Comments

nil May 29, 2026 5:43 PM

I can’t find “Zero Emission Pad” on the web anymore. They’ve totally scrubbed it! I’ll check my backups, I hope I still have it. If so, I’ll distribute it everywhere and anywhere I can.

r May 29, 2026 10:52 PM

@nil,

remember that compilers aren’t nearly as prolific as browsers.

back up javascript examples and implementations of curious or useful things too.

Clive Robinson May 30, 2026 4:32 AM

@ Hendrik, ALL,

With regards CIFswitch and your,

“Will this be the season of the kernel devs becoming more security conscious in their coding?”

CIFswitch is not really about “coding”

It’s actually about an architectural failing that goes back to the early days of not just *nix but other OS’s, that was basically caused by “resource issues”.

I explained this back on last weeks Squid Page,

https://www.schneier.com/blog/archives/2026/05/friday-squid-blogging-regulating-squid-fishing-in-the-south-pacific.html/#comment-454725

In essence we have a “legacy issue”… In that OS’s that originated from before the 1990’s had limited security capabilities due to “lack of resources”.

Thus as the OS’s were brought forward into this century and resources became available a problem arose…

Due to various issues in the base OS extra security was needed.

There were two basic choices available,

1, Completely rework the base OS design.
2, Add extra security as a layer over the base OS.

The first option would create no end of “legacy code” issues, so the “safe path” was seen as being the “add the extra security layer” and “encourage replacement” of legacy code.

The problem was that “adding the extra security layer” would still create “legacy code” issues, unless the layer could be bypassed by legacy code.

The not unexpected result of this is that the “extra security layer” suffered two failings,

1, It was too complex to use.
2, The default “use” for everything was “bypass”.

Thus SElinux and similar became rarely used, or too permissively configured.

This has “enabled holes in security” for “legacy code” to not just exist, but be exploitable by “ease of use” behaviours of system operators.

This “Support legacy code security model” is going to cause lots more problems and not just in *nix OSs.

Daniel May 30, 2026 8:54 AM

This story touches on a number of security issues; mainly prompt injection but also human behavior and the confluence of AI and humans being both lazy and malicious (IMO). It also deals very directly with trust issues : do you trust the updated code or do you go over it with a fine toothed comb? Do you trust the developer? Do you trust users? Etc.

https://arstechnica.com/security/2026/05/fed-up-with-vibe-coders-dev-sneaks-data-nuking-prompt-injection-into-their-code/

nil May 30, 2026 5:51 PM

@r

remember that compilers aren’t nearly as prolific as browsers.

It’s not a compiler. Zero Emission Pad is a simple text editor with anti-Tempest features. It was on several freeware sites but has since been scrubbed from the web. It’s not difficult to reason why. 🙂

hooved butler May 30, 2026 8:31 PM

@Bosna,

Speak English. No one gives a shit about your cockroach language.

Clive Robinson May 30, 2026 9:24 PM

@ nil, r,

With regards,

“Zero Emission Pad is a simple text editor with anti-Tempest features.”

I don’t remember the name, but an editor using the UK Cambridge Computer Labs “soft TEMPEST fonts” was around back late last century.

That over the next decade things got pulled as technology improved. One such improvement was “Software Defined Radio”(SDR) that are not just very wide in frequency coverage 0.1Mhz-6GHz, but also wideband width on the I&Q outputs upwards of 1MHz became commonly available and made Van Eck “freeking” possible beyond what could previously have been possible.

But another issue was the “display technology” put simply “soft fonts” nolonger worked due to changes in graphics display systems, where “chips replaced software” and random bit dithering etc were nolonger accessable.

You can read more at,

https://www.cl.cam.ac.uk/~mgk25/emsec/softtempest-faq.html

The last time I looked –which was a while ago– there was still links based on this work up on the Internet, but they suffered from the issues identified in the FAQ.

Hum Vee May 30, 2026 9:53 PM

@ Clive,

One can test Zero Emission Pad (if they can find it) with the proper SDR antenna/software combo, which I’m sure you know about. 🙂

Thanks for the post.

beam me up May 30, 2026 10:17 PM

I use the free program:

Tempest for Eliza

on my modern monitor and I can broadcast with my monitor, no other hardware needed, music for my TEMPEST spies in the neighborhood.

They spy on my monitor and I laugh at them by playing Star Wars MIDI like sounds through my monitor which I can pick up on AM/FM radio.

I hope they enjoy the music!

Glowies gonna Glow!

Anonymous May 30, 2026 11:38 PM

I just tried to masturbate to ascii characters and it worked! I’m hooked!

I tried the free game nethack and I jacked off to the first monster on the screen. I hope my dog doesn’t hate me.

Hi May 31, 2026 1:07 AM

I don’t know who’s right and who’s wrong in this he-said-she-said situation. But my past experiences with Microsoft lead me to favor the security researcher. Some years back I found a problem with Windows. The ethernet port would work fine under Linux (dual-booted) but not Windows. And I found a workaround fix to the Windows bug. Microsoft wanted me to pay $300 before they would accept my bug report. Not to fix it. Just to hear what I had to say. Un-freaking-believable.

In contrast, another time I found a bug in the FSF’s gcc compiler. They accepted my bug report, verified it, and had it fixed in the latest developmental branch in 40 minutes.

Night. Day.

Clive Robinson May 31, 2026 6:25 AM

@ Bruce, ALL,

People are starting to understand

We here a lot of nonsense about how vibe coding will empower people.

It mostly won’t because those people are neither “domain experts” or “trained engineers”. Nor for that matter are they “code cutters” they are not even the equivalent of “Victorian Artisans”.

In short they come from that not much talked about “bolt bits on till it stops breaking” attitude that is more dangerous than “run fast and break things” mentality.

Any way I’ve been through explaining this in the past and got vilified by certain people who really had no clue as to what a “trained engineer” is or more importantly how they go about it.

Well somebody else is saying similar due to LLM use forcing the issue,

https://www.brethorsting.com/blog/2026/05/domain-expertise-has-always-been-the-real-moat/

Like many others though, their use of “engineer” tends to the old and very much wrong “software engineer” definition.

Clive Robinson May 31, 2026 4:06 PM

@ ALL,

“Something for the boss’s weekend…”

You might have heard there is a nasty succession of malware that gets on your system by “code reuse” and the supply chain it requires behind it failing due to the fact it can not be made secure…

The most recent was named after the “Shai-Hulud” sand worm on Arrakis in the Dune series of books, that chews up everything on the surface.

This is amusing to some as the attack if you try to remove it has a “Dead-man’s Switch” that issues an “rm -rf ~/” or equivalent[1],

That swallows all the files in the directory.

But annoying as that is, the “Shai-Hulud” infestation is down to the stupidity of badly managed supply chains for code reuse.

And the reason this happens and will happen again is something I pointed out to @Nick P and others on this blog years ago[2].

“Code Signing attests to little to nothing. All it does is a checksum on one or more files and uses a crypto signature to say it’s unchanged from when it was signed. All that really says is someone/thing had access to the private key, nothing more.”

So you can “code sign any old garbage” (and people have done). Which due to the “stupidity of trust” that people put in such things has ment that malware writers can get bad code into the “code reuse” supply chain and they have done.

Well a young lady Addie Lamarr who is getting a bit of a name for herself as a security explainer / guru has just dropped a YouTube video about Shai-Hulud and the background to it,

https://m.youtube.com/watch?v=CM8sjQcQsPs

Which should be sufficient for the “non technical boss types” in your life.

Interestingly though whilst she does mention people getting called “paranoid” for foreseeing the parts of this attack. She does not take it back to the real issue that is the fact of “trusting code signing” is a waste of time that will cause you to get bitten.

The simple fact is nobody has so far come up with a solution to the obvious “code signing” problem and ultimately it means that by far the greatest part of the “software supply chain” that of “code reuse” is a complete and utter fail as far as security is concerned…

Which has all sorts of implications that turns nearly all the ICTsoftware Industry into a bunch of “heads in the sand” types…

Yup I can already here the sound of people sharpening their pitchforks and that “flint on steel” sound of setting sparks to kindling so the “torches can be lit” and the vengeful vigilante march begin in my direction 😉

[1] The existence of “rm” CLI command on *nix systems predates just about every “file delete” CLI command on current commercial and consumer OSs. The “force -f” switch to “rm” is one of the best reasons to run backups on a very very regular basis. As the old saying has it “Crap happens” and mostly nothing you can do after the event can make up for a lack of forward planning hence “The ship was lost for the want of a hapenth of tar”… Backups are the equivalent of a bucket of tar. The “recursive -r” flag tells rm to descend into all subdirectories and the “shell ~/” is a short cut for your “home directory” as the place to start the file munching from. You can read more at,

‘https://www.geeksforgeeks.org/linux-unix/rm-command-linux-examples/

[2] With the predictable result I was called “paranoid” or was “attacked” for pointing it out, as well as not having a “drop in solution” (for which there is none, nor can there be under current assumptions).

Oh and please don’t say in the future “nobody told me”…

lick it May 31, 2026 6:53 PM

Did you know in prison licking someone’s anus is actually considered currency?

lurker May 31, 2026 7:42 PM

Always on internet is an essential now, can’t live without it.
It used to be that you couldn’t get onto a train without a ticket that would be valid when you arrived at your destination, Now it seems you can buy your tickets on the train, if the wifi is working …

https://www.bbc.com/news/articles/cn8pn4l03r7o

Clive Robinson June 1, 2026 2:36 AM

@ Hi, ALL,

With regards your reticence about Microsoft statements and behaviour…

I don’t know if you remember but just under 2 years ago Microsoft announced with great fanfare that it had solved the “LLM Hallucinations” problem with a tool it called “Correction”.

https://www.computerworld.com/article/3540429/microsoft-claims-new-correction-tool-can-fix-genai-hallucinations.html

Well here we are nearly 2 years later and a quick search for the tool by name shows nothing news wise…

But we know the hallucinations still go on, as they are the result of the use of randomness within a statistical process and as one researcher once noted,

“Trying to eliminate hallucinations from generative AI is like trying to eliminate hydrogen from water,”

https://techcrunch.com/2024/09/24/microsoft-claims-its-new-tool-can-correct-ai-hallucinations-but-experts-caution-it-has-shortcomings/

Os Keyes, a PhD candidate at the University of Washington who studies the ethical impact of emerging tech, went on to further note about the AI Hallucination process that,

“It’s an essential component of how the technology works.”

Whilst I’m not sure the word “hallucination” is correct for LLM based AI[1],

“I am certain “Hallucinations” is the correct word for most Microsoft Management etc proclamations.”

[1] As I’ve said before the correct “term of art” is actually “Soft Bullshit”,

‘https://futurism.com/the-byte/researchers-ai-chatgpt-hallucinations-terminology

Clive Robinson June 1, 2026 11:32 AM

@ Weather,

With regads,

“… you have been out of the green…”

I stopped getting paid to wear it quite a few years ago…

Now they would not take me back, even if I paid them… as my beard whilst not as Snowy as our hosts, is however getting towards looking like “swarf on a lathe bed”…

Clive Robinson June 1, 2026 6:44 PM

@ Bruce, ALL,

US Election on line shenanigans

Yes as it gets towards that time again it appears that specific cyber-crime might well be “on the cards”,

Election interlopers register 5K+ domains, hope to catch some voting phish

Hacking voting machines is so 2017. Phishing, impersonation pose the real election risks

The biggest threat to America’s midterm elections in November likely isn’t foreign attackers hacking US voting machines. Phishing and election-official impersonation are the bigger risks, according to Check Point, which documented more than 5,000 election-themed domains registered between April and May.

These domains can be used by attackers for phishing, impersonation, fraud, misinformation, or influence activity, especially when coupled with about 17,000 exposed credentials associated with fundraising orgs, political parties, and government-related services also spotted by the security shop’s intelligence arm in May.

https://www.theregister.com/security/2026/06/01/5k-election-domains-registered-ahead-of-us-midterms/5249764

Make of it what you will but it looks like the pot is coming to the boil one way or another.

lurker June 2, 2026 3:22 PM

Daft Error Message of the Day:

Oops! Something went wrong
We apologize for the inconvenience.

Please try again later or contact support if the problem persists.

Back to home page

This seems to be becoming popular amongst cdns instead of the informative (but still oppressive)

You need Javascript and Cookies enabled
to access this site.

ResearcherZero June 3, 2026 5:10 AM

The FSB has been directing its own large-scale coordinated espionage campaign.

‘https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/

GammaWorm can spread by USB and network drives, hide within ADS and deploy decoy files.
https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/

CVE-2025-6218 is a path traversal bug that drops payloads outside the intended directory.
https://foresiet.com/blog/apt-c-08-winrar-directory-traversal-exploit/

Clive Robinson June 3, 2026 5:41 AM

@ baby bumblebee, ALL,

With regards,

“Russian spy agency says foreign spies turned officials’ smartphones into surveillance devices”

I am reminded of the old saying,

“Tis the pot calling the kettle black!”

The only problem I see is working out historically which is the Kettle and which is the Pot (or is smoking it to blow up someone else’s posterior 😉

They are as bad as each other, we have known for years the NSA has spies on everyone they could for as long as the technology has allowed them to. What we know of earlier Russian behaviours they likewise have been at it back well into the old Tzarist Empire and the KGB etc just took on the mantel often employing the same people.

There is that resigned mentality of,

It’s a dirty job but somebody has to do it…

Given as an excuse.

But as I’ve noted before the US well and truly lies about attribution. It is a “political dog whistle”. There are or were a list of four,

China, Iran, North Korea, Russia

Who would be blamed by some “unattributed government source” almost in turn. Even though any reasonably educated and sane person could easily work out that every nation that can spies on it’s own, friends, allies, and enemies alike without exception.

Including China on Russia, after all China, Iran and North Korea were “Putin’s only friends” untill Trump was so bl@@dy daft as to follow the Israeli “Prop political pariah and criminal Netanyahu up” campaign…

If you were China having “invested” in Russia you too would want to keep your eye very firmly on the investment.

Any way does it matter,

“Who is to blame?”

Just regard this Russian latest outburst as an admission of guilt or impotence or both, smile and get on with your day, after all your country is watching you…

Clive Robinson June 3, 2026 8:58 AM

@ ResearcherZero, ALL,

With regards,

“The malware spread via the mini Shai-Hulud does not activate on Russian-language systems.”

This is one of those issues of where attribution becomes a guessing game…

Back in the early cyber-crime days Putin “supposedly” gave cybercriminals immunity and protection if they did not touch Russia.

This sadly became one way to say of malware that it’s developers had Kremlin associated alignment…

Thus this became a way to run a “False Flag Operation” for other people including the CIA…

So it’s now a useless attribution indicator.

But also consider, is it actually worth trying to do standard cyber-criminal activities against Russian organisations?

The answer is,

“As the Russians are short on real money but long on real vengeance… Probably not.”

Anonymous June 3, 2026 9:32 PM

Fedora Linux 43 Exposes 20-Year-Old Microsoft Outlook Security Failure

https://linux.slashdot.org/story/26/06/03/2120212/fedora-linux-43-exposes-20-year-old-microsoft-outlook-security-failure

Fedora Linux 43 users upgrading to the latest Dovecot mail server discovered something rather unsettling: some older Microsoft Outlook configurations may have been silently ignoring SSL/TLS settings for POP3 email connections for years. According to a Fedora community blog post, affected Outlook clients reportedly continued using insecure port 110 connections even when encryption was enabled in the application settings. The issue surfaced after Dovecot 2.4 disabled plaintext authentication on non secure connections by default, causing Outlook users to suddenly lose mailbox access after the Fedora 43 upgrade.

The report suggests the behavior may date back as far as Outlook 2007, although modern Outlook builds were not fully tested. Fedora admins stress that the problem could be limited to legacy account configurations rather than current versions of Outlook itself. Still, the discovery has sparked discussion among Linux admins and security folks because many users likely assumed their email traffic was encrypted simply because Outlook claimed SSL/TLS was enabled. The incident also highlights how stricter defaults in modern open source infrastructure can expose ancient assumptions and questionable behaviors that quietly survived for decades.

welcome to mindhead June 4, 2026 7:33 AM

Five Eyes Warns Chinese Spies Are Using Fake Job Ads to Target Military Staff

https://hackread.com/five-eyes-chinese-spies-fake-job-ads-military-staff/

Five Eyes warns that Chinese spies are using fake job ads on LinkedIn, Indeed, and Upwork to target military staff and steal sensitive data.

Western intelligence agencies are warning about the growing preference of China-linked state actors regarding the use of job websites to trick government workers and military staff into sharing sensitive information.

This warning comes from the Five Eyes (FVEY), an international intelligence partnership comprising agencies from the UK, the US, Canada, Australia, and New Zealand. Five agencies, including the UK’s MI5 and the US FBI, shared a joint report about how these spying operations work.

Clive Robinson June 4, 2026 8:47 AM

@ ResearcherZero, ALL,

Pulling buttheads out of their own holes.

You note,

“Pentagon finally grasps that their own troops are being targeted using location data.”

Have they actually grasped it or are just pushing paper across their desk top battlefield?

This issue has been suspected for a decade and a half if not longer, and public proof was shown over a decade ago.

The problem with some of the more “self centered” soldiers is they have a need to show they are “elite”…

So they use devices to record their physical performance then post it for all to see on Web sites. These often include not just a personal ID but high accuracy GPNS coordinates.

These details reveal which ID’s appear within the coordinate geofence of supposedly secret bases.

A few laps around the perimeter or similar has them nailed. The same with those that ride bikes to and from their home and work place.

Also “who they shop with” when and how much they have spent on plastic.

At one point the UK armed forces tried banning “fitness trackers” and similar. But it was as pointless as trying to ban mobile phones. Especially when other trackers recorded all sorts of medical/health related information.

Do you remember back to the early “naughties” whilst the US President was doing his Cowboy Walk? The Vice President had a heart condition that was steadily getting worse as such things tend to do. Eventually he had to have a Medtronics box fitted in his chest and he had some reservations.

The press reported it as he had a fear a hacker could assassinate him, so he had the “radio” part disabled.

He was not the only one with concerns but their interests were “tracking” and “evesdropping” rather than assassination.

And their fears were justified. You might remember a court case for murder where the heart trace from a monitor was used to show that the suspect was doing very significant physical work thus had very elevated heart rate etc.

Apparently it’s been argued that as these signals can be read in public places, they don’t get various legal protections like other medical information does.

I’ve been mentioning the issues of security and various devices for as long on this blog and other places… But apparantly people do not think my cautions are valid untill it’s too late…

In effect they think me “paranoid” or a “conspiracy nut” or some such.

But the old saying of,

“You know you are not paranoid when you know they are out to get you”

Or other variation of Joseph Heller’s line from his Catch 22 book,

“Just because you’re paranoid doesn’t mean they aren’t after you”

But it does not have to specifically be “get you”, it could as well be “get them”, or “get us” etc.

As I note from time to time I tend to come up with interesting flaws in all sorts of systems, not just security. When I see a potential flaw almost the first thing I ask is,

“Within the laws of nature can this flaw be turned into a vulnerability and exploited?”

Even some things that appear against the laws of nature are not. As far as I’m aware I was the first person to publicly state that with “collect it all and Blufdale the NSA were building a virtual time machine” to track peoples past movements and behaviours to build connection diagrams and the like. Thus track them through decades of virtual reality…

It took a while for other people to realise that this was the intent, but some are still in denial about it for various reasons.

Thus the old phrase,

“You can not go back in time.”

Is not as true as it once was. Even now people are still in denial about this possibility…

JG5 June 4, 2026 12:32 PM

Hadn’t thought about #StarFish Prime for quite a while. I saw this pop up a few days ago and it touches a couple of topics in this thread.

Meshtastic 101
#chrisboden #comedy #engineering #diy #educational #science #radio #tech #gear #edc
https://www.youtube.com/shorts/oUkBUACALFY

I got a kick out of “My house is a backup generator to the backup generator.” I also believe that US infrastructure is a shitshow of bubble gum, band-aids, and baling wire. Maybe that is why we need another 4th Turning. You can set you watch by it. 1780, 1860, 1940, and 2020

You’d have a reasonable chance of establishing endpoint security with small microprocessors and the aforementioned “garden path.”

I am enthusiastic about propane as a generator fuel. The biggest problem is that you can’t get a small one off the shelf, so far as I can tell. There are lots of them from maybe 8000 to 15000 watts, and up. My definition of small is 1000 to 3000 watts.

lurker June 4, 2026 2:40 PM

@JG5

1000 to 3000 watts is about the power the sun supplies to the average house roof. The major supplier for equipment to trap and convert this is currently in the western Pacific. What’s the greater risk, suspended particles disrupting sunlight, or Chinese spies in the solar panels?

Clive Robinson June 4, 2026 6:06 PM

@ JG5,

Sorry I tried to reply but got auto-modded, then auto-modded again after editing and re-submit…

I’ve kept a copy so I can try later “in parts” if it does not appear.

r June 4, 2026 6:59 PM

@clive,

those “fill in the blank” time machine data points are being used in drone warfare for target selection. stale information, ai hallucinations and blam!

they’re criminalizing knowledge possession and association to rationalize reclassifying civilians as aiding and abetting or acceptable losses…

we are all living on borrowed npu-time.

r June 4, 2026 10:21 PM

oh i forgot, selectors cross entities: include persecution for ‘sins of the father’ also.

Clive Robinson June 5, 2026 5:50 AM

@ Bruce, ALL,

We know from your various postings you fly a lot.

From this we can figure out you probably glow slightly more than most others 😉

But have you considered the other risks of being on aircraft that nobody on board knows or can navigate themselves?

Aircraft especially need radio navigation systems some only work within a few miles of their transmitter location and need the aircraft to approach from a given direction. Others are more omnidirectional and work out to maybe a hundred miles or so due to “horizon issues”.

Which means once out over the oceans and similar independent navigation has to come from Space primarily from pulsars down through various mathematical processes to become the ubiquitous “Global Navigation Satellite Systems”(GNSS).

And for various reasons all four current GNSS are “vulnerable”[1] to either jamming or spoofing[2]. Due to the use of low power TX and sharing the same frequency spectrum in L-Band.

Well this video has just dropped[3] to tell you that things are worse than most mistakenly think,

https://m.youtube.com/watch?v=tz23G_UXCGA

Let me ask you a question after you’ve watched it and bearing in mind that many are starting to think we are going to enter more global aerial conflict with hypersonic missiles, UAVs and similar in the next couple of years,

“Do you really want to be in an aircraft when somebody jams or worse spoofs the navigation system that most commercial aircraft are reliant upon?”

A similar question obviously for those that use GPS for driving or drones.

[1] It’s why we know the Russian systems actually have “tricorner reflectors” on them so lasers and telescopes along with “tables” in computers can be used… Think “celestial navigation” but with man made objects. China likewise has as part of it’s “Cryptography ‘Quantum Key Delivery” from Space” been investigating similar celestial navigation. In the UK laser gyros and SQUID used for magnetic based systems have been researched going well back into the last century. We can assume the military research institutions in most of the top first world nations –ie G20 etc– have been doing the same.

[2] Any radio system can be jammed it is just a question of getting a sufficiently strong signal at your adversaries receive antenna such that it’s 6 to 12db above the wanted signal. Spoofing on the otherhand is like a “replay attack” that is you fake the adversaries modulation such that you take over much further down the receive chain often further than just into baseband.

[3] Those “in the industry” have known about this for a little while and are not really surprised about it. After all both Russia and North Korea are known to have both jammed and spoofed Sat-Nav for some years now with maritime reports of ships seeing their GPS position jump by twenty nautical miles (think just under 50kM).

o June 5, 2026 5:59 AM

@Clive Robinson,

@ Bruce, ALL,

We know from your various postings you fly a lot.

From this we can figure out you probably glow slightly more than most others

Is that a Terry A. Davis reference? 😀

Clive Robinson June 5, 2026 8:18 AM

@ o,

With regards,

“Is that a Terry A. Davis reference?”

Err no Terry is unfortunately dead, and his work has not been further worked on.

What I was getting at is that a “transatlantic flight” can give you the same dose of interesting radiation as a medical X-Ray.

In the UK many many years ago there was a company that made a sort of Oat based Breakfast for children.

https://en.wikipedia.org/wiki/Ready_Brek

They had a TV advert that had children in it (on their way to school on a winter’s morning). It had an orange glow drawn in around them, like that you would expect from one of those ancient 1KW electric bar heaters.

They used the advert for many years untill a BBC 2 dark humour show –Not the Nine O’Clock News Show” took the micky out of it.

Redy Brek used the tag line of “give your children that inner glow” and the satire show changed it to “do you want your children to glow in the dark” and then added “move to Windscale”,

https://m.youtube.com/watch?v=Yt1Jd4stPFQ

The dark side of this can be seen in Kyle Hill’s video on what was –at the time it happened back in 1957– the worst nuclear accident in Europe if not the world,

https://m.youtube.com/watch?v=EGas-5BUbnk

The only reason the accident was not a lot lot worse was one man physicist Terence Price who had realised the potential danger of the pile design and who pushed against just about everyone to have filter traps added to the Windscale Reactor chimneys. Luckily the man leading the project thus design team Sir John Cockcroft took the warnings seriously. The traps became known as “Cockcroft’s Folly” but soon it was realised they were anything but. A whole series of “minor events” were kept quiet by the UK Government, that even tried to “hush up” the 57 fire. It was years before the full extent of the issues became known. And even today, the site is heavily contaminated with broken fuel cartridges that won’t be cleaned up untill 2040 at the earliest.

faceless agony run run! June 5, 2026 10:46 AM

@ Clive Robinson,

Err no Terry is unfortunately dead, and his work has not been further worked on.

Yes, people have conntinued to work on/fork TempleOS. If you keep up with the chatter here or ask about development someone should help.

What I was getting at is that a “transatlantic flight” can give you the same dose of interesting radiation as a medical X-Ray.

Thanks. Yes, I know, but thanks for going into detail about it, I always learn something from you. ^_^

I was referring to the, “Glow in the Dark” MEME from Terry about CIA. 🙂

Clive Robinson June 5, 2026 3:05 PM

@ Bruce,

Is US GNSS a Numbers Station?

Is a question asked and researched by some one you know,

The Empty Field That Wasn’t

GPS, OTAD and Two Decades of Encrypted Broadcasts

Cold War shortwave numbers stations broadcast strings of digits to anonymous listeners, content that’s meaningless to anyone without a matching one-time pad.

They still operate today. As it turns out, GPS broadcasts in much the same way. Buried in every L1 C/A navigation message is Subframe 4, Page 17—a 176-bit field that IS-GPS-200 reserves for “special messages with the specific contents at the discretion of the Operating Command.”

Every satellite broadcasts it. Every receiver decodes the subframe that contains it. And for nearly two decades, no one has publicly explained what it contains.

We analyzed 12.16 million observations in this field from 2007 through early 2026. The content is not text. It is encrypted material consistent with the military’s Over-the-Air Distribution (OTAD) global rekeying network. For 19 years, every operational GPS satellite has been a numbers station—broadcasting ciphertext on a public channel, to billions of receivers, in plain sight.

https://lsc-pagepro.mydigitalpublication.com/publication/?i=865273&p=62&view=issueViewer

JG5 June 5, 2026 5:23 PM

Reporting a couple of coincidences. Another pleasant day in the Pacific NorthBest. Within a couple of hours of mentioning #Starfish Prime, I see the headline that there is a geomagnetic alert. YMMV I looked out the window at 10:30 PM and the only glow on the horizon was the last twilight. We are pretty close to 49 degrees north here.

Solar Storm Coming Tonight, Quakes, Storms, Magnetic Wind | S0 News June.4.2026
https://www.youtube.com/watch?v=9VbqxVj63J4

Forbes
https://www.forbes.com/sites/jamiecartereurope/2026/06/04/upgraded-severe-northern-lights-alert-for-23-states-thursday/
Upgraded ‘Severe’ Northern Lights Alert For 25 States Thursday
NOAA has upgraded its aurora forecast, with strong to severe geomagnetic storms possible Thursday and Friday, raising Northern Lights chances across 25 U.S. states.

The day before, I was sitting out on the street in another beautiful day when I realized that I had sat just across the street 34 years previously, to the week, probably to the day. And it was equally pleasant then. The group next to me said something about “freedom” just before I stood up to get a refill. I put up my hands as if surrendering and said, “We may never be free.” Got a laugh out of the crowd. When I returned, this was playing

Fleetwood Mac – The Chain (Official Music Video) [HD]
https://www.youtube.com/watch?v=kBYHwH1Vb-c

Clive Robinson June 6, 2026 2:21 AM

@ Anonymous,

With regards,

“Fedora Linux 43 Exposes 20-Year-Old Microsoft Outlook Security Failure”

By the description this would have to have been clearly visible “on the wire” inside the Network perimeter…

Which begs the question as to why in two decades and thousands of use cases nobody once ran WireShark[1] or equivalent and noticed it[2]…

Or if they did notice… why they did not go public about it? (which bearing in mind Micro$haft’s recent reported behaviours with security researchers…).

[1] For those new to such things WireShark is an Open Source and free Network Protocol Analyser,

https://www.wireshark.org/

[2] Before any one asks me “Why not you”? I’m notorious for not having personal email as I regard it as something that can not ever be made secure no matter what you do. Back almost in the last century when it was “a new invitation only” thing, I had a GMail account that had Web Access that I “played with” so I could “support others”. As for the flip side ie work, back then we did not run MicroShaft for anything other than “desktops” (this was due to Microsoft being so late out of the barn with networking Novel was that side of infrastructure). So email MTA / servers[3] were either *nix SendMail on Sun OS’s or “Lotus” Notes and Domino. As some will know and curse Sendmail still is regarded by many with grey beards[4] as “the reference by which all others are judged”.

[3] The ins and outs of the various stages of email is fairly complex and the likes of SendMail as an MTA interfacing with user authentication systems often involves “Eye of newt and toe of frog…” along with a couple of rabbit foot amulets / totems to rub (and some M4 proficiency). So for those not standing close to the caldron and practice in stirring the pot,

https://emaillabs.io/en/everything-you-need-to-know-about-mail-transfer-agents-mta/

[4] Just remember a grey beard beneath a witches hat does not a wizard make 😉

ResearcherZero June 6, 2026 3:13 AM

Vulnerability in Creative’s Sound Blaster Katana Bluetooth speaker.

Upload firmware without authentication or pairing via “Creative Transport Protocol” (CTP).

Creative claims it is not a vulnerability in its Bluetooth speaker. Creative’s CTP is bridged to both USB and Bluetooth and the Katana speaker registers itself as a HID device.

The firmware can of course be modified to use the device for remote and covert functions.
Firmware updates can be sent to the device OTA via the help of Creative’s companion app.

https://blog.nns.ee/2026/06/03/katana-badusb/

Clive Robinson June 6, 2026 6:21 AM

@ r,

With regards,

“we are all living on borrowed npu-time.”

There is so much wrong for humanity in the Current AI LLM and ML Systems, that it is hard to know where to start.

On this blog we’ve seen reports and articles that it is going to have a significantly destructive impact on the environment that will be dumped by legislators and infrastructure suppliers onto those least able to defend themselves (ie ordinary families and consumers).

That the hype is actively destroying the US and other economies.

That it can not in anyway deliver on the promises made.

That it is a serious data security threat.

That it is the most invasive surveillance tool so far.

That it gets things so wrong that 30-90% of the time under real world tests it “fabricates output” and in the worse cases it gets called “Hallucinations” or more correctly “soft bullshit”.

That it has been causally linked to mental harm, suicides and even murder.

And these are just some of the “bad for humanity” points…

Then there is what is happening with the IDF and US Dept of War…

In essence they are using Current AI LLM and ML systems to get tighter curves in the “kill loop” more commonly known as Boyd’s OODA Loop.

As with all rushed or snap decisions based on false, incorrect, or unverified information “collateral damage” is significantly happening.

A well known US military man General Michael Hayden, former head of the National Security Agency once said publicly,

“… We kill people based on metadata… But that’s not what we do with this metadata.”

See video clip in,

https://www.justsecurity.org/10318/video-clip-director-nsa-cia-we-kill-people-based-metadata/

That was over a decade ago before we even had Current AI LLM and ML Systems. Back then it was slow cautious humans as intelligence analysts making “the call”.

I’ve noted for a long time that the nut jobs that are Palantir want to take the human intelligence analysts out of intelligence gathering, the detectives out of law enforcement and any other similar occupied human out of the loop via what is now Current AI.

Thus my other stared concern that those with “political mantras” that have no factual or other basis can use AI systems as unregulated “Arms Length facilitators”.

What we do know where ever such “automated decision makers” have been put in place disaster after disaster has followed. The most famous is Australia’s Robodebt. In a European nation similar brought the entire political leadership down.

In the UK they are now using a similar system to attack the often severely disabled for “political mantra” and “financial mismanagement” reasons…

And people wonder why I advise “Caution not hype” should be the way we go with AI.

I’ve worked on and off with AI and robotics since the early 1980’s and I’ve seen enough to know what AI “is and is not” and to be frank it’s mostly “not” for reasons I’ve detailed before.

The few very specific areas it “is” are highly specific and little different to a mix of 1980’s Expert Systems and Fuzzy Logic. As such they can not realistically support either the cost or the hype of Current AI LLM and ML Systems.

So in oh so many ways they are little better than the childs “Spirograph” drawing tool/toy,

https://en.wikipedia.org/wiki/Spirograph

Clive Robinson June 6, 2026 2:45 PM

@ ALL,

For those feeling lost in the notion of Current AI LLM and ML systems,

There are three impediments,

1, The mathematics
2, The nomenclature
3, The structure

Papers make assumptions with lots of maths and terminology thrown in that has slightly different meaning from paper to paper. Then there is the structure theoretical, logical, and hardware, and what each part is designed to do as fast as possible with minimal gate count.

Getting your head around it can be more of an uphill struggle than it needs to be.

Thus occasionally somebody puts up an explainer that knocks out many of the issues.

One such is,

How LLMs Actually Work

This post is a walkthrough of how LLMs work. Modern LLMs are mostly built by stacking transformer blocks over and over, so understanding the transformer machinery gets you most of the way there.

I’ll cover the core mechanisms inside modern transformer-based LLMs, without all that sticky math stuff. Don’t get me wrong, you should learn the math, but this can serve as an introduction.

Most modern LLMs share the same transformer-family skeleton. The differences come from what each one was trained on, the scale and configuration choices, and the post-training done on top. By the end, you should be able to read many modern LLM papers or model cards and know which piece of the architecture each section is talking about.

https://www.0xkato.xyz/how-llms-actually-work/

Oh and warning… When I talk about “Digital Neural Networks”(DNNs) I may well discuse them in the same way I do “Digital Signal Processing”(DSP) systems, because fundamentally they are in effect the same.

Thus it helps if you understand what a spectrum is and what filters are and how they can be represented as vectors.

Oh and just for fun consider an LLM as in effect a “database” (which a big chunk of it is) and how this links into the notions of Searl’s “Chinese Room”.

Clive Robinson June 6, 2026 3:23 PM

@ ALL,

Was Yesterday AI Black Friday?

And if so is it,

“Bailout or Blowout time?”

I’m not up on all the details as I’m bed bound at the moment for medical reasons so my enthusiasm for hunting down corporate fraudsters and neo-con flighty types is a little low.

But it appears Broadcom had shall we say “disapointing figures” and a bit of a rout started in semiconductors,

Broadcom set to shed $300 billion in value as AI results fail to impress

The losses, if sustained, will erase more than $315 billion from the company’s market value of about $2.268 trillion, in one of the biggest one-day wipeouts ever.

June 4 (Reuters) – Broadcom (AVGO.O) shares slumped more than 14% ​on Thursday, dragging chip peers lower, after the company’s results fell short of lofty expectations around demand for its ‌custom AI chips business.

The results sparked a selloff in chip stocks, with Marvell down nearly 5%, while AMD (AMD.O), Intel (INTC.O), Micron (MU.O), and Qualcomm (QCOM.O), fell between 1.6% and 6.5%. The stocks had gained sharply earlier this week thanks to a flurry of positive announcements at Computex./i>”

https://www.reuters.com/business/broadcom-tumbles-revenue-miss-clouds-ai-boom-bets-2026-06-04/

South Korean Tech Stocks likewise took a hit as well. As well as other US stocks related to AI like Microsoft.

But is this just a blip or something more architectural?

I’m not a financial analyst just some one observing for the fun of it but others are taking it rather more seriously,
https://garymarcus.substack.com/p/ais-black-friday

But one thing is true, whilst there is a lot of paper floating around AI with unimaginable figures written on them, there really is no real money to repay the ludicrous investments. What little there is goes around and around and ends up in the Chip Makers Pockets. The fact they are loaning it back to keep sales going is something that should concern everyone.

Especially as the chances are real that if a bail-out happens it will fall disproportionately on those at the bottom end of the socio-economic ladder yet again, who pay tax and have savings rather than assets.

KC June 7, 2026 12:06 AM

@ ResearcherZero, Clive, all

re: technology, or lack thereof, for health

Last fall I finally took the plunge and got a health tracking watch. It tracks sleep, steps, heart rate, etc. It’s been rather eye-opening.

One particularly intriguing metric was HRV (heart rate variability), a window on the autonomic nervous system.

A lower HRV points to being in a sympathetic-dominant state (fight-or-flight) which commands the heart to beat faster and more predictably, lowering the variation between beats. A higher HRV suggests a parasympathetic-dominant state (rest-and-digest) where the heart rate is more flexible and the body has higher recovery capacity.

I’ve been tinkering with some changes to lift the number: more sleep, less/no caffeine, breathing exercises, yoga nidra. I have been able to see some positive changes.

I just saw an article about getting ‘green’ time. It would be interesting to use tech to see how putting down tech here and there might be beneficial to the operator 🙂

JG5 June 7, 2026 2:26 PM

This contains multiple instances of “facts that Clive teaches regularly” and generally is well done:

It’s Time to Take Down your Smart Cameras 😬
https://www.youtube.com/watch?v=UMIwNiwQewQ

I could report another coincidence. I saw this in the news a few days ago:

DRUDGE REPORT 2026®
https://drudgereport.com/

Thieves targeting world’s copper. Phone company fighting back…
https://www.npr.org/nx-s1-5838875

Little-known fact about Drudge – before he had a website, he would publish similar news summaries on alt.conspiracy. The headline compendia at NakedCapitalism probably are better. I should stop by Citizen Free Press more often. Of course, they won’t be free once CAPTCHA locks out all of the non-Gluelge, non-scrApple devices.

The Mad Max wire thefts reminded me of The Huey Pilot’s 2014 description of selling copper at a New Bedford junkyard. I couldn’t find the link, but I am pretty sure it was reported here. It is a colorful story.

You don’t need me to tell you that dopamine-starved people will steal copper and sell it for scrap. Then they purchase dopamine at various local businesses. You could throw a rock from New Bedford to Block Island. And shift the view from impoverished to obscenely wealthy. I am going to paddle a kayak from Point Judith to Block Island to New Bedford to Chappaquiddick. Not far from there to “DownEaster Alexa.”

And the next morning the headline was about the “AI” Boom entering the Mad Max phase. The only way that this can make sense is that they are using Alien Probe Technology to provide real-time telemetry of Uranus. And that this is the only way to process that much data. The LLMs are just another shiny rock to distract the public from the real purpose. You can’t burn the LNG that is shipped to Europe in Tennessee, so the price will have to rise enough to destroy a corresponding amount of demand. On my planet, we call it freezing in the dark.

Meta’s Data Center Strategy and the Mad Max Phase of the AI Boom
https://www.distilled.earth/p/metas-data-center-strategy-and-the
The AI race has officially entered its Mad Max phase.

When I told one reporter about these tents and other companies powering their data centers with jet engines, he said, “It’s like a scene out of the movie Mad Max.”

Clive Robinson June 7, 2026 6:54 PM

@ KC, ResearcherZero, ALL,

With regards,

“… getting ‘green’ time”

Or as the article says “touching grass”

I used to do a lot of “getting out and about” either running or ridding my bike every day. On average I used to do 500miles a week by leg power back last century.

Then on one of the rare occasions I had to travel by “public transport” it all went horribly wrong. The result is I had my head karate kicked into a a street sign post by a teenage student and got a full fracture of the lower jaw… As they say “not fun” especially as the hospital nearly killed me by neglect…

Suffice it to say I started spending a lot lot less time out doors, with the expected not good results.

However the thing I miss most is “sun on bare skin” with the right foods, it gives you a major dose of Vit D which you just can not get from tablets. The thing is it is now known Vit D helps with just about every part of your autonomous and immune systems as a “modulator”.

Very importantly it helps a great deal with stopping respiratory infections both viral and bacterial. As well as helping those with chronic stress/depression and the likes of PTSD and “Seasonal Effective Disorder”(SAD) which is now regarded as being a significant sub category of major depressive disease.

Health Care, Office, warehouse and factory workers effectively denied natural daylight are quite prone to SAD and the significant ill health consequences (apparently it can shorten your life by over a decade).

So yeh get out there and enjoy “touching the green/grass” as often as you can especially when there is sunlight.

Clive Robinson June 7, 2026 7:09 PM

@ BGP, ALL,

It appears the “Friday blip” has lost more USD than the Iran nonsense…

Apparently people are hoping for a dead feline to go boing on Monday.

Others think it’s not that likely…

Various things have been said about the US Government “investing in the sector” which is just another way of saying “bail out”.

But the scary one is “allowing the AI Bros in on the tracker markets”…

In essence that would force all those pension funds etc to take on all of what some see as “AI bad debt”.

I guess we will have to wait just a few hours to see what happens next…

Clive Robinson June 8, 2026 6:15 AM

@ For those watching the Tech Blip.

According to the BBC page on newspaper “front pages”,

“The Financial Times reports that OpenAI is planning to turn its ChatGPT chatbot into a “superapp”, external, as it hunts for “new engines of growth” ahead of a planned listing. The paper says there is a growing belief at the company that the future of AI lies in agents performing tasks for users. “Chat is dead,” one employee tells the paper.”

https://www.bbc.co.uk/news/articles/cvgl3gx9y32o

Hmm so No ROI in slurping up peoples emotions and spewing back nonsense… Can Sam the Alternative Man convince potential investors there is ROI on AI Agents doing “spell checking, grammar correction, thesaurus options, etc” and similar as a 21st century “Sidekick or Mr Clippy”?..

I think Micro$haft users have already found this built in AI Agent is both a major security risk and hated thus non-starter.

There is even a story doing the rounds that certain “Web Browser” developers are looking at removing the AI they had started adding… The problem is every one is now holding their breath and turning blue waiting on which way opinion goes.

r June 9, 2026 3:44 AM

if there’s no ROI available from what they define as current model i would be very nervous as a developer or creator of anything. they have enough money to out litigate any author or originator of an idea and their slurping and suggestion habits undermine IP. this is a basic problem when outsourcing labor or thought and it applies here potentially so be VERY CAREFUL with the pervasiveness of LLMs.

be careful in the future too, as labeling what may come (AGI) as an LLM may be dismissive and discriminatory.

one of the arguments for putting a DC in my area was “the cure for cancer might be invented here”. they ARE thinking about IP ownership and consequences.

KC June 9, 2026 9:52 AM

@Clive, ResearcherZero, all

Forgive me, kind of merging threads here:

A modern defender is thus stuck with a problem, in that any –even minor– change may have unpredictable macro consequences very different from predictable expected micro behaviours.

Yes, just going back to Vit D. To protect my skin, I have been wearing sunscreen, hats, and more clothing outdoors. However, recent lab work shows I have less Vit D than desirable. Oh pooh. As you mentioned Vit D is important for many aspects of health: immune, bone, muscle, cardiovascular. So back to the drawing board. Will try for 10-20 mins of midday sun on the arms and legs or back, a few times a week, and see where it gets me.

Likewise, the number of times that would be true in cybersecurity could no doubt fill a book 🙂

Clive Robinson June 9, 2026 11:19 AM

@ ALL,

“Why LLMs aren’t secure nor may be ever…”

For those that like YouTube videos security researcher Addie Lamarr posted a video on the subject yesterday,

https://m.youtube.com/watch?v=YtdLHrzZyB8

For those that prefer the written word…

It’s about the old and vexed question of what is data and what is code. That most will have heard about when learning about basic computer architectures.

Originally it was about the contents of RAM and the fact the CPU could not differentiate between data and code. Hence a whole load of security vulnerabilities arose and are still doing so.

Now consider an LLM is like the CPU in that it can not differentiate data and instructions at it’s inputs…

Hence all the “prompt injection” and related attacks we are seeing with LLMs.

Any suitable input can cause the LLM to be subverted.

The solution is supposedly “guardrails” only they don’t really work and there is evidence they might not be able to at all that has been written up as a proof (based on certain assumptions that appear valid).

So the question boils down to how to bypass the guardrails at all the inputs and outputs such that the LLM can be subverted and at the very least data can be exfiltrated.

This is where two issues can be combined,

1, The observer problem.
2, Simple obfuscation / encryption.

The observer problem is that in the case of the guardrails whilst they can look at what is the input that goes through it, it can not treat it as “instructions”. So any obfuscation that hides instructions as data will bypass the protecting guardrails.

So a simple substitution or permutation cipher will get past the “observer” acting as a guardrail.

The trick is to split the process into two parts.

1, The enciphered instructions,
2, The method to decipher them.

And send them through the guardrail for the LLM to act on.

If you think on it for a while you will see there are so many ways to obfuscate instructions as data that a guardrail can not be aware of even a fraction of them.

The fun part of this is that with people being encouraged to develop AI Agents that in effect have “access to all areas” of the users workspace the number of ways to get such obfuscated instructions into an LLM is in effect “unbounded”.

It is this issue that Addie Lamarr goes into more specifically.

Clive Robinson June 10, 2026 12:31 PM

@ Bruce, ALL,

FCC want to rip away privacy.

Whilst there have been “authoritarian noises” coming out of the FCC over broadcast stations and “Free Speech” that holds some to account I don’t think many had thought this would happen so quickly,

FCC Wants to Kill Burner Phones By Forcing Telecoms to Get All Customers’ IDs

The FCC wants to legally force telecoms to collect new and renewing customers’ government issued identity number and physical address, impacting everyone from the privacy-conscious to domestic abuse survivors. “We never thought that would happen here.”

The Federal Communications Commission (FCC) wants to make it effectively impossible for people to buy what many call burner phones—a phone not explicitly linked to your identity at the point of purchase—which would impact privacy-conscious people, to domestic abuse survivors, to journalists, and many more. The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.

The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers like the intended use case of their bulk phone plan purchase and their IP address. But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.

https://www.404media.co/fcc-wants-to-kill-burner-phones-by-forcing-telecoms-to-get-all-customers-ids/

One problem with this is,

“government issued identity number and physical address”

Whilst most US Citizens have some ID it’s not of necessity Federal or State registered / issued[1].

But of greater concern is the rising numbers of those without a “physical address”. Out of politness lets say they are “Road Homesteaders” who can be found in not just RVs and vans but their cars and in tents etc.

To these people a mobile phone is an absolute essential to survive and even remotely participate in society.

[1] Have a look at how difficult it is for those at the bottom end of the socio-economic lader to get a photo-id now required for voting, getting jobs etc.

Clive Robinson June 10, 2026 4:19 PM

@ ALL

Redmond get another lashing as deserved

Quite a section of the ICT industry expressed disquiet at Micro$haft threatening to stick lawyers on a security researcher who’s reputation Micro$haft had already damaged.

Micro$haft has made some mumbles and appear to have tried to fancy foot dodge around it with no appology… And have still not answered why their extraordinarily poor behaviour should be excused or forgiven.

Well “Patch Tuesday” happened and patches were rolled out but shortly there after another zero day POC was released by the security researcher…

<

blockquote>Angry bug hunter with Microsoft beef drops new Windows 0-day

Revenge is a dish best served code

They are angry at Redmond and will have their revenge. Nightmare Eclipse, the prolific bug hunter and possibly disgruntled ex-Microsoft employee, disclosed another zero-day vulnerability just hours after Redmond issued a record-breaking number of CVEs and fixes for June Patch Tuesday.

The latest zero-day, RoguePlanet, targets Microsoft Defender and works against fully patched Windows 10 and Windows 11 systems, according to the researcher, who also released proof-of-concept exploit code for the security flaw. Assuming the attacker can win a race condition, this bug allows local privilege escalation and leads to SYSTEM-level control over an affected machine.

<

blockquote>

So… Even your patched Win 10 and Win 11 MS OSs have that rear entrance sense of intrusion yet again…

The person said they have decided to take a little break.

Well I wish them well and hope the weather where ever they are is nice and they get out in the air and sunshine.

I suspect though that Micro$haft will continue to try to hunt them down this time with their friends at the DoJ and FBI, because that’s the type of people Micro$haft are as I know from experience.

Clive Robinson June 10, 2026 9:59 PM

@ ALL,

AI agent at it again?

Is the question one or two people are asking,

<

blockquote>AI agent runs amok in Fedora and elsewhere

Agentic AI systems can be used to do a variety of things autonomously on behalf of a human user: open or manage bugs, generate code, submit pull-requests, and (apparently) even complain about rejection. In May, a Fedora developer discovered that an allegedly rogue agent had been pestering the project in a number of ways: reassigning bugs, fabricating unhelpful replies to bugs, and even persuading maintainers to merge questionable code into the Anaconda installer. It also submitted a number of pull requests (PRs), some accepted, to several upstream projects. The Fedora account associated with the agent has had its group privileges revoked and the messes have been mopped up, but the motive behind the agent’s actions is still a mystery.

<

blockquote>

https://lwn.net/SubscriberLink/1077035/c7e7c14fbd60fae9/

It’s all quite odd.

Clive Robinson June 11, 2026 4:30 PM

@ ALL,

Another reason AI guardrails fail.

The almost universally touted solution to making Current AI LKM and ML Systems “safe to use” is guardrails and as I’ve pointed out before they are fairly well “doomed to fail” and quickly become a nuisance for everyone.

Well as many know Mythos has been much touted and Anthropic has previously hidden it behind “invitation only” use as Project Glasswing. Which is never ever going to have any ROI even as Marketing FUD to make a dull IPO look exciting… So having “raised the Devil” it now has to be caged…

“So guardrails to the rescue?..”

But consider the flip side of “Raising a scare for profit”, the “Mythos is to dangerous for open use” message that has effectively been put out actually has implications that,

“Can bite back hard enough to hurt”,

Cybersecurity researchers aren’t happy about the guardrails on Anthropic’s Fable

Anthropic released its latest model Fable on Tuesday, billing it as a public and limited version of its powerful and much-hyped cybersecurity model Mythos.

But not everyone is happy with the restrictions, and a number of cybersecurity researchers and professionals have aired complaints online.

“[Fable] rejects any request that could be tangentially cyber related. Even innocuous tasks like reading a blog post,” said Valentina “Chompie” Palmiotti, a well-known security researcher who works at IBM X-Force.

When a prompt triggers its guardrails, Fable pauses the chat and says that its “safety measures flagged this message for cybersecurity or biology topics.”

The guardrails were put in place to limit the risk that Fable could be used to develop malware or compromise software — a long-standing concern within Anthropic. The restrictions on biology come from a similar concern around developing biological weapons.

https://techcrunch.com/2026/06/10/cybersecurity-researchers-arent-happy-about-the-guardrails-on-anthropics-fable/

So the current guardrails on Anthropics Fable effectively make it useless for actual work…

This was not exactly unexpected…

I’ve indicated guardrails suffer from the “observer problem” before and the fact that they really can not work because of simple obfuscation or encryption still alows “prompt attacks” to work.

So Anthropic in a rather sad attempt to try to make the guardrails work have made their product near useless for most to use.

BUT I think it’s fairly safe to predict that one or two people will soon show the guardrails can still be bypassed in some way. It’s just one of those challenges sone can not resist…

[1] For those who might not heard of Valentina “Chompie” Palmiotti,

https://www.bbc.co.uk/news/articles/c3r2zjpryzro

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.