contact between unfamiliar groups. The issue is that nobody’s internal authority structure governed intergroup encounters.

The Encoding

There’s a deeper layer here about what randomness does as a social technology.

In a deterministic system, outcomes reflect existing power. The person with more resources, more status, more connections wins the exchange. Determinism encodes hierarchy.

Randomness strips the encoding. It produces outcomes uncorrelated with prior status. Someone with nothing and someone with everything sit across from each other, and the dice level the playing field. That's not just fair exchange. That's a temporary dissolution of the social order, conducted under rules that both parties agreed to in advance and that neither can easily manipulate.

This worked as long as the conditions stayed equal. Robert Weiner’s study of gambling at Chaco Canyon shows what happened when they didn’t. At Chaco, gambling became a mechanism through which elites integrated diverse communities but also accumulated material wealth and established social inequality. Navajo oral traditions preserve the memory: a figure called Noqoìlpi, The Gambler, who enslaved people through dice. Equal conditions in a single game don’t prevent structural inequality across hundreds of games if one party can absorb losses indefinitely. The rich player keeps playing. The poor player goes home with nothing. What women built as a fair protocol, Chacoan elites captured and weaponized. The history of randomness, like the history of most technologies, includes the history of its expropriation.

This is why Madden’s aggregation hypothesis is so important. He argues that dice may serve as an archaeological “signature of aggregation,” marking sites where normally dispersed groups came together. If that’s right, and it probably is, and if the operators of the exchange system at these aggregations were overwhelmingly women, then women were the architects of intergroup social integration on the Great Plains for at least 12,000 years.

The randomness was more than incidental. It was the point. Randomness is the only mechanism that produces equal conditions without requiring pre-existing trust, relationship, or shared authority. Women found that mechanism, built a continental exchange system on it, and ran it for longer than any civilization in recorded history has lasted.

Madden plays it academically safe and calls for further study. That probably comes with the job. But this blog has no such constraints. Did ancient dice games have a gendered component? Sure, but we really should be asking whether the entire 12,000-year history of probability in the Americas was a women’s innovation. That means women were doing applied probability first, and men much later in the sixteenth century got credit for “inventing” it because they wrote that down in European languages.