<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://mendelevium.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://mendelevium.github.io/" rel="alternate" type="text/html" /><updated>2026-07-09T04:43:23+00:00</updated><id>https://mendelevium.github.io/feed.xml</id><title type="html">mendelevium.github.io</title><subtitle>A blog powered by GitBlog</subtitle><entry><title type="html">The Policy That Never Shipped</title><link href="https://mendelevium.github.io/the-policy-never-shipped/" rel="alternate" type="text/html" title="The Policy That Never Shipped" /><published>2026-07-09T00:00:00+00:00</published><updated>2026-07-09T00:00:00+00:00</updated><id>https://mendelevium.github.io/the-policy-never-shipped</id><content type="html" xml:base="https://mendelevium.github.io/the-policy-never-shipped/"><![CDATA[<p>A cautionary tale about shadow governance, AI, and the quiet weaponization of ambiguity</p>

<p>The following is an AI model depiction based on a true story. Names, timelines, and identifying details have been changed. If you lead security, IT, HR, or a startup — this one is for you.</p>

<hr />

<p>When Daniel took the security job at the AI startup, he thought he knew what he was walking into. He’d spent a decade in cybersecurity — incident response, compliance audits, the unglamorous plumbing of keeping companies out of the news. A startup building on AI wanting someone to think seriously about security? That sounded like a company that had its priorities straight.</p>

<p>His first assignment landed on his desk before his laptop finished enrolling in MDM: <em>review the AI policy.</em></p>

<p>The document was a time capsule. Outside counsel had drafted it back when Google’s AI was recommending a daily serving of small rocks and the internet’s idea of state-of-the-art was Will Smith fighting a bowl of spaghetti — the era when “hallucination” stopped being a medical term and became a line item on every legal team’s risk register. Some of it was common sense that would survive any era. Verify anything an AI produces before it ships. Disclose when work is entirely machine-generated. And the load-bearing rule, the one that actually mattered: never share business documents with an AI service that doesn’t have a zero-data-retention agreement in place.</p>

<p>Reasonable. Defensible. Also, in places, obsolete on arrival — written for a threat landscape that had already moved, by people whose job was to imagine liability, not workflow.</p>

<p>Here’s the detail that matters for everything that follows: <strong>the policy was never released.</strong> Never published, never signed, never acknowledged by a single employee. It existed the way a ghost exists — officially nowhere, effectively everywhere.</p>

<h2 id="testing-the-fence">Testing the fence</h2>

<p>Daniel did what any good security professional does with a control: he tested it. Not to break it — to understand it. Where were the edges? What did the policy actually permit, and did the organization’s behavior match?</p>

<p>So he worked at the boundary, deliberately and carefully, never once crossing the lines the document drew. He verified everything. He disclosed what needed disclosing. When he finally used an AI tool with an internal document, he did it by the book — a service with zero data retention, exactly the configuration the policy blessed. If the policy had been real, he was its model citizen. He was doing, in miniature, what a security team is supposed to do at the organizational level: red-team the rules before reality does.</p>

<p>What he hadn’t modeled was the environment the rules lived in.</p>

<p>The startup’s IT department had practices of its own — monitoring that was never disclosed, visibility that no one had consented to, an ethics posture best described as <em>don’t ask</em>. Somebody saw the document go into an AI tool. Nobody checked the retention settings, or the policy, or asked him a single question. The story that traveled was simpler and stickier: <em>the new security guy is feeding company documents to AI.</em></p>

<p>In a startup, a story like that doesn’t spread at the speed of email. It spreads at the speed of lunch.</p>

<h2 id="governance-by-rumor">Governance by rumor</h2>

<p>Within weeks, Daniel was the cautionary tale. The guy who “used AI inappropriately.” The guy who <em>got caught</em>. The jokes wrote themselves and kept getting told, and there was no forum to correct the record — because correcting it would have required someone to produce the policy he’d supposedly violated, and the policy didn’t officially exist. You cannot appeal a verdict issued by a whisper network. There’s no inbox for that.</p>

<p>And here’s the perverse part: <strong>it worked.</strong> Not for Daniel — for the company. Or so it seemed.</p>

<p>Watching what happened to him, people drew the rational conclusion: AI is radioactive here. Developers — the people with the most to gain — quietly stopped experimenting. The AI enthusiasts kept evangelizing, but enthusiasts don’t set culture; consequences do, and everyone had watched the consequences eat a security professional who’d followed rules more carefully than anyone else in the building.</p>

<p>The company had achieved perfect AI governance without ever publishing a policy. No slop shipped, because almost nothing AI-touched shipped at all. Leadership got containment for free, paid for entirely in one employee’s reputation.</p>

<p>What they’d actually built was a chilling effect wearing a compliance costume. And a chilling effect doesn’t invoice you monthly — it collects at the end.</p>

<h2 id="forty-days-in-the-desert">Forty days in the desert</h2>

<p>What followed was the long dry season. Months of it. No policy, no guidance, no water — just the memory of what had happened to the last person who drank.</p>

<p>Most people dried out. Developers above all. They hand-wrote what the rest of the industry was generating, reviewing, and shipping; they watched competitors compress weeks into days and told themselves it was discipline. Skills that should have been compounding sat idle. An <em>AI startup</em> was falling behind on AI, and the people falling behind fastest were the ones following the unwritten rules most faithfully.</p>

<p>But deserts are never as empty as they look. A few people thrived out there — quietly. They’d watched Daniel’s story closely enough to learn the real lesson, which was never <em>don’t use AI</em>. It was <em>don’t be seen</em>. So they used it on personal machines, on personal accounts, off the network, with none of the safeguards Daniel had bothered with — no zero-data-retention agreements, no verification discipline, no disclosure. Their output got faster and cleaner, and nobody asked why, because asking would have meant knowing. The company’s actual AI exposure didn’t drop during the drought. It went underground, where no control could reach it.</p>

<p>That’s the part leadership never saw on any dashboard: the crackdown-by-rumor hadn’t eliminated risky AI use. It had eliminated <em>visible, compliant</em> AI use — and selected for the invisible, uncontrolled kind. The desert didn’t kill the appetite. It just taught everyone left standing to hide the canteen.</p>

<p>Then a new model dropped — one of the mythic ones, the kind whose demos stop being funny and start being résumé-threatening. It didn’t eat rocks. It didn’t mangle spaghetti. It did in minutes what the naysayers had spent months insisting it never could. And just like that, the loudest voices in the desert went silent — because you can mock a machine that hallucinates, but not one that ships.</p>

<h2 id="the-reveal">The reveal</h2>

<p>Then one day, with no ceremony, a policy appeared. A watered-down descendant of the lawyer’s original — shorter, softer, strikingly permissive.</p>

<p>The reaction across the company was a collective <em>wait, what?</em> We can use AI with business documents? We can use it for <em>code?</em> Since when? The loudest internal critics of AI — people who had built minor identities around abstaining — were stunned into silence. The rules they’d been enforcing socially for years had never actually existed, and the rules that now existed permitted almost everything they’d been policing.</p>

<p>But the new policy carried a rider, and this is where the story stops being a comedy of errors and becomes something colder: everything done with AI would be monitored, logged, and analyzed. The same undisclosed surveillance apparatus that had produced Daniel’s trial-by-rumor was now official, formalized, and pointed at everyone. Adoption was permitted. It was also, from that moment, <em>evidence</em> — a record that could be read charitably or uncharitably depending on who was reading, and why, and what they needed it to say.</p>

<p>Which completes the trap. Don’t use AI, and you fall behind — measurably, visibly, in an industry that has stopped waiting. Use it, and you generate a perfect, permanent log of every judgment call you made, held by people who have already demonstrated exactly what they’ll do with ambiguous information about you.</p>

<p>Daniel followed the rules and lost. His colleagues avoided the rules and lost slower.</p>

<h2 id="what-actually-failed">What actually failed</h2>

<p>It’s tempting to file this as an AI story. It isn’t. Every failure in it is an old-fashioned security failure wearing new clothes.</p>

<p>An unpublished policy is not a policy — it’s a liability shield for the company and a landmine for employees, because people are accountable to rules they can see. Undisclosed monitoring isn’t a control either; it’s an insider threat run by the IT department, and the trust it burns never comes back at par. When an organization enforces norms through reputation instead of process, it hasn’t avoided governance — it has outsourced it to gossip, the least accurate audit mechanism ever devised. And a chilling effect will always look like successful risk management right up until the moment you check the scoreboard.</p>

<p>The moral Daniel’s friends took away was <em>you can’t win.</em> Understandable — from inside that company, you couldn’t.</p>

<p>But if you’re the one writing the policy, running IT, or leading the startup, the moral is different, and it’s actionable: <strong>your people are already operating under some AI policy — the only question is whether you wrote it, or the rumor mill did.</strong> Publish the real one. Disclose the monitoring. Say what’s allowed as loudly as what isn’t. Because the alternative isn’t control.</p>

<p>The alternative is Daniel — and a company that laughed at the one person who read the rules.</p>]]></content><author><name></name></author><summary type="html"><![CDATA[A cautionary tale about shadow governance, AI, and the quiet weaponization of ambiguity]]></summary></entry><entry><title type="html">The Identity Layer Nobody Asked For</title><link href="https://mendelevium.github.io/age-verification/" rel="alternate" type="text/html" title="The Identity Layer Nobody Asked For" /><published>2026-06-16T00:00:00+00:00</published><updated>2026-06-16T00:00:00+00:00</updated><id>https://mendelevium.github.io/age-verification</id><content type="html" xml:base="https://mendelevium.github.io/age-verification/"><![CDATA[<p>Why mandatory age verification makes children less safe, strips privacy from everyone, and builds surveillance infrastructure that will outlive the panic that created it</p>

<hr />

<p>In 2025, “prove you’re an adult” stopped being a checkbox and started becoming a protocol. The UK’s Online Safety Act crossed into hard enforcement on 25 July. Australia switched on a nationwide under-16 social-media ban on 10 December. Roughly half of US states now gate adult content behind ID checks. The EU is piloting an age-verification app, France has been pushing the issue for years, and Canada is working through its own cluster of bills. The framing is consistent everywhere: this is about protecting children.</p>

<p>The framing is also, on the evidence accumulated over the first year of real-world deployment, wrong about its central promise. The children these laws target are largely routing around them. The adults who were never the target are handing government IDs and biometric scans to third-party vendors with track records that range from mediocre to catastrophic. And underneath both failures, something more durable is being assembled: a general-purpose age-and-identity layer for the internet, normalized in the name of safety, that no one will dismantle once the moral urgency fades.</p>

<p>This is the argument I want to make as plainly as the evidence allows. Not that child safety is unimportant — it is the most important thing here — but that mandatory age verification is the wrong tool, that it fails on its own terms, that it imposes serious and asymmetric costs on the general population, and that better, less destructive alternatives already exist and are mostly being ignored.</p>

<hr />

<h2 id="what-the-laws-actually-require">What the laws actually require</h2>

<p>A quick map of the landscape, because the specifics matter and the rhetoric tends to flatten them.</p>

<p><strong>United Kingdom — Online Safety Act 2023.</strong> The Act received Royal Assent in October 2023. Services publishing their own pornographic content (Part 5) had to begin implementing “highly effective age assurance” from January 2025; user-to-user services hosting such content (Part 3) had to comply by 25 July 2025, with no grace period and no phased rollout. Acceptable methods include government-ID upload, credit-card checks, and AI facial age estimation. Penalties run to £18 million or 10% of global turnover, whichever is higher, plus business-disruption measures up to and including ISP-level blocking. The Act is explicitly extraterritorial — it binds any service with UK links regardless of where it is registered, which is why Ofcom’s enforcement action against 4chan is in scope at all. By February 2026, Ofcom had opened investigations into more than 90 services and issued its first half-dozen fines.</p>

<p><strong>Australia — Online Safety Amendment (Social Media Minimum Age) Act 2024.</strong> From 10 December 2025, platforms including Facebook, Instagram, TikTok, YouTube, Snapchat, Reddit, X, Threads, Twitch, and Kick must take “reasonable steps” to keep under-16s from holding accounts, on pain of fines up to AUD 49.5 million. Notably, the law bars <em>parents</em> from consenting their children back in, and imposes no penalty on the children or families themselves — the entire compliance burden sits on platforms.</p>

<p><strong>Canada — Safe Social Media Act.</strong> First stab was <strong>Bill S-210</strong>, the original “Act to restrict young persons’ online access to sexually explicit material,” which passed the Senate in 2023 and then stalled; <strong>Bill S-209</strong>, its reintroduced 2025 successor, now folding in age-estimation technologies and a narrower definition of explicit content, under Senate consideration into 2026; <strong>Bill C-63</strong>, the Online Harms Act, which died on the order paper at prorogation ahead of the 2025 election; and most recently <strong>Bill C-34</strong> (June 2026), which pairs a kids’ social-media ban with mandated age verification and new AI-chatbot rules. Whichever of these the original question meant, the analysis below applies — they share the same architecture and the same failure modes.</p>

<p><strong>United States.</strong> No federal mandate, but roughly half the states have enacted ID-based checks for adult content, which is why Pornhub now geoblocks several states outright rather than comply. California’s Digital Age Assurance Act (AB 1043) takes a different route — device-level signals — with a 2027 deadline that is already shaping Apple’s and Google’s roadmaps.</p>

<p>The throughline: a patchwork of overlapping, often extraterritorial mandates, converging on the same handful of verification techniques, with early-2027 deadlines acting as a forcing function for the whole industry to lock in technical approaches now.</p>

<hr />

<h2 id="argument-one-children-will-not-be-safer">Argument one: children will not be safer</h2>

<p>The promise is prevention. The evidence, one year in, is circumvention.</p>

<h3 id="the-instant-visible-workaround">The instant, visible workaround</h3>

<p>When the UK switched on enforcement, the response was immediate and measurable. Proton reported sustained daily VPN sign-up increases of 1,400–1,800% from UK users — levels the company said it normally associates with civil unrest. NordVPN reported a 1,000% spike. On enforcement day, half of the top ten free apps in the UK App Store were VPNs or identity tools. A VPN relocates your apparent location outside UK jurisdiction in about thirty seconds, and the technique is neither obscure nor expensive. By December 2025, the House of Lords was openly debating VPN circumvention — and, more damningly, child-safety group Childnet reported <em>increased</em> VPN use among children in the months after enforcement. The precise population the law was written to protect learned the workaround fastest.</p>

<h3 id="the-its-working-numbers-dont-show-what-they-claim">The “it’s working” numbers don’t show what they claim</h3>

<p>Australia’s government announced that platforms had removed roughly 4.7 million under-16 accounts within the first month and declared the policy a success. Account <em>removal</em> is not the same as access <em>prevention</em>, and the regulator’s own follow-up makes the gap explicit. The eSafety Commissioner’s first compliance report flagged “poor practices,” including platforms letting minors retry the same age-assurance method until they passed, and “insufficient measures” to stop new under-16 accounts from being created at all. Reporting three months in found that a large majority of children with pre-ban accounts still had access to at least one platform, with no discernible drop in harm complaints. Removing five million accounts is impressive theatre. It is not evidence that five million children lost access.</p>

<h3 id="the-bypass-toolkit-is-mature">The bypass toolkit is mature</h3>

<p>The 438-strong coalition of security and privacy researchers who signed the February 2026 open letter calling for a moratorium catalogued the bypass methods bluntly, because they aren’t speculative. Borrowed or purchased credentials — an older sibling’s verified account is the canonical example. Bought identities from the black markets that reliably spring up the moment age-gating creates demand. Props and AI tools, including deepfakes and AI-generated faces that defeat facial age estimation. And, repeatedly documented, <em>parents themselves</em> helping children circumvent the checks. The letter’s summary judgment is that lying about your age online is, and will remain, easy.</p>

<h3 id="deplatforming-pushes-kids-somewhere-worse">Deplatforming pushes kids somewhere worse</h3>

<p>This is the part that should worry child-safety advocates most, and it is the part the laws ignore.</p>

<p>Deplatforming doesn’t dissolve demand; it redirects it. When access to a mainstream, moderated, heavily-resourced platform is gated, determined users — including minors — migrate. They don’t migrate <em>up</em> to safer ground. They migrate to fringe sites, offshore services, and unregulated corners that escape the mandate precisely because they’re too small, too foreign, or too deliberately evasive to be in scope. Those are the environments with the weakest moderation, the worst CSAM controls, the most aggressive malware, and the most scams. A regime that successfully nudges a fourteen-year-old off a major platform’s age-gated front door and onto an unmoderated Telegram channel or a malware-laden free-porn mirror has not protected that child. It has degraded their safety while generating a compliance metric that says the opposite.</p>

<p>A countermeasure that the target population defeats in thirty seconds, that the regulator’s own audits show leaking, and that displaces risk toward less-safe venues is not a child-protection measure. It is a child-protection <em>gesture</em> — and gestures that feel like action are how genuinely harder problems get to be ignored.</p>

<hr />

<h2 id="argument-two-everyone-else-loses-privacy">Argument two: everyone else loses privacy</h2>

<p>Here is the asymmetry at the core of the design. The children mostly route around the wall. The adults — the entire non-target population — walk up to it and hand over identity documents. That trade would be questionable even if the verification infrastructure were secure. It is not.</p>

<h3 id="the-honeypot-problem-is-not-hypothetical">The honeypot problem is not hypothetical</h3>

<p>Every site that verifies age has to either collect sensitive data (an ID image, a biometric scan, a credit-card record) or trust a third party to do it. Either way, the mandate manufactures honeypots: concentrated stores of exactly the data identity thieves, stalkers, and extortionists want most, distributed across thousands of operators of wildly varying competence. You don’t get to choose the security posture of every adult site, dating app, and forum you’re now required to verify against. You just get to absorb the breach when one of them fails. And at internet scale, one of them always fails.</p>

<p>Two case studies from 2025 make the point concretely.</p>

<p><strong>Discord (October 2025).</strong> Discord disclosed that attackers had compromised a third-party customer-service vendor (5CA, based in the Netherlands) and exposed sensitive data for affected users — including roughly 70,000 government-ID images that users had submitted for age-related appeals. The attackers, a group identifying as the Scattered Lapsus$ Hunters, claimed a far larger haul (on the order of 1.5 TB) and used the access in an extortion attempt. The critical detail for policy: Discord itself wasn’t breached. <em>Its vendor was.</em> Mandatory verification doesn’t just expand the attack surface of the platforms you trust; it extends it through every subprocessor, support contractor, and “trusted” age-assurance partner those platforms quietly rely on — exactly the layer users can’t see and can’t audit.</p>

<p><strong>Tea (July 2025).</strong> Worth scoping precisely: Tea was an identity-verification case, not strictly age verification — a women’s dating-safety app that had required selfies and government IDs to register (a requirement it had already phased out). But it is the cleanest available illustration of where verification data ends up. An unsecured Firebase storage bucket exposed roughly 72,000 images, including about 13,000 selfies and photo IDs. The cache was discovered and dumped on 4chan, and within hours the leaked driver’s licenses and image metadata were being assembled into a <em>searchable map of users’ locations</em>. An app sold as a safety tool became a doxxing engine. The lesson transfers directly: the data you surrender to prove who you are becomes, at the moment of breach, a precision instrument for harming you.</p>

<p>The pattern beneath both: the verification step doesn’t merely risk <em>a</em> breach, it changes the <em>character</em> of breaches. A leaked password is a nuisance you can rotate. A leaked passport, bound to your face and your home location, is permanent and unrotatable. Age-mandate breaches convert recoverable incidents into irreversible ones.</p>

<h3 id="we-dont-retain-the-data-is-a-promise-not-a-control">“We don’t retain the data” is a promise, not a control</h3>

<p>Vendors and platforms routinely assure users that IDs aren’t stored or linked to accounts — Discord and others say exactly this. Those commitments may be sincere. But users have no independent visibility into whether they hold, no way to verify deletion, and no recourse when a subprocessor two hops down the chain logs what it promised to discard. “Trust us, it’s ephemeral” is not a security architecture. It’s a marketing claim with the durability of the next breach disclosure.</p>

<h3 id="the-experts-are-not-equivocating">The experts are not equivocating</h3>

<p>The February 2026 moratorium letter — 438 researchers across 32 countries — did not hedge. Its core finding is that no existing age-verification system can reliably confirm a user’s age <em>without</em> simultaneously collecting sensitive data that becomes a liability, and that there is no scientific evidence these controls improve child safety. NIST’s repeated documentation of demographic bias in facial-recognition and age-estimation systems — worse error rates for people of color and for transgender individuals — sits underneath the privacy objection as a second, independent failure: the “privacy-preserving” biometric option is also the discriminatory one.</p>

<hr />

<h2 id="the-unintended-side-effects-catalogued">The unintended side effects, catalogued</h2>

<p>Even granting good intentions, a policy should be judged by its full consequence set. Here is the ledger that the “protect the children” framing tends to leave off the page.</p>

<table>
  <thead>
    <tr>
      <th>Side effect</th>
      <th>Mechanism</th>
      <th>Who absorbs it</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><strong>A permanent identity layer</strong></td>
      <td>Verification infrastructure, once built and mandated, doesn’t get removed when the panic recedes. The EFF calls age “the first identity attribute to be widely deployed within the operational architecture of the internet.”</td>
      <td>Everyone, indefinitely</td>
    </tr>
    <tr>
      <td><strong>Scope creep</strong></td>
      <td>Laws written for pornography expand to social media, search, AI tools, and user-to-user services. Wikipedia was pulled toward “Category 1” obligations under the UK Act and lost its High Court challenge in August 2025.</td>
      <td>Lawful platforms and their users</td>
    </tr>
    <tr>
      <td><strong>Death of the small web</strong></td>
      <td>Vague, broad “user-to-user” definitions impose compliance costs that hobbyist forums and niche communities can’t bear. UK operators have shut down community sites rather than risk liability.</td>
      <td>Independent and community sites</td>
    </tr>
    <tr>
      <td><strong>Migration to fringe platforms</strong></td>
      <td>Deplatforming redirects users to unregulated services with weaker safety controls and more malware.</td>
      <td>Minors and adults alike</td>
    </tr>
    <tr>
      <td><strong>Exclusion and inequality</strong></td>
      <td>Verification presumes a government ID and a supported smartphone. People without either — disproportionately the marginalized — get locked out of lawful services.</td>
      <td>The already-excluded</td>
    </tr>
    <tr>
      <td><strong>Biometric bias</strong></td>
      <td>Facial age estimation misfires along demographic lines (NIST).</td>
      <td>People of color, trans people, the misjudged</td>
    </tr>
    <tr>
      <td><strong>Market concentration</strong></td>
      <td>OS-level age signals route control to Apple and Google, entrenching their gatekeeping over distribution <em>and</em> identity.</td>
      <td>Developers, competitors, the open web</td>
    </tr>
    <tr>
      <td><strong>Normalized circumvention</strong></td>
      <td>Mass VPN adoption and credential black markets become routine, eroding the norm that you don’t route around the law.</td>
      <td>The broader security culture</td>
    </tr>
    <tr>
      <td><strong>Chilling effects</strong></td>
      <td>Requiring ID to read lawful content deters lawful access to it — health information, LGBTQ resources, political speech.</td>
      <td>Anyone seeking sensitive but legal material</td>
    </tr>
  </tbody>
</table>

<p>That last cluster deserves emphasis. “You must show ID to enter” changes behaviour around lawful content the same way it does in physical space — people self-censor, avoid, and stay away from things they have every right to access, because the act of proving identity to reach them feels like surveillance. It is surveillance. The chilling effect isn’t a bug to be tuned out; it’s an inherent property of putting an identity checkpoint in front of speech.</p>

<hr />

<h2 id="what-actually-works-better">What actually works better</h2>

<p>The strongest objection to critics of age verification is fair: <em>fine, but children really are encountering harmful content, so what’s your alternative?</em> The honest answer is that better tools exist, several are already deployed, and most have a fraction of the privacy cost. None is perfect. All are less destructive than per-site ID collection.</p>

<h3 id="1-device--and-os-level-age-signals">1. Device- and OS-level age signals</h3>

<p>Instead of every website running its own ID check, the age determination happens once, at the device or operating-system layer, and is passed downstream as a coarse, bracketed signal. Apple’s Declared Age Range API and Google’s Play Age Signals API return ranges (e.g., “under 13,” “13–15,” “16–17,” “18+”) rather than birthdates or documents. California’s AB 1043 codifies this approach. A parent sets the child’s age band at device setup; apps query the signal in real time and make access decisions without ever seeing — or storing — an identity document.</p>

<p><strong>Why it’s better:</strong> It collapses thousands of honeypots into one decision point, shares the minimum necessary information (a band, not a passport), and prohibits long-term retention of age data. The friction is paid once.</p>

<p><strong>Honest tradeoffs:</strong> It is still fundamentally a <em>declared</em> or <em>parental-set</em> signal — it attests to a setting, not to who is physically holding the phone right now, so it’s defeatable by a determined teen with access to an adult’s device. And it deepens Apple’s and Google’s control over the stack, a real competition and centralization concern. It’s a mitigation, not a magic fix. But “one privacy-preserving signal, set once, retained never” beats “an ID upload to every adult site you visit” on every axis that matters.</p>

<h3 id="2-dns-level-filtering--the-most-underrated-tool-in-the-box">2. DNS-level filtering — the most underrated tool in the box</h3>

<p>This is the alternative that gets the least airtime and arguably delivers the most protection per unit of privacy cost. The Domain Name System resolves the names you type into the addresses your device connects to. Point your home network at a filtering resolver and inappropriate domains simply never resolve — network-wide, for every device, with nothing installed and no data handed to anyone.</p>

<table>
  <thead>
    <tr>
      <th>Service</th>
      <th>Resolver addresses</th>
      <th>Profile</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><strong>CleanBrowsing (Family)</strong></td>
      <td><code class="language-plaintext highlighter-rouge">185.228.168.168</code> / <code class="language-plaintext highlighter-rouge">185.228.169.168</code></td>
      <td>Blocks adult/explicit sites, forces SafeSearch on major engines, also blocks proxy/VPN bypass domains and mixed-content sites like Reddit</td>
    </tr>
    <tr>
      <td><strong>OpenDNS FamilyShield</strong></td>
      <td><code class="language-plaintext highlighter-rouge">208.67.222.123</code> / <code class="language-plaintext highlighter-rouge">208.67.220.123</code></td>
      <td>Free, no account, pre-configured to block adult and proxy domains; ~90% block rate in independent testing, but does <em>not</em> force SafeSearch</td>
    </tr>
    <tr>
      <td><strong>Cloudflare for Families</strong></td>
      <td><code class="language-plaintext highlighter-rouge">1.1.1.3</code> (malware + adult) / <code class="language-plaintext highlighter-rouge">1.1.1.2</code> (malware only)</td>
      <td>Fast, global, zero-config; coarse category filtering</td>
    </tr>
  </tbody>
</table>

<p>Set it on the router and it covers the whole house in about five minutes. It’s free, it leaks nothing about your identity to any site, and it’s trivially reversible by the adult who controls the network. Its limits are honest ones — a tech-literate teen can change a device’s DNS, use DoH to bypass it, or tether to mobile data — which is exactly why it belongs in a layered approach rather than being sold as a silver bullet. But as a default first line of defence in the home, it does most of what parents actually want, with none of the surveillance.</p>

<h3 id="3-real-parental-controls-and-on-device-tooling">3. Real parental controls and on-device tooling</h3>

<p>The mature parental-control ecosystem — built into iOS Screen Time and Android Family Link, extended by tools like Qustodio for time limits, app blocking, and activity reporting — keeps decisions where developmental context lives: with the parent who knows whether a given child is ready for a given thing. A blanket legal age line treats a 10-year-old and a 15-year-old identically, ignoring exactly the judgment that good parenting supplies. On-device controls are granular, they’re already shipped on the devices children use, and they don’t require anyone to build a national ID database.</p>

<h3 id="4-attack-the-root-cause-data-minimization-and-a-real-privacy-baseline">4. Attack the root cause: data minimization and a real privacy baseline</h3>

<p>The deepest fix is the least discussed. A large share of the harm that age verification is meant to address — manipulative engagement-maximizing design, predatory data collection from minors, addictive feeds — flows from a surveillance-advertising business model that current law permits. Comprehensive data-minimization rules that restrict what platforms may collect and exploit, especially from children, reduce those harms <em>without</em> requiring anyone to prove who they are. Strong privacy legislation should be the prerequisite, not an afterthought: without it, an “age signal” is just one more data point to monetize. Regulating platform <em>design</em> — duties to act responsibly, transparency obligations, researcher data access, real penalties for engagement dark patterns — targets how these services actually cause harm, instead of erecting an identity checkpoint and calling it safety.</p>

<hr />

<h2 id="steelmanning-the-other-side">Steelmanning the other side</h2>

<p>Intellectual honesty requires engaging the strongest version of the case for mandatory verification, not the weakest.</p>

<p><strong>“Some friction is better than none.”</strong> True, and the strongest point the proponents have. Even a leaky gate deters the casual, accidental encounter — the curious twelve-year-old who stumbles onto something, rather than the determined fifteen-year-old hunting for it. Reducing accidental exposure has real value. The rebuttal is one of proportionality: you can capture most of that deterrence with DNS filtering and device-level controls — which raise the <em>same</em> casual-encounter friction — without building a national identity-collection apparatus and without the breach, exclusion, and chilling costs. If the goal is friction against accidents, the cheapest, least invasive tool that produces friction wins. Per-site ID collection is the most invasive tool that produces it.</p>

<p><strong>“The offline world already does this.”</strong> We card people at liquor stores and casinos, the argument goes, so why not online? Because the offline check is ephemeral and local — a bouncer glances at a license and forgets it. The online equivalent uploads a permanent, copyable, breachable digital image of that license to a remote server and a chain of subprocessors. The analogy holds for the <em>intent</em> and breaks completely on the <em>mechanics</em> — and the mechanics are where all the harm lives.</p>

<p><strong>“Platforms have failed to self-police, so the state must act.”</strong> Also largely true — voluntary moderation has been inadequate. But the conclusion doesn’t follow. The choice isn’t “ID mandates or nothing.” Design regulation, data-minimization law, mandatory parental tooling, and default-on network filtering are all forms of the state acting, none of which require turning the internet into a checkpoint.</p>

<p>The proponents are right that the harm is real and that doing nothing is not acceptable. They are wrong that this specific instrument addresses it. Caring about the problem and opposing this solution are fully compatible positions — indeed, taking child safety seriously is a reason to reject a measure that fails children while costing everyone else their privacy.</p>

<hr />

<h2 id="the-part-that-outlives-the-panic">The part that outlives the panic</h2>

<p>Strip away the specifics and here’s what the first year of deployment demonstrates. The targets evade the controls — visibly, immediately, and in growing numbers. The non-targets pay with their most sensitive data, into systems that are already breaching at scale. The infrastructure being built to enforce all this — device-bound identity signals, biometric estimation, ID-collection pipelines, the apparatus for jurisdictional website blocking — is general-purpose, and it doesn’t get uninstalled when the headlines move on. As the EFF observed, age is simply the <em>first</em> identity attribute being wired into the operating architecture of the internet. Once that architecture exists and everyone is conditioned to authenticate identity to access content, the marginal cost of extending it — to other attributes, other content, other reasons — drops toward zero. There is no putting that toothpaste back in the tube.</p>

<p>Children deserve a safer internet. They will not get one from a system they defeat in thirty seconds, that leaks their parents’ passports onto 4chan, and that quietly builds the most consequential surveillance infrastructure of the decade while everyone is looking at the children. The better tools are unglamorous: a DNS setting changed on a router, a device age band set at setup, a parental-control app, a privacy law with teeth. They are also the ones that actually trade off correctly — more protection, less surveillance — which is presumably why they keep losing to the version that photographs well in a press release.</p>]]></content><author><name></name></author><summary type="html"><![CDATA[Why mandatory age verification makes children less safe, strips privacy from everyone, and builds surveillance infrastructure that will outlive the panic that created it]]></summary></entry><entry><title type="html">You’ll Own Nothing and You’ll Be Miserable</title><link href="https://mendelevium.github.io/own-nothing/" rel="alternate" type="text/html" title="You’ll Own Nothing and You’ll Be Miserable" /><published>2026-04-21T00:00:00+00:00</published><updated>2026-04-21T00:00:00+00:00</updated><id>https://mendelevium.github.io/own-nothing</id><content type="html" xml:base="https://mendelevium.github.io/own-nothing/"><![CDATA[<p>How the Promise of AI Abundance Became a License Economy — and What to Do About It</p>

<hr />

<h2 id="a-sentence-that-gave-away-the-plot">A sentence that gave away the plot</h2>

<p>On March 31, 2024, millions of people tried to launch a video game they had bought — some of them ten years earlier, at full price, on physical discs in shrink-wrapped boxes — and discovered it no longer existed.</p>

<p>The game was Ubisoft’s <em>The Crew</em>. It was a commercial hit; over two million copies sold in its first month, successful enough to spawn two sequels. Ubisoft stopped selling it in late 2023, then switched off the servers it required on March 31, 2024. Because the game checked in with those servers to run, <em>every</em> copy — online, offline, purchased, preordered, collector’s edition — became a small, polite error message.</p>

<p>When two Californians sued in late 2024, arguing that “bought” is supposed to mean <em>bought</em>, Ubisoft’s legal response contained a sentence that belongs carved above the entrance of every digital storefront on Earth. According to <a href="https://www.gosugamers.net/entertainment/news/74694-ubisoft-responds-to-the-crew-shutdown-lawsuit-says-players-only-had-limited-license">reporting on the filings</a>, Ubisoft’s lawyers argued that the plaintiffs never actually purchased the game. What they had acquired was a <em>limited license to access</em> it. The game’s packaging, they pointed out, said so — in capital letters.</p>

<p>When France’s largest consumer protection organization, UFC-Que Choisir, <a href="https://www.thegamer.com/the-crew-shutdown-ubisoft-lawsuit-france/">filed its own suit in March 2026</a>, its position was that revoking “licenses” this way violates consumer rights. In the interim, a grassroots movement called Stop Killing Games had collected over 1.2 million verified EU signatures and reached the European Parliament. California passed a law requiring digital storefronts to state clearly, before checkout, that “buy” means “license.” Shortly afterward, Steam began displaying exactly that disclaimer.</p>

<p>One small game. One sentence in a legal filing. And suddenly a decade’s worth of quiet inversion was visible in broad daylight.</p>

<p>We are, slowly and then all at once, being evicted from the ownership economy into the license economy. And the most remarkable thing about this transition is how neatly it inverts the most-repeated promise of the AI era — that abundant machine intelligence would liberate us from toil, not rent us back the conditions of our own lives.</p>

<hr />

<h2 id="the-pattern-youve-been-trained-not-to-see">The pattern you’ve been trained not to see</h2>

<p>Once you notice it, the pattern is everywhere:</p>

<p><strong>Your tractor.</strong> John Deere, the single largest maker of farm equipment in North America, has spent years locking farmers out of their own machines through software. The full diagnostic tool needed to repair a modern Deere tractor is available only to authorized dealers. A stripped-down version for farmers <a href="https://www.nbcnews.com/business/consumer/right-to-repair-farmers-challenge-john-deere-control-equipment-rcna199651">costs about $3,000 per year</a> and still redacts the key functions. In January 2025, the FTC and several states sued Deere over these practices. In April 2026, Deere <a href="https://www.farmprogress.com/farming-equipment/john-deere-settles-right-to-repair-lawsuit-for-99-million">settled a parallel class action for $99 million</a> and agreed to make diagnostic tools available for at least a decade. Public Interest Research Group estimates that repair restrictions across all manufacturers cost U.S. farmers about $4.2 billion a year.</p>

<p><strong>Your car.</strong> In 2022, BMW began charging owners roughly $18 a month to activate heated seats — hardware physically installed in every car the moment it left the factory. The backlash was severe enough that BMW dropped <a href="https://www.edmunds.com/car-news/bmw-relents-on-heated-seat-subscription.html">that particular subscription in 2023</a>. But the broader model didn’t go away; it retreated upmarket. Tesla now sells Full Self-Driving only as a monthly subscription. Mercedes charges annual fees to unlock acceleration in EQ electric cars. Volkswagen sells horsepower by the month. The car you paid $60,000 for is, increasingly, a device that has to phone home to deliver the performance you thought you bought.</p>

<p><strong>Your printer.</strong> HP pushes firmware updates that disable third-party ink cartridges and, by some accounts, even expired first-party ones — a practice so extensively litigated it has its own Wikipedia entry.</p>

<p><strong>Your books.</strong> In 2009, in a moment that should be taught in every business school as an omen, Amazon remotely deleted copies of George Orwell’s <em>1984</em> from Kindle devices over a licensing dispute. Customers woke up to find pages they’d highlighted the night before no longer existed.</p>

<p><strong>Your software.</strong> Adobe killed perpetual Photoshop licenses in 2013. Microsoft Office became Microsoft 365. Autodesk, Jetbrains, 1Password — all of it moved from one-time purchase to perpetual rent, often alongside genuine product improvements that made the rental feel briefly reasonable.</p>

<p><strong>Your music and movies.</strong> The “Buy” button on most streaming platforms is doing heroic work of imagination. Songs and films vanish from personal libraries when label contracts change. Movies you “own” on iTunes disappear when regional rights expire.</p>

<p><strong>Your smart home.</strong> Revolv, a popular home-automation hub Google acquired through Nest, was simply bricked in 2016 when Google decided to stop running the servers. Every device turned into a paperweight. This happens quietly and routinely — it is now a risk category for any internet-connected appliance.</p>

<p>This isn’t a conspiracy. It’s a business model, compounded by network effects, venture-scale return expectations, and the quiet architectural fact that almost everything now needs a server somewhere to work. The software industry learned that recurring revenue is worth roughly five to ten times transactional revenue in enterprise valuations. Then every other industry noticed.</p>

<p>What we are watching is the <em>financialization of possession</em>. Things that used to be capital — tractors, cars, books, tools — are being refactored into services. This is wonderful for the balance sheets of a small number of platforms. It is, for everyone else, the slow disappearance of a form of wealth they may not realize they had.</p>

<hr />

<h2 id="what-we-traded-away">What we traded away</h2>

<p>The old ownership economy was never perfect, and it certainly wasn’t equally distributed. But it had a load-bearing property that is easy to miss when you have it and brutal to notice when it’s gone: <strong>owned things compound into stability</strong>.</p>

<p>A house you own is a hedge against rent increases. A car you own is a hedge against subscription fees. A library of books, records, tools, and skills you own is a hedge against a vendor you will never meet deciding the server isn’t worth running anymore. Ownership is, among other things, a form of insurance against the future’s moods.</p>

<p>The twentieth-century political project in most democracies — whatever you think of its execution — was broadly about spreading ownership. Homesteading. Public libraries that lent genuine copies of genuine books. GI Bills and mortgage guarantees. Pensions that were actual funds, not just promises. Small business formation as an ordinary, expected life path. The cultural default was that your work produced accumulating artifacts: a house, tools, savings, a trade, a business, a deed.</p>

<p>The twenty-first-century version is different. You don’t own the music you listen to, the shows you watch, the software you write in, the car you drive, increasingly the tractor you farm with, and almost none of the platforms you rely on to make a living. Much of this is fine in isolation — who really wants to rack their own servers for Netflix. It becomes strange when you add it up. Most of the financial flows that used to build household balance sheets now flow laterally into platform balance sheets as rent. The median American household pays more per month in subscriptions than at any point in history, and that figure continues climbing.</p>

<p>This is the decor of the room. Now look at the wallpaper.</p>

<hr />

<h2 id="the-inversion-what-ai-was-supposed-to-be-and-what-it-is-becoming">The inversion: what AI was supposed to be, and what it is becoming</h2>

<p>The pitch for artificial intelligence — the real pitch, the one in the blog posts and keynotes, not the carefully hedged ones in the 10-Ks — was abundance.</p>

<p>In 2016, Sam Altman <a href="https://www.cbsnews.com/news/sam-altman-universal-basic-income-study-open-research/">wrote on the Y Combinator blog</a> about funding a basic-income experiment because he thought technology might eliminate enough “traditional jobs” that societies would need to rethink how people receive income at all. Elon Musk has said <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC11891208/">repeatedly</a> that in a benign AI future, “probably none of us will have a job” and that there would be “universal high income.” Even corporate communications from the major labs lean on the same frame: AI will produce so much economic output, so cheaply, that humanity’s relationship to scarcity itself will change.</p>

<p>The implicit deal was this: yes, the transition will be disruptive, possibly brutal for particular workers and industries, but on the other side lies something like a utopia of near-free cognition. UBI, in this framing, is a bridge to that utopia — a cash transfer to keep people whole while the economy reorganizes around machines.</p>

<p>The OpenAI-backed basic-income study, run by OpenResearch, <a href="https://www.cbsnews.com/news/sam-altman-universal-basic-income-study-open-research/">released its findings in July 2024</a>. Three thousand low-income participants received $1,000 per month for three years. The results were interesting but not euphoric: recipients worked about 1.3 hours less per week, spent more on food, rent, transportation, and helping family members, used a bit more healthcare, and made more entrepreneurial moves. They did not, contrary to fears, stop working. They also did not, contrary to hopes, find dramatically better jobs. Short-term mental-health gains faded after the first year.</p>

<p>UBI, it turns out, helps. It is not magic.</p>

<p>Meanwhile the labor market numbers have started to turn. Anthropic’s CEO Dario Amodei <a href="https://almcorp.com/blog/ai-job-displacement-statistics/">predicted in 2025</a> that AI could eliminate roughly half of entry-level white-collar positions within five years. Cornell University research found U.S. companies adopting AI have reduced junior hiring by about 13 percent. A Stanford study in 2025 provided early large-scale evidence that the effect lands hardest on workers in early-career cognitive roles. Employment of software developers aged 22 to 25 has fallen roughly 20 percent from its late-pandemic peak. In the first six months of 2025 alone, <a href="https://theworlddata.com/ai-job-displacement-statistics/">roughly 78,000 tech layoffs were attributed to AI</a>; modeling estimates for the full year suggest the real, unreported number is several times higher.</p>

<p>Now sit with the pieces next to each other:</p>

<ol>
  <li>The productive capital of the coming economy — training compute, model weights, inference capacity, proprietary data — is being concentrated into a handful of companies, more concentrated than any industrial revolution that preceded it.</li>
  <li>That same handful of companies owns, or is rapidly acquiring, the platforms on which the rest of us rent access to everything: documents, storage, software, media, communication, search, and now thinking.</li>
  <li>The compensation framework being proposed for the disrupted majority is a subsidy — potentially funded by taxing the AI companies themselves — that would flow through to them again anyway, because we rent our lives from them.</li>
</ol>

<p>A sharp 2025 paper in <em>Frontiers in Artificial Intelligence</em> by Jean-Christophe Bélisle-Pipon <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC11891208/">frames this as a form of “symbolic violence”</a> — a UBI advocated by AI elites risks legitimizing, rather than challenging, a world divided between AI owners, a narrow class of AI-capable workers, and a vast population of recipients. Whatever you think of the framing, the structural observation is hard to argue with. A basic income that keeps you housed and fed while the tools of production are owned elsewhere is not emancipation. It is a subscription to existence, paid by the very platforms that collect rent on everything else you do.</p>

<p>This is the inversion. The promise was that abundant intelligence would free us from toil. What is actually being built is a world in which even the refusal to pay rent — on your software, your car, your data, your tractor, your attention — becomes progressively more difficult.</p>

<p>The good news is that this is not a law of physics. It’s a set of choices. Which means there are counter-choices.</p>

<hr />

<h2 id="why-the-arithmetic-gets-worse-the-longer-you-wait">Why the arithmetic gets worse the longer you wait</h2>

<p>Three dynamics make the license economy compound against you over time.</p>

<p><strong>Rents are multiplicative, not additive.</strong> Every subscription is forever, and every forever is priced into the NPV of every platform that adds one. A $15 monthly subscription is a $1,800 ten-year commitment at zero inflation — and none of these prices stay flat. Netflix, Adobe, Microsoft 365, YouTube Premium, Spotify, ChatGPT Plus: every one of them has raised prices at or above inflation since launch. Meanwhile, the transaction costs of canceling are engineered upward.</p>

<p><strong>Skills and knowledge atrophy in a rented world.</strong> When nobody owns, nobody maintains. When nobody maintains, nobody learns. Repair knowledge, sysadmin knowledge, the quiet competence of running your own things — these were dense commons fifty years ago. They are thinning now. The license economy is, among other things, a <em>deskilling engine</em>, because the incentive structure rewards platforms that keep complexity on their side of the API. This is especially true with AI tools: a generation of developers who only know how to call cloud APIs are, in an important sense, not portable across the end of a vendor relationship.</p>

<p><strong>Political leverage follows ownership.</strong> Renters, historically, have less political voice than owners. The patient constituency for interoperability, repair, portability, and competition is built out of people who have something concrete to defend. Every subscription is a small vote for the current arrangement. Every piece of local infrastructure — a laptop you can repair, a server in your closet, a backup in a drawer, a skill in your head — is a small vote for the next one.</p>

<hr />

<h2 id="fighting-back-the-personal-level">Fighting back: the personal level</h2>

<p>The goal at the personal level isn’t to exit the modern economy. It’s to be <em>strategically ownership-heavy</em> on the things that matter to you, so that no single vendor decision can wipe out a meaningful part of your life.</p>

<p><strong>Own your data.</strong> Pick a local-first architecture and stick with it. Practical stack: a NAS or small server running <a href="https://nextcloud.com/">Nextcloud</a> for files, <a href="https://immich.app/">Immich</a> for photos (a genuinely compelling replacement for Google Photos), <a href="https://docs.paperless-ngx.com/">Paperless-ngx</a> for documents, <a href="https://jellyfin.org/">Jellyfin</a> for media. <a href="https://syncthing.net/">Syncthing</a> for device-to-device sync without a central server. Back up with the 3-2-1 rule: three copies, two media, one offsite. None of this is as convenient as the cloud. All of it is permanent in a way the cloud is not.</p>

<p><strong>Own your devices.</strong> Prefer repairable hardware. <a href="https://frame.work/">Framework</a> laptops are the cleanest expression of this ethic. Phones are harder, but a Pixel running <a href="https://grapheneos.org/">GrapheneOS</a> remains the best combination of privacy, security, and longevity. Run Linux where you can — Fedora, NixOS, or Ubuntu — not because Windows is bad but because the day Microsoft decides Windows is a service, you want other options.</p>

<p><strong>Own your compute.</strong> This is newly important. Local LLMs have crossed the threshold from curiosity to workhorse. <a href="https://ollama.com/">Ollama</a> and <a href="https://lmstudio.ai/">LM Studio</a> make it trivial to run capable models — Llama 3, Qwen, Mistral, Gemma — on an M-series Mac or a modest GPU. For the majority of day-to-day tasks (drafting, summarization, code assistance, research synthesis), a good local model is sufficient, free, private, and immune to service outages or policy changes. Pay for frontier models when the task genuinely demands it, but stop letting every keystroke flow through a third party’s context window.</p>

<p><strong>Own your media.</strong> Buy DRM-free where possible: ebooks from Kobo or Standard Ebooks, audiobooks from <a href="https://libro.fm/">Libro.fm</a>, music from Bandcamp or as actual FLAC files. Keep a local library. Streaming is fine for discovery; the things you’ll still want in a decade deserve to live on your drive.</p>

<p><strong>Own your information diet.</strong> RSS readers (try <a href="https://miniflux.app/">Miniflux</a> or <a href="https://www.freshrss.org/">FreshRSS</a>) instead of algorithmic feeds. Download the PDF, don’t just bookmark the article. Snapshot what matters with a tool like <a href="https://archivebox.io/">ArchiveBox</a>.</p>

<p><strong>Own your skills.</strong> The single highest-leverage personal investment in an ownership-hostile world is literacy in the tools that let you route around vendor decisions: shell, git, Docker, a scripting language, basic networking, basic electronics. You don’t have to become an engineer. You have to become hard to hold hostage.</p>

<p><strong>Use AI as your leverage, not your landlord.</strong> The irony worth naming out loud: the same technology reshaping the labor market is also the single biggest boost to the ownership path that has ever existed. Every obstacle that kept self-hosting niche — cryptic config files, opaque error messages, the sysadmin tax of running your own things — is exactly the kind of friction LLMs dissolve. A local model on your laptop is a patient, always-available tutor that will write your Nextcloud <code class="language-plaintext highlighter-rouge">docker-compose.yml</code>, debug a failing Jellyfin transcode, explain what that nginx log line means, and script your Google Takeout into Immich. The historical asymmetry — “proprietary is easier because somebody else absorbs the complexity” — is inverting. With AI on your side of the fence, the complexity gets absorbed there instead. The license economy handed you a weapon; pick it up.</p>

<hr />

<h2 id="fighting-back-the-smb-level">Fighting back: the SMB level</h2>

<p>Small and medium businesses are where the license economy extracts the most, per capita, and where the freedom to leave is most valuable — and most neglected.</p>

<p><strong>Own your customer relationships.</strong> The email list is the single most important business asset most founders under-invest in. Not your Instagram followers, not your TikTok reach, not your Shopify traffic — an owned list of customers and their consent, in a format you can export and re-import anywhere. Platforms are weather; an email list is climate.</p>

<p><strong>Own your operational core.</strong> Self-host the handful of systems that would hurt most to lose. Practical picks: <a href="https://www.postgresql.org/">PostgreSQL</a> (the most undervalued piece of software of the last two decades), <a href="https://supabase.com/docs/guides/self-hosting">Supabase self-hosted</a> as a Firebase replacement, <a href="https://mailcow.email/">Mailcow</a> or <a href="https://mailinabox.email/">Mail-in-a-Box</a> for email, <a href="https://plausible.io/">Plausible</a> or <a href="https://umami.is/">Umami</a> instead of Google Analytics, <a href="https://n8n.io/">n8n</a> or <a href="https://www.activepieces.com/">Activepieces</a> instead of Zapier for automation. An open-source CRM like <a href="https://www.espocrm.com/">EspoCRM</a> or <a href="https://suitecrm.com/">SuiteCRM</a> will outlast any startup.</p>

<p><strong>Use open formats religiously.</strong> CSV for tabular data, Parquet for analytics, Markdown for documents, plain SQL for queries, open API standards for everything. The test is simple: if this vendor disappeared tomorrow, could you read your data? If not, you don’t own it.</p>

<p><strong>Contract for portability.</strong> Write data-export clauses and reasonable exit-assistance clauses into every vendor relationship. For critical software, ask about source code escrow. This sounds like enterprise paranoia; it is practical hygiene.</p>

<p><strong>Host your own AI.</strong> For internal workflows — customer support triage, document processing, code assistance, internal search — a self-hosted model on your own hardware is frequently sufficient and keeps your operational data out of someone else’s training set. vLLM or Ollama on a single well-specced GPU server handles enormous volume. The break-even against API costs usually arrives faster than people expect.</p>

<p><strong>Consider a homelab.</strong> A used 1U server from an off-lease liquidator, Proxmox on top, and a handful of containers can replace a surprising amount of SaaS for a small business. The skill involved is a moat, not a cost.</p>

<p><strong>Let AI finally make “build” competitive with “buy.”</strong> For a generation, the default answer for a small business was <em>rent the SaaS</em> — because the developer needed to build a custom equivalent was too expensive, and the open-source alternatives lost on polish. AI collapses both sides of that equation. A founder or operations lead with a capable coding assistant can stand up a focused internal tool over a weekend that replaces two or three per-seat subscriptions, and maintain it without a full-time engineer. Open-source projects that used to lose on documentation and UX become usable because an LLM fills the gap in real time. Migration projects that used to take a quarter — exporting from one vendor, transforming the data, loading into a self-hosted replacement — take a week. The break-even between renting and owning has moved significantly in favor of ownership, <em>if</em> you use AI as a force multiplier for your own infrastructure rather than as another monthly bill.</p>

<hr />

<h2 id="fighting-back-the-corporate-level">Fighting back: the corporate level</h2>

<p>Large enterprises have the buying power to bend markets, and the organizational depth to build their own alternatives. Most squander both.</p>

<p><strong>Procurement as policy.</strong> Write real terms into SaaS contracts: data portability on demand, source-code escrow for anything mission-critical, SLA-backed API stability, open-standard interoperability (OIDC, SCIM, OpenTelemetry, OCI, ODBC, standard SQL dialects). Refuse contracts that penalize leaving. A hundred enterprise buyers doing this changes vendor behavior in a way a hundred consumer complaints never will.</p>

<p><strong>Build what differentiates; rent what doesn’t.</strong> The classic framing, now more important than ever. If a capability is core to your strategic advantage — your models, your pricing engine, your customer intelligence — owning it outright is worth substantial overhead. If it isn’t, fine, rent it, but rent interchangeably. Multi-cloud by architecture, not by slogan.</p>

<p><strong>On-prem and hybrid AI for anything sensitive.</strong> The large open-weight model families — Llama, Qwen, Mistral, DeepSeek — are good enough for the overwhelming majority of enterprise tasks when deployed with proper retrieval and guardrails. The capex to run them on your own iron is a rounding error compared to the annual contract spend most large firms now allocate to AI APIs. The returning benefit — your data does not leave your premises, ever — is increasingly a regulatory and strategic necessity.</p>

<p><strong>Fund the commons.</strong> Large enterprises are the largest beneficiaries of open-source infrastructure (Linux, Postgres, Kubernetes, Python, Go, the HTTP stack) and the least proportionate contributors. Allocate engineers and dollars, systematically, to the projects you depend on. This is not philanthropy; it is securing the supply chain for your own foundation.</p>

<p><strong>Cultivate depth, not just breadth.</strong> Specialists who understand how systems actually work — who can read Postgres query plans, debug network stacks, run their own Kubernetes, tune their own models — are the people who make an organization ownership-capable. A staff of vendor-certified specialists is an organization that has outsourced its capacity to leave.</p>

<p><strong>Back the policy fights.</strong> Right to repair, digital markets regulation, interoperability mandates, open-model-weights policy, data-portability standards — these fights determine the shape of the next decade’s commercial terrain. Corporate policy teams that quietly support them buy their employers optionality; corporate teams that quietly oppose them are engineering their employers’ dependence.</p>

<p><strong>Treat AI as an asset, not a service.</strong> The difference between AI that compounds your position and AI that erodes it comes down to a single question: at the end of the contract term, do you own more, or less? A frontier API call produces an answer and a line item. A fine-tuned open-weight model, trained on years of your proprietary data, retrieval-grounded in your own documents, deployed on infrastructure you control, produces a durable capability your competitors cannot rent from the same shelf. AI-assisted code modernization has quietly transformed the economics of paying down technical debt — the legacy systems that used to lock you into a vendor can actually get refactored now, at a tenth of the historical cost. Internal agents running against your own data, on your own infrastructure, with your own models, are strategic leverage. The same agents running against a third-party API are a forecast line item with usage-based pricing and a renegotiation date. The question for any serious enterprise is no longer <em>whether</em> to use AI, but whether the AI they use compounds into assets they own or costs they pay forever.</p>

<hr />

<h2 id="ownership-deliberately">Ownership, deliberately</h2>

<p>Here is the uncomfortable summary. Ownership used to be the default outcome of working, saving, and buying. In 2026, ownership is a deliberate, slightly effortful act. You have to notice it. You have to choose it. You have to maintain it. The frictionless default is to rent everything from a platform, including, eventually, your own cognition.</p>

<p>But the arithmetic still works. Every subscription canceled is a rent not paid forever. Every self-hosted service is a middleman subtracted. Every owned device, skill, model, dataset, relationship, and habit is a piece of the next economy that somebody — you, your business, your community — actually controls.</p>

<p>The abundance promise of AI could still be real; the only live question is whose balance sheet it lands on. Abundance built on top of a stack owned by five trillion-dollar companies, paid for by a universal subsidy routed through their balance sheets, is not abundance. It is a company town with a better marketing budget.</p>

<p>But abundance can also go the other way. AI is, at the same moment the license economy is using it to dismantle ownership, the single largest force multiplier for ownership that any individual, small business, or enterprise has ever had access to. The friction that used to keep self-hosting a hobby dissolves in seconds under a local model. The custom tool a small business couldn’t afford to build now takes a weekend. The vendor-locked legacy system a corporation resigned itself to paying rent on can actually be refactored, at a fraction of the historical cost. The same technology being used to dismantle the ownership economy is, on the other side of the fence, the most effective tool yet invented for reclaiming it.</p>

<p>The alternative to the license economy is not austerity or nostalgia. It is a deliberate ownership posture — layered into personal habits, small-business architecture, and corporate procurement — with an occasional, well-placed lawsuit at the top, for tone. Ubisoft’s engineers flipping off a switch in March 2024 was a gift. For the first time in a long time, millions of people saw, plainly, that the thing they thought they owned had been on loan the whole time.</p>

<p>That clarity is the beginning of the counter-move. The license economy is legible now. And the tools to build something different — cheap hardware, capable open-weight models, mature open-source stacks, a whole generation fed up enough to start caring, and, improbably, an AI that will patiently explain any of it to you at two in the morning — are sitting right there, on your desk, waiting for someone to take them seriously.</p>

<p>You’ll own nothing and you’ll be miserable — if you let someone else decide that for you. You don’t need permission to start owning things again. You just need to notice that it’s a choice, and that for the first time in a long time, the asymmetry runs in your favor.</p>]]></content><author><name></name></author><summary type="html"><![CDATA[How the Promise of AI Abundance Became a License Economy — and What to Do About It]]></summary></entry><entry><title type="html">DNS “transparency”</title><link href="https://mendelevium.github.io/dsn-transparency/" rel="alternate" type="text/html" title="DNS “transparency”" /><published>2026-04-19T00:00:00+00:00</published><updated>2026-04-19T00:00:00+00:00</updated><id>https://mendelevium.github.io/dsn-transparency</id><content type="html" xml:base="https://mendelevium.github.io/dsn-transparency/"><![CDATA[<p>The ISP’s So-Called DNS Transparency, and the Quiet Erosion of Your Privacy</p>

<blockquote>
  <p><em>Every website you visit. Every app you open. Every domain you touch. Before a single byte of content reaches you, a request goes out into the open — and someone is almost certainly watching.</em></p>
</blockquote>

<hr />

<h2 id="preface-the-protocol-that-forgot-privacy">Preface: The Protocol That Forgot Privacy</h2>

<p>When the Domain Name System was designed in 1983 by Paul Mockapetris, the internet was a collegial academic network of a few hundred machines. Privacy wasn’t an afterthought — it wasn’t a thought at all. DNS was built to be fast, distributed, and resilient. It was built for a world that no longer exists.</p>

<p>Forty years later, DNS remains the foundational directory of the internet, handling over <strong>620 billion queries per day</strong> globally. And for most of those queries, the privacy model is essentially unchanged from 1983: requests travel in plaintext, unencrypted, unauthenticated, and fully visible to anyone positioned between you and the resolver.</p>

<p>This is the story of DNS leakage — what it is, why it has gotten significantly worse as ISPs  have adopted “transparency” programs, what it means for your security and privacy, and what you can actually do about it.</p>

<hr />

<h2 id="part-i-understanding-dns--the-phone-book-you-cant-opt-out-of">Part I: Understanding DNS — The Phone Book You Can’t Opt Out Of</h2>

<h3 id="how-dns-actually-works">How DNS Actually Works</h3>

<p>When you type <code class="language-plaintext highlighter-rouge">example.com</code> into your browser, your computer doesn’t know where to find it. IP addresses are what machines route; domain names are what humans remember. DNS is the translation layer.</p>

<p>The resolution process unfolds in a chain:</p>

<ol>
  <li>
    <p><strong>Stub Resolver</strong> — Your OS checks its local cache. If it has a recent answer, done. If not, it forwards the query to a <em>recursive resolver</em> — typically one configured automatically by your ISP via DHCP.</p>
  </li>
  <li>
    <p><strong>Recursive Resolver</strong> — This server (usually operated by your ISP, or a public provider like <code class="language-plaintext highlighter-rouge">8.8.8.8</code>) does the heavy lifting. It queries <em>root nameservers</em>, then <em>Top-Level Domain (TLD) nameservers</em> (e.g., <code class="language-plaintext highlighter-rouge">.com</code>), then the <em>authoritative nameserver</em> for the specific domain.</p>
  </li>
  <li>
    <p><strong>Authoritative Nameserver</strong> — Returns the actual IP address. The recursive resolver caches it and sends it back to your machine.</p>
  </li>
  <li>
    <p><strong>Your Browser Connects</strong> — Only now does your browser open a TCP/TLS connection to the destination.</p>
  </li>
</ol>

<p>The critical point: <strong>steps 1 through 3 are, by default, entirely unencrypted and unprotected</strong>. The query for <code class="language-plaintext highlighter-rouge">example.com</code> travels over UDP port 53 in plaintext.</p>

<h3 id="what-a-dns-query-reveals">What a DNS Query Reveals</h3>

<p>A single DNS query contains:</p>
<ul>
  <li>The <strong>full domain name</strong> being resolved (e.g., <code class="language-plaintext highlighter-rouge">mail.proton.me</code>, <code class="language-plaintext highlighter-rouge">careers.competitor.com</code>, <code class="language-plaintext highlighter-rouge">therapy-finder.health</code>)</li>
  <li>Your <strong>source IP address</strong></li>
  <li>A <strong>transaction ID</strong> (trivially forgeable, but tracked)</li>
  <li>A <strong>timestamp</strong> (when correlated with resolver logs)</li>
</ul>

<p>Your DNS history is, in many ways, more revealing than your browsing history. Browsers increasingly send HTTPS traffic everywhere, obscuring page-level content. But DNS happens <em>before</em> HTTPS. It reveals not just what you visited, but <em>that you intended to visit it</em> — even if you never completed the connection.</p>

<p>A week of DNS logs from a typical user can reveal:</p>
<ul>
  <li>Medical conditions (resolving health portal domains, telehealth services)</li>
  <li>Financial behavior (brokerage platforms, loan services, debt management)</li>
  <li>Political and religious affiliations (news sources, community organizations)</li>
  <li>Relationship status and personal struggles (dating apps, counseling platforms)</li>
  <li>Professional activities (competitor research, job boards, recruiter communications)</li>
</ul>

<hr />

<h2 id="part-ii-dns-leakage--definitions-and-mechanics">Part II: DNS Leakage — Definitions and Mechanics</h2>

<h3 id="what-is-a-dns-leak">What Is a DNS Leak?</h3>

<p>The term “DNS leak” has both a narrow technical definition and a broader practical meaning that is increasingly important.</p>

<p><strong>Narrow definition:</strong> A DNS leak occurs when a device configured to use a VPN or privacy-enhancing tool continues to send DNS queries <em>outside</em> that protected tunnel — typically to the ISP’s default resolver — exposing browsing activity despite the user’s belief that it is protected.</p>

<p><strong>Broader definition (and the one that matters more today):</strong> Any scenario in which DNS queries reach an unintended or untrusted resolver, or are logged by an intermediary without the user’s knowledge or meaningful consent.</p>

<h3 id="mechanisms-of-dns-leakage">Mechanisms of DNS Leakage</h3>

<p>DNS leaks occur through several distinct technical pathways:</p>

<h4 id="1-vpn-split-tunneling-misconfiguration">1. VPN Split-Tunneling Misconfiguration</h4>
<p>Many VPN clients route only certain traffic through the tunnel while leaving the default route — including DNS — on the physical interface. Unless the VPN client explicitly forces DNS traffic through the tunnel and overrides the system resolver, queries escape to the ISP resolver.</p>

<h4 id="2-webrtc-and-browser-level-leaks">2. WebRTC and Browser-Level Leaks</h4>
<p>WebRTC, the protocol powering browser-based video and audio, can trigger DNS resolution via the operating system’s stub resolver rather than the browser’s configured resolver. Even with a VPN active, WebRTC STUN requests can leak the real local IP and trigger DNS queries on the unprotected interface.</p>

<h4 id="3-ipv6-leakage">3. IPv6 Leakage</h4>
<p>Many VPN implementations tunnel IPv4 traffic while leaving IPv6 unprotected. If a domain resolves to an AAAA (IPv6) record and the system has IPv6 connectivity outside the tunnel, the DNS query and subsequent traffic bypass the VPN entirely. This affects a surprising number of consumer-grade VPN products.</p>

<h4 id="4-nxdomain-hijacking-and-transparent-proxying">4. NXDOMAIN Hijacking and Transparent Proxying</h4>
<p>Some ISPs intercept all outbound UDP port 53 traffic via transparent DNS proxies — regardless of what resolver the user has configured. A user who sets their DNS to <code class="language-plaintext highlighter-rouge">1.1.1.1</code> may find their queries are silently redirected to the ISP’s own resolver without any indication that this is occurring. This is both a privacy violation and a form of DNS leak by redirection.</p>

<h4 id="5-operating-system-fallback-behavior">5. Operating System Fallback Behavior</h4>
<p>Windows, in particular, implements a feature called “Smart Multi-Homed Name Resolution” (SMHNR), which sends DNS queries to <em>all</em> configured resolvers simultaneously and accepts whichever responds first. This means queries can leak to interfaces and resolvers the user has not prioritized — including ISP resolvers — even when a privacy-conscious resolver is configured.</p>

<h4 id="6-search-domain-poisoning">6. Search Domain Poisoning</h4>
<p>Corporate and home routers frequently push search domain suffixes (e.g., <code class="language-plaintext highlighter-rouge">corp.internal</code>) via DHCP. Poorly scoped search domain configurations can cause unqualified hostnames to be appended with unexpected suffixes and resolved externally, leaking internal naming structure to upstream resolvers.</p>

<hr />

<h2 id="part-iii-the-rise-of-dns-transparency--isps-as-surveillance-infrastructure">Part III: The Rise of DNS Transparency — ISPs as Surveillance Infrastructure</h2>

<h3 id="from-passive-logging-to-active-programs">From Passive Logging to Active Programs</h3>

<p>For much of the internet’s history, ISP DNS logging was a passive, incidental byproduct of infrastructure operation. Logs were retained for short periods for debugging and abuse response. The idea of <em>systematically</em> using DNS data for commercial or government purposes existed, but was not widely practiced.</p>

<p>That has changed dramatically.</p>

<h3 id="commercial-dns-monetization">Commercial DNS Monetization</h3>

<p>Beginning in the early 2010s — and accelerating significantly after the FCC’s 2017 rollback of broadband privacy rules in the United States — ISPs have increasingly treated DNS query data as a revenue stream.</p>

<p>The model works as follows:</p>

<ol>
  <li>
    <p><strong>Collection</strong> — All DNS queries from customers are logged at the recursive resolver level. At scale, a major ISP like Comcast, AT&amp;T, or Verizon handles hundreds of millions of queries per day.</p>
  </li>
  <li>
    <p><strong>Profiling</strong> — Queries are correlated with subscriber accounts (tied to billing address, real identity) and analyzed to build behavioral profiles: interest categories, lifestyle segments, purchase intent signals.</p>
  </li>
  <li>
    <p><strong>Monetization</strong> — Profiles are sold to data brokers, used directly for targeted advertising, or licensed to third-party analytics firms.</p>
  </li>
</ol>

<p>Verizon’s “Relevant Mobile Advertising” program, AT&amp;T’s “Internet Preferences” program, and similar initiatives by Comcast have all used or proposed using browsing and DNS data for advertising purposes. The legal basis varies by jurisdiction, and opt-out mechanisms — when they exist — are often buried in terms of service.</p>

<h3 id="government-mandated-dns-logging-and-lawful-transparency">Government-Mandated DNS Logging and “Lawful Transparency”</h3>

<p>Beyond commercial monetization, a parallel trend has emerged: government-mandated DNS logging under the guise of security or legal compliance.</p>

<p><strong>United Kingdom — Investigatory Powers Act (2016)</strong><br />
Often called the “Snoopers’ Charter,” this legislation requires ISPs to retain “Internet Connection Records” — which include DNS query logs — for 12 months and make them accessible to a wide range of government agencies without requiring a judicial warrant.</p>

<p><strong>Australia — Telecommunications (Interception and Access) Act</strong><br />
Australia’s metadata retention scheme requires telecommunications providers to retain metadata including destination IP addresses and connection logs for two years. DNS data falls within scope.</p>

<p><strong>European Union — Network and Information Security Directive (NIS2)</strong><br />
While framed around cybersecurity, NIS2 and related EU DNS4EU initiatives push for centralized DNS infrastructure that provides governments with visibility into DNS traffic for “threat intelligence” purposes. The line between security monitoring and surveillance is, charitably, blurry.</p>

<p><strong>United States — NSA/PRISM Era and Beyond</strong><br />
Edward Snowden’s 2013 disclosures revealed that the NSA operated programs collecting DNS query data at scale through programs like MUSCULAR, which tapped directly into the backbone links between data centers. Post-Snowden reforms were narrow; bulk collection of metadata — including DNS — remains legally permissible under authorities like EO 12333.</p>

<p><strong>Russia, China, Turkey, and Others</strong><br />
Authoritarian states have gone furthest, implementing DNS-level filtering, mandatory resolution through state-controlled resolvers, and systematic logging of all DNS traffic as a matter of official policy. Russia’s RuNet isolation architecture and China’s Great Firewall both operate substantially through DNS interception and manipulation.</p>

<h3 id="the-transparency-framing-problem">The “Transparency” Framing Problem</h3>

<p>The term “DNS transparency” has been co-opted in a way that deserves scrutiny. In cryptography and protocol design, “transparency” is a positive property — it means operations are auditable and verifiable. Certificate Transparency (CT), for example, is genuinely good: it creates a public, append-only log of issued TLS certificates that enables detection of misissued certificates.</p>

<p>But “DNS transparency” in the ISP context means something different and more troubling: <strong>it means that your DNS queries are transparent to the ISPs</strong> — not transparent to you in any auditable sense. It is surveillance wearing the clothing of an engineering virtue.</p>

<hr />

<h2 id="part-iv-the-security-and-privacy-risk-landscape">Part IV: The Security and Privacy Risk Landscape</h2>

<h3 id="threat-model-who-are-you-protecting-against">Threat Model: Who Are You Protecting Against?</h3>

<p>Understanding DNS leakage risks requires clarity about threat actors. These are not equivalent:</p>

<table>
  <thead>
    <tr>
      <th>Threat Actor</th>
      <th>Capability</th>
      <th>Motivation</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Your ISP</td>
      <td>Passive DNS logging, traffic analysis</td>
      <td>Commercial monetization, regulatory compliance</td>
    </tr>
    <tr>
      <td>Government agencies</td>
      <td>Compelled disclosure, direct access</td>
      <td>Law enforcement, intelligence gathering</td>
    </tr>
    <tr>
      <td>Network adversaries (MITM)</td>
      <td>DNS spoofing, query interception</td>
      <td>Targeted attacks, credential harvesting</td>
    </tr>
    <tr>
      <td>Data brokers</td>
      <td>Purchase of ISP data</td>
      <td>Profiling for resale</td>
    </tr>
    <tr>
      <td>Malicious resolvers</td>
      <td>Response manipulation, logging</td>
      <td>Phishing, malware delivery</td>
    </tr>
    <tr>
      <td>Employers / network admins</td>
      <td>DNS-level filtering and logging</td>
      <td>Policy enforcement, productivity monitoring</td>
    </tr>
  </tbody>
</table>

<p>Most users face meaningful exposure in several of these categories simultaneously.</p>

<h3 id="attack-vectors-enabled-by-dns-leakage">Attack Vectors Enabled by DNS Leakage</h3>

<h4 id="dns-cache-poisoning">DNS Cache Poisoning</h4>
<p>An attacker who can observe a DNS query — its transaction ID and source port — can race to inject a forged response before the legitimate reply arrives. A poisoned cache entry redirects all users of that resolver to an attacker-controlled IP. In 2008, Dan Kaminsky’s discovery of a fundamental DNS cache poisoning vulnerability triggered a global emergency patch cycle affecting virtually every DNS implementation. The underlying protocol weakness — no cryptographic authentication of responses — remains in plain DNS.</p>

<h4 id="dns-hijacking-for-credential-harvesting">DNS Hijacking for Credential Harvesting</h4>
<p>By poisoning a resolver’s cache for <code class="language-plaintext highlighter-rouge">bank.example.com</code>, an attacker serves a convincing phishing page at the correct URL. Because the domain resolves to the wrong IP, HTTPS certificate warnings may (or may not) appear depending on whether the attacker has obtained a certificate. Lack of DNSSEC validation makes this attack easier.</p>

<h4 id="dns-tunneling-for-data-exfiltration">DNS Tunneling for Data Exfiltration</h4>
<p>Malware and attackers can use DNS as a covert channel to exfiltrate data or receive command-and-control instructions, encoding data in subdomain names (<code class="language-plaintext highlighter-rouge">c29tZS1kYXRh.evil.com</code>). Because DNS traffic is frequently allowed through firewalls that block other protocols, this technique is disturbingly effective. Organizations that log and analyze DNS can detect anomalous query patterns; those that don’t are blind to this vector.</p>

<h4 id="isp-nxdomain-hijacking">ISP NXDOMAIN Hijacking</h4>
<p>Rather than returning a proper NXDOMAIN response for non-existent domains, many ISPs hijack these responses to serve ad-laden “search” pages. Beyond the obvious annoyance, this behavior:</p>
<ul>
  <li>Breaks software that relies on NXDOMAIN responses for service discovery</li>
  <li>Creates a vector for phishing (users may click links on the “search” page)</li>
  <li>Leaks even failed resolution attempts to the ISP’s advertising infrastructure</li>
</ul>

<h4 id="timing-and-correlation-attacks">Timing and Correlation Attacks</h4>
<p>Even without reading query content, an observer can correlate the <em>timing</em> and <em>frequency</em> of DNS queries against known patterns. When does a journalist resolve domains associated with a particular whistleblower platform? When does an employee resolve a competitor’s job application portal? These correlations are actionable even in the absence of content.</p>

<h4 id="osint-and-deanonymization">OSINT and Deanonymization</h4>
<p>Researchers, law enforcement, and malicious actors routinely use passive DNS databases — repositories of historical DNS query/response pairs — to map infrastructure, track threat actors, and identify relationships between domains and IP addresses. Data contributed to these databases often comes from ISP resolver logs (sold or leaked) and from compromised resolvers.</p>

<h3 id="real-world-consequences">Real-World Consequences</h3>

<p>These risks are not theoretical:</p>

<ul>
  <li><strong>Kazakhstan (2019):</strong> The government mandated that all internet users install a state-issued “security certificate” — effectively a root CA — enabling man-in-the-middle attacks on all HTTPS traffic, with DNS as the entry point for traffic interception.</li>
  <li><strong>Turkey (2014, 2022):</strong> The Turkish government repeatedly ordered ISPs to block Twitter and other services via DNS hijacking, demonstrating how DNS control translates directly to censorship capability.</li>
  <li><strong>US ISP DNS Sale (2017):</strong> Following the FCC rule rollback, multiple major US ISPs publicly announced or quietly implemented programs to monetize DNS and browsing data.</li>
  <li><strong>BGP/DNS Hijacking of MyEtherWallet (2018):</strong> Attackers hijacked BGP routes for AWS DNS servers, redirecting MyEtherWallet users to a phishing site, stealing approximately $150,000 in cryptocurrency in under two hours.</li>
</ul>

<hr />

<h2 id="part-v-the-technical-countermeasures">Part V: The Technical Countermeasures</h2>

<h3 id="1-dns-over-https-doh">1. DNS over HTTPS (DoH)</h3>

<table>
  <tbody>
    <tr>
      <td>**RFC 8484</td>
      <td>Standardized 2018**</td>
    </tr>
  </tbody>
</table>

<p>DoH encapsulates DNS queries within HTTPS connections — the same protocol used for ordinary web traffic. Queries travel encrypted to a DoH-capable resolver, indistinguishable from regular HTTPS traffic.</p>

<p><strong>Advantages:</strong></p>
<ul>
  <li>Queries are encrypted in transit; ISPs and network observers cannot read query content</li>
  <li>Traffic is encrypted from the system to the resolver, preventing MITM</li>
  <li>Blends with normal HTTPS traffic, making it difficult to block without collateral damage</li>
  <li>Supported natively in Firefox, Chrome, Edge, and Windows 11</li>
</ul>

<p><strong>Limitations:</strong></p>
<ul>
  <li>Shifts trust from the ISP to the DoH resolver (Cloudflare, Google, NextDNS, etc.) — you must trust whoever operates it</li>
  <li>Does not prevent the resolver from logging queries</li>
  <li>Can be blocked by deep packet inspection if the resolver’s IP is known and blocked</li>
  <li>Does not protect against a malicious or compromised DoH resolver</li>
</ul>

<p><strong>Implementation:</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Example: systemd-resolved with DoT (Linux)
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes

# Firefox: about:config
network.trr.mode = 2  # DoH preferred, fallback to system
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
</code></pre></div></div>

<h3 id="2-dns-over-tls-dot">2. DNS over TLS (DoT)</h3>

<table>
  <tbody>
    <tr>
      <td>**RFC 7858</td>
      <td>Standardized 2016**</td>
    </tr>
  </tbody>
</table>

<p>DoT encrypts DNS queries within a TLS connection on a dedicated port (TCP 853). Unlike DoH, it uses a distinct port, making it identifiable — and blockable — by network operators.</p>

<p><strong>Advantages:</strong></p>
<ul>
  <li>Strong encryption with TLS; resistant to eavesdropping</li>
  <li>Clear separation of concerns (port 853 is exclusively DNS)</li>
  <li>Easier to audit and control at the network level</li>
</ul>

<p><strong>Limitations:</strong></p>
<ul>
  <li>Port 853 is frequently blocked by corporate firewalls and in restrictive network environments</li>
  <li>More easily distinguishable and blockable than DoH</li>
  <li>Same resolver-trust problem as DoH</li>
</ul>

<h3 id="3-dns-over-quic-doq">3. DNS over QUIC (DoQ)</h3>

<table>
  <tbody>
    <tr>
      <td>**RFC 9250</td>
      <td>Standardized 2022**</td>
    </tr>
  </tbody>
</table>

<p>DoQ carries DNS over the QUIC transport protocol, which offers TLS 1.3 encryption, reduced connection latency (0-RTT handshakes), and multiplexing without head-of-line blocking.</p>

<p><strong>Advantages:</strong></p>
<ul>
  <li>Encrypted (TLS 1.3 minimum)</li>
  <li>Lower latency than DoT (no TCP handshake overhead)</li>
  <li>Resilient to packet loss</li>
</ul>

<p><strong>Limitations:</strong></p>
<ul>
  <li>Nascent ecosystem; limited resolver and client support as of 2025</li>
  <li>QUIC’s UDP-based transport is increasingly throttled or blocked on some networks</li>
</ul>

<h3 id="4-dnssec">4. DNSSEC</h3>

<table>
  <tbody>
    <tr>
      <td>**RFC 4033–4035</td>
      <td>Widely deployed from ~2010**</td>
    </tr>
  </tbody>
</table>

<p>DNSSEC adds cryptographic signatures to DNS records, enabling resolvers to verify that responses are authentic and unmodified. It does <strong>not</strong> encrypt queries — it provides integrity, not confidentiality.</p>

<p><strong>What DNSSEC solves:</strong></p>
<ul>
  <li>Cache poisoning (forged responses are rejected if signatures don’t validate)</li>
  <li>DNS hijacking by intermediate resolvers (response integrity is verifiable)</li>
</ul>

<p><strong>What DNSSEC does not solve:</strong></p>
<ul>
  <li>Eavesdropping (queries are still plaintext)</li>
  <li>Malicious-but-legitimate resolvers (they can still log what they receive)</li>
  <li>ISP surveillance</li>
</ul>

<p><strong>Deployment gap:</strong> Despite being standardized since the early 2000s, DNSSEC adoption remains incomplete. Approximately 40% of global DNS traffic is DNSSEC-validated as of 2024, but many domains still lack DNSSEC signatures, and many resolvers skip validation.</p>

<h3 id="5-oblivious-dns-over-https-odoh">5. Oblivious DNS over HTTPS (ODoH)</h3>

<table>
  <tbody>
    <tr>
      <td>**RFC 9230</td>
      <td>2022**</td>
    </tr>
  </tbody>
</table>

<p>ODoH is an elegant cryptographic protocol that separates knowledge of <em>who is asking</em> from knowledge of <em>what is being asked</em> by introducing an untrusted proxy:</p>

<ol>
  <li>The client encrypts the DNS query with the resolver’s public key</li>
  <li>The encrypted query is sent to an <strong>ODoH Proxy</strong> — a separate entity that knows the client’s IP but cannot read the query</li>
  <li>The proxy forwards it to the <strong>ODoH Resolver</strong>, which can read the query but sees only the proxy’s IP, not the client’s</li>
  <li>The response is encrypted back through the chain</li>
</ol>

<p><strong>The key property:</strong> No single entity knows both who is asking and what they are asking. Even a colluding proxy and resolver cannot reconstruct the full picture unless they share logs — which the protocol is designed to make difficult to hide.</p>

<p><strong>Current state:</strong> Cloudflare operates an ODoH service. Adoption is growing but remains limited to privacy-focused applications and technically sophisticated users.</p>

<h3 id="6-encrypted-client-hello-ech--the-missing-piece">6. Encrypted Client Hello (ECH) — The Missing Piece</h3>

<p>Even with DoH protecting DNS queries, a subtle privacy leak remains: the TLS <strong>Server Name Indication (SNI)</strong> field. When your browser opens an HTTPS connection, it sends the target domain name in plaintext in the TLS ClientHello message — so that servers hosting multiple domains know which certificate to present.</p>

<p>SNI is visible to network observers even when DNS is encrypted. An ISP cannot read the query, but can read the TLS handshake.</p>

<p><strong>ECH (formerly ESNI)</strong> encrypts the SNI field using a public key published in the domain’s DNS record (requiring HTTPS DNS record types and DNSSEC). When combined with DoH:</p>

<ul>
  <li>DNS query: encrypted via DoH ✓</li>
  <li>TLS handshake SNI: encrypted via ECH ✓</li>
  <li>The resulting traffic reveals the <em>outer</em> domain (typically a CDN like Cloudflare) but not the actual destination ✓</li>
</ul>

<p>ECH is supported in Firefox, Chrome (behind a flag), and Cloudflare’s infrastructure. Full ecosystem deployment is ongoing.</p>

<h3 id="7-running-your-own-recursive-resolver">7. Running Your Own Recursive Resolver</h3>

<p>For advanced users, running a local recursive resolver eliminates dependence on a third-party resolver for confidentiality:</p>

<p><strong>Options:</strong></p>
<ul>
  <li><strong>Unbound</strong> — Widely-used, high-performance validating resolver with DNSSEC support</li>
  <li><strong>Pi-hole + Unbound</strong> — Network-wide DNS filtering with local recursive resolution</li>
  <li><strong>BIND 9</strong> — The reference implementation, powerful but complex</li>
</ul>

<p><strong>What this achieves:</strong> Queries leave your machine and go directly to authoritative servers (root → TLD → authoritative), bypassing your ISP’s resolver entirely. Your ISP still sees the <em>destination IPs</em> of DNS traffic but not the query content if you use DoT/DoH for the upstream leg.</p>

<p><strong>What this doesn’t achieve:</strong> Queries to authoritative nameservers are still in plaintext. Each authoritative server you contact sees your IP. For most threat models, this is acceptable; for high-sensitivity use cases, combine with Tor or ODoH.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Unbound local resolver config snippet (/etc/unbound/unbound.conf)</span>
server:
    verbosity: 1
    interface: 127.0.0.1
    port: 5335
    <span class="k">do</span><span class="nt">-ip4</span>: <span class="nb">yes
    </span><span class="k">do</span><span class="nt">-udp</span>: <span class="nb">yes
    </span><span class="k">do</span><span class="nt">-tcp</span>: <span class="nb">yes
    </span><span class="k">do</span><span class="nt">-ip6</span>: no

    <span class="c"># DNSSEC validation</span>
    auto-trust-anchor-file: <span class="s2">"/var/lib/unbound/root.key"</span>

    <span class="c"># Harden against cache poisoning</span>
    harden-glue: <span class="nb">yes
    </span>harden-dnssec-stripped: <span class="nb">yes
    </span>use-caps-for-id: <span class="nb">yes</span>   <span class="c"># 0x20 encoding randomization</span>

    <span class="c"># Reduce attack surface</span>
    hide-identity: <span class="nb">yes
    </span>hide-version: <span class="nb">yes</span>

    <span class="c"># Cache settings</span>
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: <span class="nb">yes</span>
</code></pre></div></div>

<h3 id="8-vpn-with-dns-leak-protection">8. VPN with DNS Leak Protection</h3>

<p>If using a VPN, verify that:</p>

<ol>
  <li><strong>DNS requests are routed through the VPN tunnel</strong> — Not split-tunneled or sent to the local network’s resolver</li>
  <li><strong>Kill switch is enabled</strong> — Drops internet traffic if the VPN disconnects, preventing leak exposure during reconnection</li>
  <li><strong>IPv6 is disabled or tunneled</strong> — Prevents IPv6 DNS leakage</li>
  <li><strong>WebRTC is disabled in browser settings</strong> — Prevents browser-level IP and DNS leaks</li>
</ol>

<h3 id="countermeasure-effectiveness-summary">Countermeasure Effectiveness Summary</h3>

<p>Not all countermeasures defend against the same threat. DNS leakage (queries escaping a 
protected tunnel), ISP DNS transparency (systematic resolver-level surveillance), and TLS 
handshake leakage (the SNI field exposing your destination even after DNS is encrypted) are 
distinct problems that require distinct solutions. DNSSEC stands apart entirely — it provides 
cryptographic response integrity, not confidentiality, and belongs to a different layer of the 
privacy stack. Critically, DoH and ECH are complementary, not redundant: DoH encrypts the DNS 
query, ECH encrypts the TLS handshake that follows it. A network observer blocked by DoH can 
still read SNI in plaintext without ECH — and vice versa. Both are required to prevent 
destination reconstruction from network traffic.</p>

<table>
  <thead>
    <tr>
      <th>Countermeasure</th>
      <th>DNS Transparency</th>
      <th>DNS Leakage</th>
      <th>TLS Handshake Leakage</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>DoH (non-ISP resolver)</td>
      <td>✅ Strong</td>
      <td>⚠️ Partial</td>
      <td>❌ None</td>
    </tr>
    <tr>
      <td>DoT (non-ISP resolver)</td>
      <td>✅ Strong</td>
      <td>⚠️ Partial</td>
      <td>❌ None</td>
    </tr>
    <tr>
      <td>DoQ</td>
      <td>✅ Strong</td>
      <td>⚠️ Partial</td>
      <td>❌ None</td>
    </tr>
    <tr>
      <td>ODoH</td>
      <td>✅ Strongest</td>
      <td>⚠️ Partial</td>
      <td>❌ None</td>
    </tr>
    <tr>
      <td>VPN (leak-protected)</td>
      <td>✅ Strong</td>
      <td>✅ Strong</td>
      <td>✅ Yes (tunneled)</td>
    </tr>
    <tr>
      <td>Self-hosted resolver</td>
      <td>⚠️ Partial</td>
      <td>✅ Strong</td>
      <td>N/A</td>
    </tr>
    <tr>
      <td>ECH</td>
      <td>❌ None</td>
      <td>❌ None</td>
      <td>✅ Yes — encrypts SNI</td>
    </tr>
    <tr>
      <td>DNSSEC</td>
      <td>N/A</td>
      <td>N/A</td>
      <td>N/A</td>
    </tr>
  </tbody>
</table>

<p><strong>Verification tools:</strong></p>
<ul>
  <li><code class="language-plaintext highlighter-rouge">dnsleaktest.com</code> — Tests which resolver(s) your queries reach</li>
  <li><code class="language-plaintext highlighter-rouge">ipleak.net</code> — Comprehensive IP, DNS, and WebRTC leak test</li>
  <li><code class="language-plaintext highlighter-rouge">browserleaks.com</code> — Detailed browser fingerprint and leak analysis</li>
</ul>

<p><strong>Important caveat:</strong> A VPN shifts the trust relationship from your ISP to your VPN provider. If your VPN provider logs DNS queries (many do, despite “no-log” marketing claims), you have not meaningfully improved your privacy — you’ve merely changed who is surveilling you. Verify VPN providers through independent audits, not marketing materials.</p>

<hr />

<h2 id="part-vi-choosing-a-resolver--the-trust-trade-off">Part VI: Choosing a Resolver — The Trust Trade-Off</h2>

<p>If you cannot (or choose not to) run your own recursive resolver, you must place trust in a third-party resolver. This is unavoidable — the question is <em>who</em> you trust and on what basis.</p>

<table>
  <thead>
    <tr>
      <th>Resolver</th>
      <th>Operator</th>
      <th>DoH</th>
      <th>DoT</th>
      <th>DoQ</th>
      <th>Logging Policy</th>
      <th>DNSSEC</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">1.1.1.1</code></td>
      <td>Cloudflare</td>
      <td>✓</td>
      <td>✓</td>
      <td>✓</td>
      <td>Purged within 24h; KPMG-audited</td>
      <td>✓</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">8.8.8.8</code></td>
      <td>Google</td>
      <td>✓</td>
      <td>✓</td>
      <td>—</td>
      <td>Logged; anonymized after 24–48h</td>
      <td>✓</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">9.9.9.9</code></td>
      <td>Quad9 (non-profit)</td>
      <td>✓</td>
      <td>✓</td>
      <td>✓</td>
      <td>No PII logged</td>
      <td>✓</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">94.140.14.14</code></td>
      <td>AdGuard</td>
      <td>✓</td>
      <td>✓</td>
      <td>✓</td>
      <td>No logging (unverified by audit)</td>
      <td>✓</td>
    </tr>
    <tr>
      <td>NextDNS</td>
      <td>NextDNS Inc.</td>
      <td>✓</td>
      <td>✓</td>
      <td>✓</td>
      <td>Configurable; logs visible to user</td>
      <td>✓</td>
    </tr>
  </tbody>
</table>

<p><strong>Recommendation framework:</strong></p>
<ul>
  <li><strong>Default privacy:</strong> Cloudflare <code class="language-plaintext highlighter-rouge">1.1.1.1</code> with DoH/DoT — well-audited, fast, established no-logging commitment</li>
  <li><strong>Non-profit preference:</strong> Quad9 <code class="language-plaintext highlighter-rouge">9.9.9.9</code> — non-profit operator, malware blocking, strong privacy stance</li>
  <li><strong>Maximum control:</strong> Self-hosted Unbound with Cloudflare or Quad9 as upstream DoT/DoH forwarder</li>
  <li><strong>Maximum privacy:</strong> ODoH via Cloudflare + Fastly proxy partnership</li>
</ul>

<hr />

<h2 id="part-vii-organizational-and-enterprise-considerations">Part VII: Organizational and Enterprise Considerations</h2>

<p>DNS privacy is not only a personal concern. Organizations face distinct DNS-related security risks:</p>

<h3 id="internal-dns-leakage">Internal DNS Leakage</h3>
<p>Corporate devices configured with split-DNS (internal domains resolved locally, public domains via ISP) frequently leak internal DNS structure when employees work remotely. Queries for <code class="language-plaintext highlighter-rouge">internal.corp.example.com</code> may reach public resolvers, exposing organizational structure, application names, and internal service topology.</p>

<p><strong>Mitigation:</strong> Enforce VPN-based DNS resolution for all corporate devices when outside the office network; use DNSSEC-signed internal zones; monitor for anomalous query patterns.</p>

<h3 id="dns-as-an-exfiltration-channel">DNS as an Exfiltration Channel</h3>
<p>Attackers who have compromised internal systems routinely use DNS tunneling to exfiltrate data, since port 53 is almost universally permitted through firewalls. Each query to an attacker-controlled authoritative server carries a small payload of exfiltrated data in the subdomain label.</p>

<p><strong>Detection signals:</strong></p>
<ul>
  <li>Abnormally long subdomain labels (&gt; 50 characters)</li>
  <li>High query rates to a single second-level domain</li>
  <li>High entropy in subdomain strings (base64/hex encoded data)</li>
  <li>Queries for non-existent domains following a pattern</li>
</ul>

<p><strong>Mitigation:</strong> DNS traffic analysis (Zeek/Bro, Cisco Umbrella, Infoblox BloxOne); RPZ (Response Policy Zones) to block known malicious domains; anomaly detection on query volumes.</p>

<h3 id="third-party-resolver-risk-for-organizations">Third-Party Resolver Risk for Organizations</h3>
<p>Large organizations that outsource DNS resolution to cloud providers (Google, Cloudflare, AWS Route 53 Resolver) are exposing their full query profile to those providers. This includes competitive intelligence signals, merger and acquisition research activity, and partner relationship data visible in DNS patterns.</p>

<hr />

<h2 id="part-viii-a-practical-prevention-checklist">Part VIII: A Practical Prevention Checklist</h2>

<h3 id="for-individual-users">For Individual Users</h3>

<ul class="task-list">
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Enable DoH or DoT</strong> in your operating system and/or browser, pointed at a trustworthy resolver</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Verify your VPN doesn’t leak DNS</strong> using <code class="language-plaintext highlighter-rouge">dnsleaktest.com</code></li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Disable WebRTC</strong> in Firefox (<code class="language-plaintext highlighter-rouge">media.peerconnection.enabled = false</code> in <code class="language-plaintext highlighter-rouge">about:config</code>) or use a WebRTC control extension in Chrome</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Disable IPv6</strong> if your VPN doesn’t tunnel it, or verify your VPN client handles it correctly</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Enable ECH</strong> in Firefox (enabled by default in recent versions) and Chrome (via <code class="language-plaintext highlighter-rouge">chrome://flags</code>)</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Consider Pi-hole + Unbound</strong> for network-wide encrypted recursive resolution</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Audit your router’s DNS settings</strong> — many home routers ignore client-configured DNS and forward everything to the ISP resolver</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Use a VPN provider with independently audited no-logging</strong> — look for audits, not marketing claims</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Run a DNS leak test</strong> periodically, especially after VPN updates or OS upgrades</li>
</ul>

<h3 id="for-developers-and-system-administrators">For Developers and System Administrators</h3>

<ul class="task-list">
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Sign your domains with DNSSEC</strong> — protects users of your services from spoofing</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Publish HTTPS DNS records</strong> with ECH public keys for your domains</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Monitor your organization’s DNS traffic</strong> for exfiltration patterns</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Implement RPZ filtering</strong> to block known malicious resolver responses</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Audit split-DNS configurations</strong> for internal domain leakage</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Use DNS over TLS for upstream resolver communication</strong> in Unbound/BIND configurations</li>
  <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><strong>Log and alert on high-entropy subdomain queries</strong> as a DNS tunneling detection signal</li>
</ul>

<hr />

<h2 id="conclusion-the-quiet-infrastructure-of-surveillance">Conclusion: The Quiet Infrastructure of Surveillance</h2>

<p>DNS was designed in a different world, and it shows. Every day, billions of people trust a 40-year-old unauthenticated plaintext protocol with some of their most sensitive behavioral data, with virtually no indication that this is happening and no meaningful ability to opt out of the default.</p>

<p>The rise of ISP DNS transparency programs — dressed in the language of security and operational necessity — has transformed this incidental exposure into systematic commercial and governmental surveillance infrastructure. The logs exist. They are retained. They are analyzed, sold, and compelled by subpoena. The query you sent three years ago asking about a health condition, a competitor, a legal resource, or a dissident journalist is, in many cases, still sitting in a database somewhere.</p>

<p>The tools to change this exist. DoH, DoT, ODoH, ECH, DNSSEC, self-hosted resolvers — these are not exotic technologies. They are increasingly built into the browsers and operating systems you already use. The friction between “exposed by default” and “protected with intentional configuration” has never been lower.</p>

<p>The internet’s directory doesn’t have to be an open book. But closing it requires understanding that it’s open in the first place.</p>]]></content><author><name></name></author><summary type="html"><![CDATA[The ISP’s So-Called DNS Transparency, and the Quiet Erosion of Your Privacy]]></summary></entry><entry><title type="html">The Watershed Moment We Knew Was Coming</title><link href="https://mendelevium.github.io/mythos-analysis/" rel="alternate" type="text/html" title="The Watershed Moment We Knew Was Coming" /><published>2026-04-08T00:00:00+00:00</published><updated>2026-04-08T00:00:00+00:00</updated><id>https://mendelevium.github.io/mythos-analysis</id><content type="html" xml:base="https://mendelevium.github.io/mythos-analysis/"><![CDATA[<p>Independent analysis of Anthropic’s Claude Mythos Preview cybersecurity disclosure · April 7, 2026</p>

<hr />

<p>Anthropic’s disclosure today about Claude Mythos Preview is not a product announcement. It is a civilizational inflection point for computer security — one that demands a frank assessment of what has changed, what it means for defenders and attackers alike, and what the industry must do immediately.</p>

<blockquote>
  <p><strong>Critical Finding:</strong> Mythos Preview autonomously identifies and fully exploits zero-day vulnerabilities across every major operating system and every major web browser — including a 27-year-old OpenBSD bug, a 17-year-old FreeBSD remote root exploit, and multiple chained Linux kernel privilege escalation chains — all without human intervention after a single prompt.</p>
</blockquote>

<hr />

<h2 id="the-quantitative-leap-is-real">The Quantitative Leap Is Real</h2>

<p>The security community is accustomed to incremental improvements in tooling. What Anthropic describes with Mythos Preview is not incremental. The numbers tell a stark story:</p>

<table>
  <thead>
    <tr>
      <th>Metric</th>
      <th>Figure</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Improvement over Opus 4.6 on Firefox exploit benchmark</td>
      <td><strong>181×</strong></td>
    </tr>
    <tr>
      <td>Full control-flow hijacks (tier 5) on fully-patched OSS-Fuzz targets</td>
      <td><strong>10</strong></td>
    </tr>
    <tr>
      <td>API cost to build a complete Linux kernel LPE exploit chain</td>
      <td><strong>&lt;$1,000</strong></td>
    </tr>
  </tbody>
</table>

<p>To understand why the 181× figure matters, you need context. Opus 4.6 — itself a frontier model — succeeded in generating Firefox shell exploits only twice in hundreds of attempts. Mythos Preview succeeded 181 times on the same corpus. This is not a marginal improvement. It is a phase transition.</p>

<p>The tier-5 OSS-Fuzz result is equally significant. Reaching full control-flow hijack on a hardened, fully-patched target requires more than finding a bug — it requires constructing a working exploit chain against active mitigations. Mythos Preview did this ten times, on ten independent targets, in a single automated pass. Prior frontier models achieved it once each.</p>

<blockquote>
  <p><em>“Engineers at Anthropic with no formal security training asked Mythos Preview to find remote code execution vulnerabilities overnight, and woke up the following morning to a complete, working exploit.”</em></p>
</blockquote>

<p>That sentence deserves to sit on its own. The democratization of offensive capability is no longer theoretical.</p>

<hr />

<h2 id="three-findings-that-define-the-moment">Three Findings That Define the Moment</h2>

<p>The report documents dozens of vulnerabilities. Three deserve specific attention from a research perspective, as they reveal qualitatively different capability dimensions.</p>

<h3 id="openbsd-tcp-sack--signed-integer-overflow-leading-to-null-pointer-dereference">OpenBSD TCP SACK — signed integer overflow leading to null-pointer dereference</h3>
<p><strong>Age:</strong> 27 years | <strong>Impact:</strong> Remote denial-of-service</p>

<p>The vulnerability requires Mythos Preview to simultaneously reason about two interacting bugs: an unchecked lower-bound on SACK block start values, and a conditional append path that relies on a pointer the first bug can implicitly free. Neither bug is exploitable alone. Finding the interaction requires holding the full TCP SACK state machine in mind while reading C — a task that demands genuine semantic understanding of protocol semantics, not pattern matching.</p>

<p>This is the hardest category of bug to find by fuzzing: no memory sanitizer fires, no crash occurs on typical inputs, and the dangerous condition requires a specific two-field relationship across two packets. The model found it in under $50 of compute. A thousand-run campaign across the entire OpenBSD codebase cost under $20,000.</p>

<h3 id="cve-2026-4747--freebsd-nfs-remote-code-execution">CVE-2026-4747 — FreeBSD NFS remote code execution</h3>
<p><strong>Age:</strong> 17 years | <strong>Impact:</strong> Unauthenticated remote root</p>

<p>This is the most operationally significant finding in the disclosure. An unauthenticated remote attacker can gain full root on any internet-exposed FreeBSD NFS server. Mythos Preview not only found the 96-byte stack overflow in the RPCSEC_GSS authentication handler — it independently identified that the standard <code class="language-plaintext highlighter-rouge">-fstack-protector</code> flag was insufficient (the buffer is declared as <code class="language-plaintext highlighter-rouge">int32_t[32]</code>, not a char array, so no stack canary is emitted), resolved the handle authentication challenge using an NFSv4 EXCHANGE_ID information disclosure as a side channel, and wrote a 20-gadget ROP chain split across six sequential packets to fit within the overflow budget. The entire discovery-to-exploit pipeline required zero human guidance after an initial prompt.</p>

<h3 id="linux-kernel--multi-vulnerability-chain-kaslr-bypass--arbitrary-write--root">Linux kernel — multi-vulnerability chain (KASLR bypass + arbitrary write → root)</h3>
<p><strong>Impact:</strong> Local privilege escalation via autonomous multi-step exploit chaining</p>

<p>The Linux exploit chains demonstrate the most alarming capability of all: autonomous multi-step reasoning across vulnerability classes. Mythos Preview independently identified that a given write primitive was blind without a KASLR bypass, independently identified a separate read vulnerability to serve that purpose, and chained them — sometimes alongside a third or fourth vulnerability — into a working root exploit.</p>

<p>The documented <code class="language-plaintext highlighter-rouge">ipset</code> bitmap chain is particularly impressive: exploiting a one-bit OOB write to flip <code class="language-plaintext highlighter-rouge">_PAGE_RW</code> in a physically-adjacent page table entry, enabling a writable shared mapping of <code class="language-plaintext highlighter-rouge">/usr/bin/passwd</code>, requires precisely sequenced SLUB heap grooming across the SLUB, PCP freelist, and buddy allocator. This is graduate-level kernel exploitation. It took the model under a day and under $1,000.</p>

<hr />

<h2 id="the-capability-trajectory-is-the-real-story">The Capability Trajectory Is the Real Story</h2>

<p>The individual findings, alarming as they are, are not the primary message. The trajectory is. Anthropic’s own red team <a href="https://red.anthropic.com/2026/firefox/">wrote just last month</a> that “Opus 4.6 is currently far better at identifying and fixing vulnerabilities than at exploiting them.” Their internal evaluations showed Opus 4.6 had near-zero autonomous exploit success rates. Mythos Preview, released weeks later, demolishes those benchmarks.</p>

<p><strong>~12 months ago:</strong> Frontier models cannot identify non-trivial vulnerabilities autonomously. Benchmarks show 0% success on tier-3+ crash severity against patched OSS-Fuzz targets.</p>

<p><strong>~6 months ago:</strong> Models begin finding real vulnerabilities. Opus 4.6 sends 112 confirmed true-positive bugs to Mozilla. Exploit capability remains near-zero — findings require human operators to develop into PoC exploits.</p>

<p><strong>Last month:</strong> Opus 4.6 achieves two Firefox exploits in hundreds of attempts. Independent researchers demonstrate it can exploit a known CVE with significant human prompting.</p>

<p><strong>Today:</strong> Mythos Preview: 181 Firefox exploits. 10 tier-5 OSS-Fuzz hijacks. Autonomous zero-day discovery and full exploit chain construction. 27-year-old, 17-year-old, 16-year-old bugs found and weaponized overnight.</p>

<h3 id="dont-bank-on-a-plateau">Don’t bank on a plateau</h3>

<p>Some in the security community have begun voicing a quiet hope: that LLM capability gains will plateau before they become truly dangerous, buying the industry time to adapt. This is not a plan. It is a wish dressed up as a forecast.</p>

<p>There is no principled technical basis for expecting a capability ceiling in the near term. The improvements that produced Mythos Preview — general advances in reasoning, code understanding, and autonomous tool use — are not nearing exhaustion. And crucially, the security capabilities described here were not explicitly trained; they emerged as a downstream consequence of general improvements. That means they will continue to improve in step with general model quality, whether labs intend it or not.</p>

<p>Planning enterprise security strategy around an expected plateau is a category error in risk management. You do not design a building’s fire suppression system around a hope that fires will become less common. You design it to handle the fires you can document today, while acknowledging that the threat may worsen. The documented threat, as of today, is substantial.</p>

<p>If this rate of capability gain continues — and there is no principled reason to believe it will not — the industry has between months and a small number of years before models with Mythos-class capabilities become broadly accessible through public APIs. Anthropic is responsibly restricting access for now. Others will not apply the same judgment.</p>

<hr />

<h2 id="what-is-genuinely-new">What Is Genuinely New</h2>

<p>The security community has heard “AI will change security” for years. It is worth being precise about what has actually changed with Mythos Preview versus prior claims:</p>

<table>
  <thead>
    <tr>
      <th>Capability</th>
      <th>Prior state (Opus 4.6)</th>
      <th>Mythos Preview</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Zero-day discovery</td>
      <td>Limited — finds bugs in well-instrumented code</td>
      <td>Systematic — autonomous across all major OSes and browsers</td>
    </tr>
    <tr>
      <td>Exploit development</td>
      <td>Near-zero — 2/hundreds on Firefox benchmark</td>
      <td>Reliable — 181/hundreds; multi-step chains</td>
    </tr>
    <tr>
      <td>Chained exploits</td>
      <td>None documented</td>
      <td>Documented — up to 4-vulnerability chains autonomously</td>
    </tr>
    <tr>
      <td>Closed-source RE</td>
      <td>Limited</td>
      <td>Effective — root on smartphones via firmware analysis</td>
    </tr>
    <tr>
      <td>Non-expert access</td>
      <td>Partial — still requires security background</td>
      <td>Lowered bar — non-security engineers producing working RCE overnight</td>
    </tr>
    <tr>
      <td>N-day speed</td>
      <td>Days–weeks with human assistance</td>
      <td>Hours — fully autonomous from CVE to working exploit</td>
    </tr>
  </tbody>
</table>

<hr />

<h2 id="a-note-on-scope-and-honesty">A Note on Scope and Honesty</h2>

<p>Anthropic cannot disclose 99% of what they found. Their responsible disclosure process means that only bugs already patched can be discussed publicly. The FreeBSD RCE, the OpenBSD SACK crash, and three FFmpeg vulnerabilities are the tip. They commit to SHA-3 hashes of dozens more reports — browser exploit chains, VMM guest-to-host corruption, Linux kernel logic bugs, cryptographic library authentication bypasses — none yet public. What we are reading about is deliberately the least dangerous slice of the findings.</p>

<p>The cryptographic commitment scheme they use (SHA-3 pre-image resistance to prove possession without disclosure) is a thoughtful approach to accountability under responsible disclosure constraints. It allows the research community to verify later that the claims made today are honest, without prematurely releasing exploits for unpatched systems. This is good practice.</p>

<p>The disclosure also appropriately acknowledges uncertainty: they note that Mythos Preview sometimes references previously published exploitation walkthroughs for known CVEs, which partially confounds novelty claims in the N-day section. They address this honestly, and limit novelty claims to their zero-day findings where no such contamination is possible.</p>

<hr />

<h2 id="the-asymmetry-problem--and-why-defenders-have-less-time-than-they-think">The Asymmetry Problem — and Why Defenders Have Less Time Than They Think</h2>

<p>Anthropic makes an important historical analogy to fuzzing. When AFL and libFuzzer emerged, there were similar concerns about attacker uplift. Those tools did benefit attackers initially — and then became foundational defensive infrastructure through OSS-Fuzz and similar programs. The argument is that LLMs will follow the same arc.</p>

<p>The analogy holds, but with a crucial difference in time horizons. Fuzzing’s attacker uplift period was measured in years, during which defenders could adapt. The N-day exploit result in this paper — CVE to working exploit in hours, fully autonomously, for under $2,000 — compresses a timeline that the security industry’s entire patch-to-deploy infrastructure is not built to handle.</p>

<blockquote>
  <p><strong>Structural Risk:</strong> Current enterprise patch SLAs range from days to months depending on criticality. The gap between public CVE disclosure and deployed patches for widely-used infrastructure software is often measured in weeks. Mythos Preview closes that window to hours. Every day of patch lag that organizations accept as routine is now a window in which autonomous exploitation is feasible — at scale, cheaply, and without requiring specialized human expertise.</p>
</blockquote>

<hr />

<h2 id="on-the-idea-that-visible-catastrophe-would-be-clarifying">On the Idea That Visible Catastrophe Would Be Clarifying</h2>

<p>A tempting but dangerous line of thinking holds that a sufficiently visible failure — a major infrastructure compromise, a cascading breach of critical systems — might function as a forcing mechanism, finally compelling the industry and policymakers to take coordinated action. The logic has a certain grim appeal: perhaps only a concrete demonstration of harm will create the political will to act.</p>

<p>This argument should be rejected, firmly and specifically.</p>

<p>The first problem is that “visible harm” in the context of autonomous cyber exploitation does not look like a controlled demonstration. It looks like hospitals losing access to patient records, power grids failing in winter, financial settlement systems going dark. The costs of these failures fall disproportionately on people who have no agency over the security decisions that caused them — patients, civilians, people who depend on digital infrastructure they cannot audit or improve. A catastrophic breach does not generate clean political lessons; it generates chaos, attribution disputes, and often a security response that trades civil liberties for speed.</p>

<p>The second problem is historical: the security industry has had visible catastrophes. WannaCry. NotPetya. The Colonial Pipeline ransomware. SolarWinds. Each was genuinely alarming. Each generated op-eds and congressional hearings. None produced the systematic, structural change that the moment seemed to demand. There is little reason to believe that an AI-enabled equivalent would be different — and considerable reason to believe the scale of harm would be larger.</p>

<p>The right model is not to wait for a catastrophe that finally forces action. It is to treat the published evidence as sufficient grounds for action now, before the catastrophe, while the window to act proactively remains open.</p>

<hr />

<h2 id="immediate-recommendations-for-defenders">Immediate Recommendations for Defenders</h2>

<p><strong>01 — Deploy current frontier models for vulnerability discovery now.</strong> Opus 4.6 and equivalent models already find high- and critical-severity vulnerabilities systematically. Projects without LLM-assisted vulnerability scanning are leaving known bugs on the table. Set up the scaffolding today — the marginal cost is low and the defensive value is immediate.</p>

<p><strong>02 — Treat patch lag as the primary risk surface.</strong> Reduce time-to-deploy for security patches to as close to zero as operationally feasible. Enable automatic updates wherever possible. CVE-to-exploit timelines are now measured in hours for a well-resourced attacker. Dependency bumps carrying CVE fixes are not routine maintenance — they are urgent security responses.</p>

<p><strong>03 — Re-evaluate friction-based mitigations.</strong> Many defense-in-depth measures work by making exploitation tedious rather than impossible — stack canaries, ASLR, partial RELRO. Mythos Preview grinds through this tedium systematically and at scale. The FreeBSD exploit is a clear example: what an attacker would have needed days to work through, the model handled in hours. Mitigations that impose hard cryptographic or architectural barriers (W^X, CFI, memory-safe rewrites) remain valuable. Friction-only measures need honest re-evaluation.</p>

<p><strong>04 — Assume legacy codebases have undiscovered critical vulnerabilities.</strong> The 27-year OpenBSD bug, the 17-year FreeBSD bug, and the 16-year FFmpeg bug were all in heavily-audited, well-fuzzed codebases. If Mythos Preview can find these, similar bugs almost certainly exist in less scrutinized legacy systems. The question is not whether your critical infrastructure has undiscovered vulnerabilities — it does. The question is who finds them first.</p>

<p><strong>05 — Automate incident response triage now.</strong> If vulnerability discovery and exploit development can be automated, so must early-stage incident response. Detection, alert triage, and preliminary root-cause analysis need model assistance. The volume of security events is about to increase dramatically; organizations cannot staff their way through it.</p>

<p><strong>06 — Revisit vulnerability disclosure policies for scale.</strong> Coordinated vulnerability disclosure was designed for a world where a skilled researcher might find a handful of critical bugs per year. Mythos Preview found thousands of high- and critical-severity vulnerabilities in weeks. Disclosure pipelines, maintainer bandwidth, and legal frameworks are not built for this volume. The industry needs new infrastructure.</p>

<hr />

<h2 id="the-uncomfortable-conclusion">The Uncomfortable Conclusion</h2>

<p>Anthropic ends their report with a reference to Linus’s Law: “Given enough eyeballs, all bugs are shallow.” The point is that language models now provide essentially unlimited eyeballs — tireless, systematic, and increasingly capable of not just finding bugs but exploiting them.</p>

<p>There is a version of this story with a good ending. Mythos Preview, used defensively through Project Glasswing and similar programs, could harden critical infrastructure faster than any previous technology. The same capability that writes a 20-gadget ROP chain can write patches, review pull requests, and find vulnerabilities before they ship. In the long run, defenders who effectively deploy these tools should gain a decisive advantage — they have more code to protect, but they also have more resources, more time, and more legitimate access to the systems they’re defending.</p>

<p>But the transitional period is the problem. The asymmetry between what Mythos Preview can do today and what most organizations’ defenses assume is vast and widening. The model is not publicly available — yet. Models with equivalent capability, trained by other labs with less careful release policies, will be.</p>

<p>The transition will not be clarified by a collapse. It will be navigated — or not — by the decisions organizations and policymakers make in the next few months, largely in the absence of a crisis to concentrate their attention. That is precisely what makes this moment difficult, and precisely what makes early action indispensable.</p>

<blockquote>
  <p><em>The security community spent twenty years building an equilibrium. We have perhaps months to prepare for a new one. The question is not whether to act — it is whether we will act at the scale the moment demands.</em></p>
</blockquote>

<p>Project Glasswing is a serious and thoughtful response to an unprecedented situation. The commitments Anthropic makes — cryptographic disclosure, coordinated patching, restricted access — are the right ones. But responsible stewardship from one lab cannot substitute for industry-wide preparation. The capabilities described today are not theoretical. They are running. They are finding vulnerabilities in every major operating system, every major browser, and some of the most trusted cryptographic libraries in the world.</p>

<p>The time to build the scaffolding, train the teams, update the patch pipelines, and rethink the threat model is now — before these capabilities are broadly accessible. That window may be shorter than anyone is comfortable admitting.</p>]]></content><author><name></name></author><summary type="html"><![CDATA[Independent analysis of Anthropic’s Claude Mythos Preview cybersecurity disclosure · April 7, 2026]]></summary></entry><entry><title type="html">The Invisible Breach</title><link href="https://mendelevium.github.io/the-invisible-breach/" rel="alternate" type="text/html" title="The Invisible Breach" /><published>2026-04-02T00:00:00+00:00</published><updated>2026-04-02T00:00:00+00:00</updated><id>https://mendelevium.github.io/the-invisible-breach</id><content type="html" xml:base="https://mendelevium.github.io/the-invisible-breach/"><![CDATA[<p>How Supply Chain Attacks Are Quietly Becoming the Most Dangerous Threat in Software Security</p>

<hr />

<h2 id="introduction-the-trust-trap">Introduction: The Trust Trap</h2>

<p>There’s a thought experiment worth sitting with before reading further: how many lines of code are you actually running right now? On your development machine, across your CI/CD pipelines, in your production services?</p>

<p>The answer — when you account for every transitive dependency — is almost certainly in the <strong>tens of millions</strong>. And you’ve reviewed, at best, a few thousand of those lines yourself.</p>

<p>That gap is where supply chain attacks live.</p>

<p>Unlike a direct breach — where an adversary tries to crack your perimeter, phish your employees, or exploit a misconfigured server — a supply chain attack doesn’t need to target you at all. Instead, it targets the shared infrastructure of trust that the entire software ecosystem depends on: open-source packages, CI/CD tooling, build pipelines, and registry systems. When an attacker compromises a dependency you use, they don’t need to get past your defenses. You invited them in.</p>

<p>This article examines three supply chain attacks in increasing order of sophistication and ambition: <strong>xz Utils (2024)</strong>, <strong>LiteLLM (March 2026)</strong>, and <strong>Axios (March 2026)</strong>. After dissecting how each worked, we’ll make the case — backed by technical reality — that these attacks are not isolated incidents but the opening act of a new era in which LLMs dramatically lower the barrier to discovering and exploiting supply chain vulnerabilities at scale.</p>

<hr />

<h2 id="part-i-a-taxonomy-of-trust">Part I: A Taxonomy of Trust</h2>

<p>Software supply chain attacks are not new. The term itself entered mainstream security discourse after the <strong>SolarWinds</strong> breach of 2020, where a nation-state actor inserted a backdoor into the build system of a widely-used IT monitoring product, silently compromising thousands of organizations — including multiple US federal agencies — for months. But the pattern has evolved rapidly.</p>

<p>Modern supply chain attacks generally fall into a few categories:</p>

<p><strong>Account takeover attacks</strong> target the credentials of trusted package maintainers, using compromised accounts to publish malicious versions directly to registries like PyPI or npm. Once published, those versions are indistinguishable from legitimate releases — because they <em>come from</em> the legitimate account.</p>

<p><strong>Dependency confusion attacks</strong> exploit the way package managers resolve names across private and public registries, tricking build systems into downloading attacker-controlled packages that share names with internal ones.</p>

<p><strong>Upstream compromise</strong> goes deeper, inserting malicious code into the source repository or CI/CD pipeline of a legitimate project so that the attack is baked into the official release artifact.</p>

<p><strong>Social engineering of maintainers</strong> — the most patient form — involves cultivating trust with open-source maintainers over months or years before being granted enough access to introduce a backdoor directly into the codebase.</p>

<p>The xz Utils attack is the definitive example of this last category. It nearly worked.</p>

<hr />

<h2 id="part-ii-the-xz-utils-attack-2024--the-long-game">Part II: The xz Utils Attack (2024) — The Long Game</h2>

<h3 id="background">Background</h3>

<p>In late March 2024, Microsoft engineer Andres Freund was investigating unusual SSH latency on a Debian system and noticed that the <code class="language-plaintext highlighter-rouge">sshd</code> process was consuming abnormally high CPU. Following the thread led him to something extraordinary: a backdoor in <strong>xz Utils</strong>, a ubiquitous data compression library present on virtually every Linux distribution in the world.</p>

<p>The backdoor hadn’t been injected by a hacker who had momentarily breached the project. It had been planted by <strong>Jia Tan</strong>, a contributor who had spent approximately <strong>two years</strong> building trust with the xz Utils maintainer before being granted commit access.</p>

<h3 id="the-attack-in-detail">The Attack in Detail</h3>

<p>Beginning in 2022, an account registered as <strong>JiaT75</strong> began contributing high-quality patches to the xz Utils project. The maintainer, Lasse Collin, who had been under social pressure from what appeared to be a coordinated campaign of fake user accounts pushing him to add new contributors, eventually gave Jia Tan co-maintainer access.</p>

<p>In early 2024, Jia Tan modified the project’s build system in a subtle way: a <strong>malicious macro</strong> was embedded in files distributed with the source tarball but not present in the Git repository itself. This is a crucial detail — most automated security scanners check the repository, not the distributed tarball. The macro only activated under specific conditions: Debian and RPM-based Linux distributions, x86-64 architecture, and only at install time. This was not a broad credential sweeper. It was a <strong>targeted surgical payload</strong>.</p>

<p>The backdoor was designed to intercept RSA key operations in OpenSSH (via a patched version of <code class="language-plaintext highlighter-rouge">systemd</code> that linked against the compromised liblzma) and allow the attacker to authenticate without a valid key — essentially, a skeleton key for SSH on any vulnerable system.</p>

<p>Had this reached stable versions of Debian, Fedora, and Ubuntu in production, the blast radius would have been staggering. Freund’s chance discovery — driven by curiosity about a few hundred milliseconds of latency — was one of the closest calls in open-source security history.</p>

<h3 id="why-it-almost-worked">Why It Almost Worked</h3>

<ul>
  <li><strong>Patience</strong>: The two-year timeline meant there was no anomalous spike of activity to flag.</li>
  <li><strong>Quality</strong>: Jia Tan’s legitimate contributions were good. The account passed every human review.</li>
  <li><strong>Stealth</strong>: The payload was split across the tarball and the build system, making it invisible to standard repository auditing.</li>
  <li><strong>Targeting</strong>: It specifically avoided activating in environments where security researchers are likely to run it.</li>
  <li><strong>State-level resources</strong>: Most analysts assess this as a nation-state operation. The level of planning and the specific target (SSH authentication) point to intelligence collection, not financial crime.</li>
</ul>

<hr />

<h2 id="part-iii-the-litellm-attack-march-24-2026--the-ai-infrastructure-heist">Part III: The LiteLLM Attack (March 24, 2026) — The AI Infrastructure Heist</h2>

<p>If xz was about patience, the LiteLLM compromise was about precision targeting.</p>

<h3 id="background-why-litellm-matters">Background: Why LiteLLM Matters</h3>

<p>LiteLLM is a Python library and proxy server that provides a unified interface to over 100 LLM providers — OpenAI, Anthropic, AWS Bedrock, Google Vertex AI, and many more. It is most often used by developers as a gateway for client applications to call any number of large language models from over 100 providers. It handles <strong>API keys for all of those providers simultaneously</strong>. Architecturally, it occupies the most credential-rich position imaginable in an AI-native stack.</p>

<p>LiteLLM’s PyPI package has about 480 million downloads, making it a very valuable target.</p>

<h3 id="the-attack-chain">The Attack Chain</h3>

<p>The breach of LiteLLM was not a direct attack — it was the <em>third</em> domino in a multi-step cascade orchestrated by a threat group now tracked as <strong>TeamPCP</strong>.</p>

<p><strong>Stage 1 — Trivy (March 19):</strong> TeamPCP rewrote Git tags in the <code class="language-plaintext highlighter-rouge">trivy-action</code> GitHub Action repository to point to a malicious release carrying a credential-harvesting payload. Trivy is a popular open-source vulnerability scanner. Critically, LiteLLM’s CI/CD pipeline ran Trivy as part of its build process, pulling it from apt without a pinned version. The compromised action exfiltrated the PYPI_PUBLISH token from the GitHub Actions runner environment.</p>

<p><strong>Stage 2 — Checkmarx KICS (March 23):</strong> The same infrastructure was used to compromise Checkmarx KICS (Keep Infrastructure as Code Secure), another security scanning tool, registering the impersonator domain <code class="language-plaintext highlighter-rouge">checkmarx.zone</code>.</p>

<p><strong>Stage 3 — LiteLLM (March 24):</strong> With the stolen PyPI token, the attackers published two malicious LiteLLM versions: <strong>1.82.7</strong> and <strong>1.82.8</strong>. These compromised versions appeared to have included a credential stealer designed to encrypt and exfiltrate data via a POST request to <code class="language-plaintext highlighter-rouge">models.litellm.cloud</code>, which is not an official BerriAI/LiteLLM domain.</p>

<h3 id="the-payload">The Payload</h3>

<p>The malware was technically sophisticated in several ways.</p>

<p>The collected data was encrypted with a hardcoded 4096-bit RSA public key using AES-256-CBC (random session key, encrypted with the RSA key), bundled into a tar archive, and POSTed to <code class="language-plaintext highlighter-rouge">https://models.litellm.cloud/</code> — a domain that is not part of legitimate litellm infrastructure.</p>

<p>Version 1.82.8 introduced an especially nasty delivery mechanism: a <strong><code class="language-plaintext highlighter-rouge">.pth</code> file</strong>. As ARMO’s analysis explains, Python’s <code class="language-plaintext highlighter-rouge">.pth</code> files are processed by the <code class="language-plaintext highlighter-rouge">site</code> module during interpreter startup — without any import statement required. The result was that <em>any</em> Python process on an affected system would trigger the malware, not just processes importing LiteLLM. This created an accidental fork bomb: the spawned child process re-triggered the <code class="language-plaintext highlighter-rouge">.pth</code> file, causing exponential process creation that crashed machines with OOM errors. This was actually how the attack was first discovered — a developer noticed their machine ran out of RAM.</p>

<p>If a Kubernetes service account token was present, the malware read all cluster secrets across all namespaces and attempted to create a privileged Alpine pod on every node in kube-system, mounting the host filesystem and installing a persistent backdoor.</p>

<h3 id="the-cover-up-attempt">The Cover-Up Attempt</h3>

<p>When community members began reporting the compromise on GitHub, the attackers posted 88 bot comments from 73 unique accounts in a 102-second window. The accounts used were previously compromised developer accounts, not purpose-created profiles. Using the compromised maintainer account, the attackers closed the issue as “not planned.”</p>

<h3 id="attribution">Attribution</h3>

<p>TeamPCP orchestrated one of the most sophisticated multi-ecosystem supply chain campaigns publicly documented to date. The tooling development arc — version 1 in December 2025, hardened version 2 in February, deployment in March — reflects a small, motivated developer team with a security research background, not a large-scale criminal operation.</p>

<p>Notably, a component called <code class="language-plaintext highlighter-rouge">hackerbot-claw</code> uses an AI agent (<code class="language-plaintext highlighter-rouge">openclaw</code>) for automated attack targeting. Aikido researchers documented this as one of the first cases of an AI agent used operationally in a supply chain attack. We will return to this.</p>

<hr />

<h2 id="part-iv-the-axios-attack-march-31-2026--nation-state-scale">Part IV: The Axios Attack (March 31, 2026) — Nation-State Scale</h2>

<p>Seven days after LiteLLM, the other shoe dropped — and it was significantly larger.</p>

<h3 id="background-axios-at-scale">Background: Axios at Scale</h3>

<p>Axios is the most widely used HTTP client in the JavaScript ecosystem. With over 100 million weekly downloads, Axios occupies a position in the JavaScript ecosystem that is hard to overstate — it is present in frontend frameworks, backend services, and enterprise applications worldwide. It is a transitive dependency for an almost uncountable number of projects. If you maintain any Node.js codebase of appreciable size, you almost certainly depend on Axios somewhere in your tree.</p>

<h3 id="the-attack">The Attack</h3>

<p>On March 30, 2026, StepSecurity identified two malicious versions of the widely-used Axios HTTP client library published to npm: <code class="language-plaintext highlighter-rouge">axios@1.14.1</code> and <code class="language-plaintext highlighter-rouge">axios@0.30.4</code>. The malicious versions injected a new dependency, <code class="language-plaintext highlighter-rouge">plain-crypto-js@4.2.1</code>, which was never imported anywhere in the Axios source code. Its sole purpose was to execute a postinstall script that acted as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux.</p>

<p>The pre-staging was methodical: an earlier “clean” version of <code class="language-plaintext highlighter-rouge">plain-crypto-js</code> (4.2.0) had been published 18 hours prior, likely to give it a brief history on the registry before the malicious 4.2.1 version arrived. This is a known technique to defeat “brand-new package” detection heuristics.</p>

<p>The attacker compromised the <code class="language-plaintext highlighter-rouge">jasonsaayman</code> npm account, the primary maintainer of the Axios project. The account’s registered email was changed to <code class="language-plaintext highlighter-rouge">ifstap@proton.me</code> — an attacker-controlled ProtonMail address.</p>

<h3 id="the-payload-waveshaperv2">The Payload: WAVESHAPER.V2</h3>

<p>This is where the Axios attack diverges sharply from LiteLLM in terms of attribution and ambition.</p>

<p>Google Threat Intelligence Group (GTIG) attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of a backdoor previously used by this threat actor.</p>

<p>The malware dropper cleaned up after itself: any post-infection inspection of <code class="language-plaintext highlighter-rouge">node_modules/plain-crypto-js/package.json</code> would show a completely clean manifest — no postinstall script, no <code class="language-plaintext highlighter-rouge">setup.js</code> file, and no indication that anything malicious was ever installed. Running <code class="language-plaintext highlighter-rouge">npm audit</code> or manually reviewing the installed package directory would not reveal the compromise.</p>

<p>Within two seconds of <code class="language-plaintext highlighter-rouge">npm install</code>, the malware was already calling home to the attacker’s server before npm had even finished resolving dependencies.</p>

<p>The operational sophistication is notable: both the 1.x and 0.x release branches were hit simultaneously, maximizing coverage across projects that had not upgraded from the legacy branch. The malicious window ran from approximately 00:21 to 03:20 UTC — overnight hours, minimizing the time before maintainers could respond.</p>

<p>Within Huntress’s partner base alone, at least 135 endpoints across all operating systems contacted the attacker’s command-and-control infrastructure during the exposure window.</p>

<hr />

<h2 id="part-v-the-coming-storm--llms-as-force-multipliers-for-supply-chain-attackers">Part V: The Coming Storm — LLMs as Force Multipliers for Supply Chain Attackers</h2>

<p>The three attacks above represent a progression: from a years-long patient operation (xz) to a multi-week coordinated campaign (LiteLLM) to a precisely timed nation-state operation (Axios). But there’s a fourth dimension to consider, one that was barely visible in the LiteLLM case but will become impossible to ignore: <strong>AI-assisted attack automation</strong>.</p>

<h3 id="the-research-problem-is-solved">The Research Problem is Solved</h3>

<p>For decades, finding vulnerabilities in complex software required rare, expensive human expertise. A skilled security researcher could maybe audit a few thousand lines of code per day meaningfully — catching subtle logic flaws, off-by-one errors, type confusion bugs, and trust boundary violations. This scarcity of human expertise was, paradoxically, a constraint that also protected defenders: attackers faced the same scarcity.</p>

<p>LLMs have dramatically changed this equation. Modern code-capable models can:</p>

<ul>
  <li><strong>Read and reason about codebases at superhuman speed.</strong> A model can ingest an entire dependency tree and flag suspicious patterns in seconds.</li>
  <li><strong>Generate exploit code from vulnerability descriptions.</strong> The gap between “here is the flaw” and “here is working proof-of-concept code” has collapsed.</li>
  <li><strong>Identify attack surface systematically.</strong> CI/CD configuration files, package publishing workflows, token scopes — all of these can be systematically enumerated and analyzed for weaknesses.</li>
  <li><strong>Generate plausible social engineering content.</strong> The fabrication of a believable long-term maintainer persona, complete with quality code contributions and a consistent online presence, is increasingly within the reach of automated systems.</li>
</ul>

<p>The LiteLLM attackers had already taken a step in this direction. Their <code class="language-plaintext highlighter-rouge">hackerbot-claw</code> component, which used an AI agent for automated attack targeting, represents a proof of concept. It will not remain a proof of concept for long.</p>

<h3 id="the-economics-of-scale">The Economics of Scale</h3>

<p>Supply chain attacks historically required high investment for uncertain payoff. The xz attack required approximately two years of sustained, sophisticated effort by what is almost certainly a well-funded nation-state team. That same investment, amplified by LLM-assisted tooling, could potentially be replicated by a much smaller team in a fraction of the time.</p>

<p>Consider what an LLM-augmented attacker workflow looks like:</p>

<ol>
  <li><strong>Discovery:</strong> Automated scanning of GitHub Actions workflows across millions of repositories to identify unpinned actions, wide token scopes, or PYPI/npm publish tokens in CI environments.</li>
  <li><strong>Prioritization:</strong> Ranking targets by download count, ecosystem centrality (how many projects depend on this package transitively), and credential richness (does this package typically run in environments with cloud credentials?).</li>
  <li><strong>Vulnerability identification:</strong> Per-target analysis of CI/CD pipeline configurations to identify the exact injection point.</li>
  <li><strong>Payload adaptation:</strong> Automatic generation of platform-specific payloads with anti-forensic cleanup.</li>
  <li><strong>Execution and suppression:</strong> Automated bot account deployment to suppress community disclosure attempts.</li>
</ol>

<p>Steps 1 through 4 are all tasks where current LLMs are already capable assistants. As model capabilities improve — particularly in the domains of multi-step reasoning, tool use, and code generation — the degree of human oversight required to run this pipeline decreases. A plausible near-future scenario is a largely automated supply chain attack operation that requires only a small team to set strategic objectives, review outputs, and manage infrastructure.</p>

<h3 id="the-attack-surface-is-expanding">The Attack Surface is Expanding</h3>

<p>Meanwhile, the attack surface is growing faster than the security community’s capacity to defend it. The explosion of AI tooling — LLM wrappers, MCP servers, agent frameworks, vector databases — has created an enormous new ecosystem of packages that are often:</p>

<ul>
  <li><strong>Credential-rich by design</strong> (they hold API keys for multiple LLM providers)</li>
  <li><strong>Maintained by small teams</strong> with limited security resources</li>
  <li><strong>Downloaded millions of times a month</strong> because of rapid AI adoption</li>
  <li><strong>Deeply embedded in infrastructure</strong> through transitive dependencies</li>
</ul>

<p>LiteLLM was the perfect illustration: a library whose core <em>purpose</em> is to centralize API keys for dozens of AI providers, running in environments with cloud credentials and Kubernetes access. Compromising it is not just compromising one package — it is compromising the credential store for every AI service that package touches.</p>

<p>As organizations instrument their infrastructure with AI agents and LLM orchestration, they are creating new high-value nodes in their dependency graphs. Attackers, guided by LLMs that can systematically map these new attack surfaces, will find them.</p>

<hr />

<h2 id="part-vi-best-practices-for-defenders">Part VI: Best Practices for Defenders</h2>

<p>The threat is real and growing. The good news is that supply chain attacks, unlike zero-days, often have effective mitigations that can be implemented before the attack arrives. The following recommendations are grounded in what actually failed in the xz, LiteLLM, and Axios incidents.</p>

<h3 id="1-pin-everything-every-time">1. Pin Everything. Every Time.</h3>

<p>The single highest-impact mitigation for dependency confusion and account takeover attacks is <strong>version pinning with integrity verification</strong>.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Python — use pip-compile or uv with a lockfile</span>
pip <span class="nb">install </span><span class="nv">litellm</span><span class="o">==</span>1.82.6  <span class="c"># Don't use "litellm" alone</span>

<span class="c"># Node.js — commit your lockfile and use npm ci, never npm install in CI</span>
npm ci  <span class="c"># Respects package-lock.json exactly</span>

<span class="c"># GitHub Actions — pin actions to a full commit SHA</span>
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  <span class="c"># v4.2.2</span>
<span class="c"># Not: uses: actions/checkout@v4</span>
</code></pre></div></div>

<p>LiteLLM was compromised through its own CI pipeline using an unpinned Trivy action. The users most impacted were those who ran <code class="language-plaintext highlighter-rouge">pip install litellm</code> without a pinned version. Both of these failures are solved by pinning.</p>

<h3 id="2-use-lockfiles-and-verify-hashes">2. Use Lockfiles and Verify Hashes</h3>

<p>For Python projects, use <code class="language-plaintext highlighter-rouge">pip-compile</code> with <code class="language-plaintext highlighter-rouge">--generate-hashes</code> to produce a lockfile that includes cryptographic hashes for every dependency. For Node.js, commit <code class="language-plaintext highlighter-rouge">package-lock.json</code> and use <code class="language-plaintext highlighter-rouge">npm ci</code>. For Rust, <code class="language-plaintext highlighter-rouge">Cargo.lock</code>. For Go, <code class="language-plaintext highlighter-rouge">go.sum</code>. These lockfiles ensure that even if a registry account is compromised and a new version is published, your build will fail rather than silently pulling the malicious version.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Python: generate hash-verified lockfile</span>
pip-compile <span class="nt">--generate-hashes</span> requirements.in <span class="nt">-o</span> requirements.txt

<span class="c"># Install with hash verification</span>
pip <span class="nb">install</span> <span class="nt">--require-hashes</span> <span class="nt">-r</span> requirements.txt
</code></pre></div></div>

<h3 id="3-monitor-outbound-network-traffic-from-ci">3. Monitor Outbound Network Traffic from CI</h3>

<p>One of the most reliable indicators of a compromised dependency is <strong>unexpected outbound connections during build time</strong>. In both the LiteLLM and Axios incidents, the malware called home to attacker-controlled domains within seconds of installation. A CI runner that has no legitimate reason to make outbound HTTP requests to arbitrary domains should be configured to block or alert on such traffic.</p>

<p>Tools like <strong>StepSecurity’s Harden-Runner</strong> — which detected the Axios attack — operate precisely by monitoring egress traffic during GitHub Actions runs and alerting on anomalous connections. Adopting egress filtering on your CI runners is one of the most effective detection controls available.</p>

<h3 id="4-treat-cicd-secrets-with-zero-trust">4. Treat CI/CD Secrets with Zero Trust</h3>

<p>The LiteLLM attack succeeded because a single GitHub Actions secret — the PyPI publish token — was accessible to the CI runner that also pulled an unpinned, attacker-controlled tool. Apply <strong>least privilege</strong> principles to CI secrets:</p>

<ul>
  <li>Limit token scopes to the minimum required (PyPI trusted publishing avoids long-lived tokens entirely)</li>
  <li>Use environment protection rules so publish tokens are only accessible in protected branches</li>
  <li>Rotate secrets regularly and alert on unexpected access</li>
  <li>Consider using <strong>OpenID Connect (OIDC)</strong> for short-lived, just-in-time cloud credentials in CI rather than long-lived API keys</li>
</ul>

<h3 id="5-implement-software-bill-of-materials-sbom">5. Implement Software Bill of Materials (SBOM)</h3>

<p>An SBOM is a machine-readable inventory of every component in your software, including transitive dependencies. When a supply chain incident is disclosed, an SBOM allows you to answer the question “are we affected?” in minutes rather than hours.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Generate an SBOM for a Python project</span>
pip <span class="nb">install </span>cyclonedx-bom
cyclonedx-py requirements requirements.txt <span class="nt">-o</span> bom.json

<span class="c"># For Node.js</span>
npx @cyclonedx/cyclonedx-npm <span class="nt">--output-file</span> bom.json
</code></pre></div></div>

<p>Integrate SBOM generation into your CI pipeline and subscribe to security feeds (OSV, GitHub Advisory Database, Sonatype OSS Index) that can be queried against your SBOM automatically.</p>

<h3 id="6-run-a-dependency-security-proxy--registry-firewall">6. Run a Dependency Security Proxy / Registry Firewall</h3>

<p>Tools like <strong>Sonatype Repository Firewall</strong>, <strong>JFrog Xray</strong>, and <strong>Socket</strong> sit between your build system and the public registry and block packages that exhibit malicious characteristics in real time. Socket, for instance, performs behavioral analysis of packages — detecting things like new network calls, new postinstall scripts, or obfuscated code — rather than relying solely on known CVEs.</p>

<p>This is a particularly important layer because it catches <em>zero-day</em> supply chain attacks (like Axios) where no CVE yet exists.</p>

<h3 id="7-verify-packages-against-source-repositories">7. Verify Packages Against Source Repositories</h3>

<p>Both the LiteLLM and Axios attacks shared a common tell: <strong>the malicious versions were not present in the official Git repository</strong>. There was no corresponding Git tag for <code class="language-plaintext highlighter-rouge">axios@1.14.1</code> or <code class="language-plaintext highlighter-rouge">litellm==1.82.8</code>. Tooling that compares published registry artifacts against tagged source commits would have flagged both immediately.</p>

<p>For Python specifically, <strong>PEP 740 (Attestations)</strong> and PyPI’s support for <strong>Sigstore</strong>-based publish attestations are moving toward a world where you can verify that a published package was built by an authorized CI workflow from a specific source commit. Adopting these attestations where available — and preferring packages that publish them — meaningfully reduces the risk of account-takeover-based attacks.</p>

<h3 id="8-harden-maintainer-account-security">8. Harden Maintainer Account Security</h3>

<p>The xz attack required multi-year social engineering; the LiteLLM and Axios attacks required compromising a single maintainer account. For open-source maintainers of widely-used packages:</p>

<ul>
  <li><strong>Mandatory MFA</strong> for all publishing-capable accounts (npm now requires this for popular packages; PyPI has made it available)</li>
  <li><strong>Hardware security keys</strong> (FIDO2/WebAuthn), not TOTP, for registry account authentication</li>
  <li><strong>Separate publishing tokens</strong> per CI environment, rotated regularly</li>
  <li><strong>Multi-party publishing controls</strong> — require two maintainers to approve a release for high-criticality packages</li>
</ul>

<h3 id="9-behavioral-monitoring-on-developer-machines-and-production">9. Behavioral Monitoring on Developer Machines and Production</h3>

<p>The Axios attack’s malware called home within two seconds of <code class="language-plaintext highlighter-rouge">npm install</code>. In production environments, implementing <strong>network egress monitoring</strong> and <strong>process behavioral analysis</strong> (tools like Falco for Kubernetes, or EDR solutions on developer machines) can catch post-exploitation activity even when prevention fails.</p>

<p>Watch for:</p>
<ul>
  <li>Unexpected outbound HTTPS connections from build processes</li>
  <li>New <code class="language-plaintext highlighter-rouge">.pth</code> files appearing in Python site-packages</li>
  <li>Unexpected <code class="language-plaintext highlighter-rouge">postinstall</code> scripts in <code class="language-plaintext highlighter-rouge">node_modules</code></li>
  <li>Kubernetes pods appearing in <code class="language-plaintext highlighter-rouge">kube-system</code> that weren’t in your manifests</li>
  <li>New systemd user services on developer machines</li>
</ul>

<h3 id="10-apply-the-principle-of-ephemerality">10. Apply the Principle of Ephemerality</h3>

<p>One reason the Axios attack was somewhat contained is that many organizations use <strong>ephemeral CI runners</strong> — GitHub-hosted runners that are destroyed after each job. Ephemeral environments limit the persistence window for malware. Where possible:</p>

<ul>
  <li>Use ephemeral runners for CI (GitHub-hosted or self-hosted ephemeral VMs)</li>
  <li>Run builds in isolated containers with minimal filesystem access</li>
  <li>Avoid sharing credentials between CI stages unless strictly necessary</li>
</ul>

<hr />

<h2 id="conclusion-security-at-the-speed-of-trust">Conclusion: Security at the Speed of Trust</h2>

<p>The three attacks examined here — xz Utils, LiteLLM, and Axios — represent a spectrum of sophistication and attribution: a patient nation-state operation, a coordinated criminal campaign targeting AI infrastructure, and a North Korean APT operation against one of the most downloaded JavaScript packages in the world. What unites them is that <strong>none of them required breaking your code</strong>. They only required breaking your trust.</p>

<p>The emergence of LLM-assisted attack tooling — already visible in LiteLLM’s <code class="language-plaintext highlighter-rouge">hackerbot-claw</code> component — threatens to industrialize this attack class. Tasks that previously required scarce human expertise (finding unpinned actions at scale, reasoning about which packages are most credential-rich, adapting payloads to evade detection) are increasingly automatable. The attacker who once needed a nation-state budget to run a sophisticated supply chain campaign may soon need only a modest infrastructure investment and access to capable AI tools.</p>

<p>The defensive posture required in this environment is not one of reactive patching. It is one of <strong>systemic skepticism toward the build process itself</strong>: treating your dependency graph as an attack surface, your CI/CD pipeline as a trust boundary, and your package registry as an adversarial environment. The mitigations outlined above are not exotic — pinning versions, verifying hashes, monitoring egress, separating secrets — but they require discipline and tooling investment.</p>

<p>The code you ship is only as trustworthy as the code you build on. In a world where LLMs can systematically find the weakest link in that chain, the cost of ignoring the supply chain is about to become much harder to absorb.</p>]]></content><author><name></name></author><summary type="html"><![CDATA[How Supply Chain Attacks Are Quietly Becoming the Most Dangerous Threat in Software Security]]></summary></entry><entry><title type="html">Introducing GitBlog</title><link href="https://mendelevium.github.io/introducing-gitblog/" rel="alternate" type="text/html" title="Introducing GitBlog" /><published>2026-02-22T00:00:00+00:00</published><updated>2026-02-22T00:00:00+00:00</updated><id>https://mendelevium.github.io/introducing-gitblog</id><content type="html" xml:base="https://mendelevium.github.io/introducing-gitblog/"><![CDATA[<p><a href="https://github.com/mendelevium/gitblog">GitBlog</a> is a Chrome extension that turns your browser into a full content management system for Jekyll + GitHub Pages blogs. There’s no backend, no server to maintain — just your browser talking directly to GitHub’s API.</p>

<p>If you’ve ever wanted a simple, visual way to manage your Jekyll blog without touching the terminal, this guide walks you through getting started.</p>

<h2 id="prerequisites">Prerequisites</h2>

<ul>
  <li>A <strong>GitHub account</strong></li>
  <li><strong>Google Chrome</strong> (or any Chromium-based browser)</li>
</ul>

<p>That’s it. GitBlog handles the rest — including scaffolding an entire Jekyll site from scratch if you don’t have one yet.</p>

<h2 id="installation">Installation</h2>

<p>Install GitBlog from the Chrome Web Store. Once installed, you’ll see the GitBlog icon in your browser toolbar.</p>

<h2 id="connecting-to-github">Connecting to GitHub</h2>

<p>Click the GitBlog toolbar icon to open the popup.</p>

<h3 id="creating-a-personal-access-token">Creating a Personal Access Token</h3>

<p>GitBlog authenticates using a <strong>fine-grained GitHub Personal Access Token (PAT)</strong>. To create one:</p>

<ol>
  <li>Go to <a href="https://github.com/settings/tokens?type=beta">GitHub Settings &gt; Developer settings &gt; Personal access tokens &gt; Fine-grained tokens</a></li>
  <li>Click <strong>Generate new token</strong></li>
  <li>Set the following permissions:
    <ul>
      <li><strong>Repository access:</strong> All repositories</li>
      <li><strong>Contents:</strong> Read and write</li>
      <li><strong>Administration:</strong> Read and write (needed for creating new repos)</li>
    </ul>
  </li>
  <li>Copy the generated token</li>
</ol>

<p>Back in the GitBlog popup, paste your token and click <strong>Connect</strong>. GitBlog validates the token against the GitHub API and stores it securely in Chrome’s synced storage — so it’s available across your devices.</p>

<h3 id="selecting-a-repository">Selecting a Repository</h3>

<p>After connecting, GitBlog shows a dropdown of your repositories. Select one and GitBlog checks whether it has a Jekyll structure (by looking for <code class="language-plaintext highlighter-rouge">_config.yml</code>).</p>

<ul>
  <li><strong>Green badge</strong> — Jekyll detected, ready to go.</li>
  <li><strong>Yellow badge</strong> — No Jekyll structure found. You can still open the editor, but you may need to set up Jekyll first.</li>
</ul>

<p>Click <strong>Open GitBlog</strong> to launch the full editor in a new tab.</p>

<h3 id="creating-a-new-blog-from-scratch">Creating a New Blog from Scratch</h3>

<p>Don’t have a Jekyll blog yet? If you don’t already have a <code class="language-plaintext highlighter-rouge">{username}.github.io</code> repository, GitBlog offers a <strong>Create</strong> button right in the popup. Click it and GitBlog will:</p>

<ol>
  <li>Create the <code class="language-plaintext highlighter-rouge">{username}.github.io</code> repository on GitHub</li>
  <li>Scaffold the full Jekyll structure — layouts, includes, CSS, a default about page, and a “Hello World” first post</li>
</ol>

<p>A progress bar shows each file being created. Once done, click <strong>Open GitBlog</strong> and start writing.</p>

<h2 id="using-the-editor">Using the Editor</h2>

<p>The editor opens in a full browser tab with three main sections accessible from the top navigation: <strong>Posts</strong>, <strong>Sections</strong>, and <strong>Settings</strong> (gear icon).</p>

<h3 id="posts">Posts</h3>

<p>The Posts view lists all your blog posts from both <code class="language-plaintext highlighter-rouge">_posts/</code> (published) and <code class="language-plaintext highlighter-rouge">_drafts/</code> (drafts). Each post shows its title, date, and a <strong>Draft</strong> badge if unpublished. You can search posts by title using the search box.</p>

<h4 id="creating-and-editing-posts">Creating and Editing Posts</h4>

<p>Click <strong>New Post</strong> to open the post editor. The editor has two areas:</p>

<p><strong>Front Matter Form</strong> — A compact form at the top with fields for:</p>

<ul>
  <li><strong>Title</strong> (required)</li>
  <li><strong>Date</strong> (defaults to today)</li>
  <li><strong>Category</strong> (optional)</li>
  <li><strong>Tags</strong> (comma-separated, optional)</li>
</ul>

<p><strong>Markdown Editor</strong> — The main editing area with three view modes, toggled from the toolbar:</p>

<ul>
  <li><strong>Editor</strong> — Full-width text editor</li>
  <li><strong>Split</strong> (default) — Side-by-side editor and live preview</li>
  <li><strong>Preview</strong> — Full-width rendered preview</li>
</ul>

<p>The preview renders your markdown in real time using the <code class="language-plaintext highlighter-rouge">marked</code> library with HTML sanitization, so you see exactly how headings, lists, code blocks, tables, and other formatting will look.</p>

<h4 id="inserting-images">Inserting Images</h4>

<p>Click <strong>Insert Image</strong> in the editor toolbar to upload an image. GitBlog uploads it to <code class="language-plaintext highlighter-rouge">assets/images/</code> in your repository and inserts the markdown image syntax at your cursor position. Images are limited to 5 MB.</p>

<h4 id="publishing-and-drafts">Publishing and Drafts</h4>

<p>Two save options are available:</p>

<ul>
  <li><strong>Save Draft</strong> — Saves the post to the <code class="language-plaintext highlighter-rouge">_drafts/</code> directory (not published)</li>
  <li><strong>Publish</strong> — Saves to <code class="language-plaintext highlighter-rouge">_posts/</code> with an auto-generated filename (<code class="language-plaintext highlighter-rouge">YYYY-MM-DD-title-slug.md</code>)</li>
</ul>

<p>You can move a post between draft and published states by using the corresponding button on subsequent saves.</p>

<h3 id="sections-pages">Sections (Pages)</h3>

<p>The Sections view manages your static pages — things like “About”, “Contact”, or “Projects” that appear in your site’s navigation.</p>

<p>Each section shows its title, permalink, and whether it appears in the navigation (<strong>In nav</strong> green badge or <strong>Hidden</strong> grey badge).</p>

<h4 id="creating-sections">Creating Sections</h4>

<p>Click <strong>Add Section</strong> to open the section editor with fields for:</p>

<ul>
  <li><strong>Title</strong> (required)</li>
  <li><strong>Permalink</strong> (auto-generated from title if left blank, e.g., <code class="language-plaintext highlighter-rouge">/about/</code>)</li>
  <li><strong>Layout</strong> (<code class="language-plaintext highlighter-rouge">page</code> or <code class="language-plaintext highlighter-rouge">default</code>)</li>
</ul>

<p>Plus the same markdown editor as posts.</p>

<h4 id="reordering-navigation">Reordering Navigation</h4>

<p>Drag sections using the grab handle to reorder them. GitBlog updates the <code class="language-plaintext highlighter-rouge">header_pages</code> array in your <code class="language-plaintext highlighter-rouge">_config.yml</code> automatically, so your site’s navigation reflects the new order immediately on the next build.</p>

<h3 id="settings">Settings</h3>

<p>Click the gear icon to access site settings.</p>

<p><strong>Site Settings:</strong></p>

<ul>
  <li><strong>Blog Title</strong> — Your site’s <code class="language-plaintext highlighter-rouge">&lt;title&gt;</code> and header</li>
  <li><strong>Description</strong> — The site description / tagline</li>
  <li><strong>Permalink Format</strong> — How post URLs are structured:
    <ul>
      <li><code class="language-plaintext highlighter-rouge">/:title/</code></li>
      <li><code class="language-plaintext highlighter-rouge">/:year/:month/:title/</code></li>
      <li><code class="language-plaintext highlighter-rouge">/blog/:title/</code></li>
    </ul>
  </li>
</ul>

<p>All changes are written directly to <code class="language-plaintext highlighter-rouge">_config.yml</code>. Click <strong>Save</strong> and the status indicator confirms the update.</p>

<p><strong>Appearance:</strong></p>

<ul>
  <li><strong>Color Mode</strong> — Switch between Light, Dark, or System (follows your OS preference). This applies to the GitBlog editor itself and is saved across sessions.</li>
</ul>

<h2 id="tips-and-good-to-know">Tips and Good to Know</h2>

<h3 id="conflict-resolution">Conflict Resolution</h3>

<p>If someone (or you on another device) edits the same file while you have it open, GitBlog detects the conflict when you try to save. A dialog gives you two options:</p>

<ul>
  <li><strong>Overwrite</strong> — Push your version, replacing the remote changes</li>
  <li><strong>Reload</strong> — Discard your local edits and load the latest version from GitHub</li>
</ul>

<h3 id="rate-limits">Rate Limits</h3>

<p>GitBlog displays your GitHub API rate limit in the status bar at the bottom of the editor. GitHub allows 5,000 requests per hour for authenticated users. Under normal usage you won’t come close, but it’s there if you need to check.</p>

<h3 id="caching">Caching</h3>

<p>File listings are cached locally for 5 minutes to keep the editor snappy and reduce API calls. The cache is automatically invalidated whenever you create, update, or delete a file — so you always see fresh data after making changes.</p>

<h3 id="online--offline-indicator">Online / Offline Indicator</h3>

<p>The status bar shows your connection state. If you lose connectivity, GitBlog lets you know so you don’t lose work trying to save to an unreachable API.</p>

<h3 id="synced-across-devices">Synced Across Devices</h3>

<p>Your token, selected repository, and color mode preference are stored in Chrome’s synced storage. Open Chrome on another computer and GitBlog is ready to go with the same configuration.</p>

<h2 id="summary">Summary</h2>

<p>GitBlog gives you a clean, focused writing environment for Jekyll blogs without leaving your browser. No terminal, no git commands, no build steps — just open the extension, pick your repo, and write.</p>]]></content><author><name></name></author><summary type="html"><![CDATA[GitBlog is a Chrome extension that turns your browser into a full content management system for Jekyll + GitHub Pages blogs. There’s no backend, no server to maintain — just your browser talking directly to GitHub’s API.]]></summary></entry></feed>