For when rants trigger RCU stall detection

and my patience buffer overflows into /dev/null. The rants are technically supposed to be brief. And let’s be real, some system bugs deserve a full kernel panic’s worth of fury.

How security failures learned to sound reasonable

The most useful phrases in a modern security programme are the ones that cannot be argued with. “The platform gives us coverage.”, “We have visibility.”, “The tool supports MFA.” Each one is calm, professional, and technically defensible. Each one can also be doing something quietly different from what the room hears.

How the grammar works

Three small grammatical moves do most of the heavy lifting. The first is capability standing in for implementation: “The platform supports MFA”, “Defender has ransomware protection”, “Our firewall can do segmentation”. ...

May 3, 2026 · 5 min

How some ideas outlast their own evidence

Across many mature organisations, the same phrases seem to keep coming back, like “Aligned with best practice”, “The control is in place”, and “We followed the framework”. They survive failure. They survive scandal. They survive the people who used them last time. The question worth asking is perhaps not whether they are accurate, but why they are so robust. The usual explanations cover bureaucratic inertia, regulatory capture, and the well-documented limits of organisational learning. These are real, but they are not the most interesting part. The more interesting possibility is that these phrases are doing useful work. Just not the work they appear to be doing. ...

May 3, 2026 · 6 min

Is your threat model already behind?

Most organisations think they have a threat model. What they usually have is a historical artefact: a snapshot of how the environment looked on the day several people sat in a room with diagrams, coffee, and varying levels of optimism. The session happens. Assets are mapped. Threats are identified. Risks are scored. A document is produced. The document is reviewed, approved, uploaded somewhere nobody voluntarily visits, and occasionally resurrected during audits or post-incident archaeology. ...

May 2, 2026 · 5 min

The Dealer smiles?

We are told that world politics is a chess game. Grandmasters move pieces across a board, sacrificing pawns to protect kings, calculating six moves ahead. It is rational. It is elegant. It is, above all, knowable. This is a lie. After walking through the resource wars of Venezuela, Greenland, Iran, Ukraine, Russia and China, and after one reader finally lost patience and called a certain former president a “greedy twat”, a different metaphor emerged. Not chess. Not even regular poker. ...

May 1, 2026 · 11 min

Building an exit from capitalism

A boring, decades-long plan for getting out of capitalism without burning the village down

The two stories most often told about how to get past capitalism both fail in roughly the same way. The first is a Big Bang: revolutionary seizure of state power, redesign from above. The historical track record is grim. New rulers inherit the same coordination problems, the same resource constraints, and the same external threats, and tend to respond the way besieged regimes generally do, which involves rather more centralised violence than was originally promised. ...

April 30, 2026 · 14 min

The pipeline from Jerusalem to The Hague

How a piece of paper can become a parliamentary scandal?

Step one: NGO Monitor, a Jerusalem-based research institute, publishes a report. The report alleges that Hamas has infiltrated Dutch aid organisations operating in Gaza. The evidence is thin. One example involves a wastewater treatment project that also irrigated fruit trees. NGO Monitor suggested those fruit trees could well be used by fighters to hide behind. Apparently the dappled shade was the threat. ...

April 29, 2026 · 6 min

The Glasswing problem

On 7 April 2026, Anthropic announced two things at once. The first was a new frontier model called Claude Mythos Preview. The second was Project Glasswing, a coalition of twelve technology and finance companies that would receive controlled access to that model, with everyone else, including paying API customers, locked out indefinitely. The accompanying blog posts from Anthropic’s red team made a remarkable claim: Mythos Preview, given an isolated container and a vague prompt, had autonomously discovered thousands of zero-day vulnerabilities across “every major operating system and every major web browser”: a 27-year-old denial-of-service bug in OpenBSD’s TCP stack; a 17-year-old remote code execution flaw in FreeBSD’s NFS server, fully weaponised end-to-end; and a 16-year-old vulnerability in FFmpeg’s H.264 codec that had survived every fuzzer and every human reviewer to look at the code since 2010. In Mozilla Firefox alone, the model surfaced 271 zero-days, shipped as fixes in Firefox 150, the largest single batch of security fixes in the browser’s history. ...

April 25, 2026 · 15 min

When the browser looks back

LinkedIn loads JavaScript that probes for installed browser extensions — thousands of them, including competitors’ sales tools, grammar checkers, and religious or political plugins. LinkedIn acknowledges this, but frames it as anti-scraping and abuse prevention. The question is not whether extension detection happens. It is how the results are used and stored. So the situation is not “hidden conspiracy script discovered”; it is “known technique used aggressively enough that it has triggered class actions”. ...

April 17, 2026 · 3 min

Post-incident reviews that miss the point

This is not incompetence. It is the system behaving exactly as it did before, including in the room where the review takes place.

Describing the incident instead of explaining it

Most incident post-mortems or retrospectives reconstruct the sequence of events. What happened, in what order, and what could have been done differently. Useful, but shallow. The more important question is usually skipped: what had to be true about the organisation for this to happen at all? ...

April 7, 2026 · 4 min

Ghost hunting

Most organisations are aware of this. Very few act on it. The result is a detection posture that looks busy, looks measured, and quietly fails in the places that matter. This is where breaches tend to settle in and make themselves comfortable.

A library of yesterday’s attacks

Detection engineering is usually reactive. Something happens, a technique is identified, a rule is written. Over time this builds a library of detections that reflects what has already been seen, filtered through whatever incidents and intelligence happened to reach the team. ...

April 5, 2026 · 5 min