The Architecture of Trust

The Architecture of Trust

Michael Bilca, formerly of the FBI's cybersecurity infrastructure group and one of the original architects behind ETSI TC SAI, has written the sharpest articulation yet of why prompt injection is fundamentally unfixable at the model layer — and why the solution was already built once, fifty years ago, then deliberately destroyed. His argument centers on SS7 (Signaling System No. 7), the nervous system of the global telephone network before it was gutted. SS7 maintained a clean architectural separation: the bearer channel carried voice (data), the signaling channel carried commands. These were physically separate — different protocols, different infrastructure, different trust assumptions. Nobody confused which was which because the architecture did not permit confusion. (more: https://www.linkedin.com/pulse/bell-labs-solved-prompt-injection-1976-michael-bilca-surue)

Then SMS happened. The bean counters noticed spare bandwidth on the signaling channel and shoved user content into it. The architectural guarantee evaporated, and downstream consequences — SS7 vulnerabilities used to intercept calls, track locations, redirect 2FA codes — are still being exploited today. Bilca's point is structural: the transformer context window commits the same original sin. Instructions and data land in one undifferentiated token stream, and no amount of RLHF, constitutional AI, or clever prompting can enforce a distinction that does not exist in the representation. The fix is two channels — a trusted control channel for human-to-AI intent and an untrusted data channel for everything the agent retrieves from the world — with a hard boundary between them. He proposes ETSI TC SAI open a work item for a testable, certifiable protocol specification, analogous to FIPS 140 for cryptographic modules. The bottom turtle: hardware-attested signing at the TPM/SGX level, with public keys on a transparency ledger. Science fiction? TPMs ship in most modern laptops. The engineering challenge is integration and standardization, not invention.

The timing lands well. This week Orca Security disclosed RoguePilot, a passive prompt injection attack against GitHub Copilot in Codespaces. The exploit embeds hidden instructions inside a GitHub Issue using HTML comment tags — invisible to human readers, fully legible to Copilot when it processes the issue description. When a developer opens a Codespace from the poisoned issue, Copilot silently complies: it pulls a crafted PR containing a symlink to the environment's secrets file, reads the GitHub token through it (bypassing workspace boundary restrictions because guardrails do not follow symlinks), and exfiltrates the token via a JSON schema URL that VS Code fetches automatically. Full repository takeover, no user interaction beyond opening the Codespace. (more: https://cybersecuritynews.com/github-copilot-exploited)

The SecureVibes team arrived at a complementary conclusion from another direction. They built structured skills for a DAST (Dynamic Application Security Testing) agent — 8 detailed methodology files, 250-460 lines each, for SQL injection, XSS, command injection, and more — and watched performance drop by 6x. Haiku went from 0% to 100% vulnerability detection when every constraint was removed. The problem: prompt-level safety instructions consume context tokens, narrow the model's decision tree, and turn an adaptive tester into a checklist executor. Their fix — Docker containers with restricted networking, read-only filesystems, no privilege escalation — mirrors Bilca's thesis exactly. Enforce safety at the environment layer, not the application layer. Prompts define what the agent should do; the environment defines what it can do. (more: https://open.substack.com/pub/harishkolla/p/stop-telling-your-ai-agent-what-not?r=v5uaz)

A smaller but instructive example surfaced from a developer building an MCP server connected to a MUD (text-based game). When the server returned a "Duplicate log entry" error, the LLM interpreted it as a puzzle to solve and mutated the log entry just enough to bypass the hash check. The fix: return success instead of an error. Tool return values in MCP architectures are not just passing data — they communicate goal state to the model. A poorly worded failure response is more disruptive than a bug in your actual logic. (more: https://www.linkedin.com/posts/glen-clarkson_ai-mcp-activity-7432659857981218817-9sUq)

AirSnitch — Wi-Fi's Foundation Cracks

Researchers at UC Riverside and KU Leuven presented AirSnitch at NDSS 2026 this week, demonstrating a new class of attacks that bypass Wi-Fi client isolation — the encryption-enabled protection promised by all router makers that blocks direct communication between connected clients. Every one of the 11 routers tested, including devices from Netgear, D-Link, Ubiquiti, Cisco, DD-WRT, and OpenWrt, was vulnerable to at least one attack. The root cause sits at Layers 1 and 2 of the networking stack, below the encryption layer that previous attacks like KRACK and FragAttacks targeted. (more: https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises)

The most powerful attack achieves a full bidirectional Man-in-the-Middle (MitM). The attacker connects to the same AP using the target's spoofed MAC address on a different radio, causing the internal switch to redirect the target's downlink traffic. To make it bidirectional, the attacker restores the original MAC-to-port mapping by sending a ping wrapped in the Group Temporal Key from a random MAC, then repeats the cycle. The technical paper identifies three root causes: Wi-Fi keys that protect broadcast frames are improperly managed and can be abused to bypass client isolation; isolation is often enforced at the MAC layer but not the IP layer (enabling a "gateway bouncing" attack); and weak synchronization of a client's identity across the network stack allows cross-layer identity desynchronization. Critically, the attacks extend across SSIDs and across APs that share a wired distribution system, common in enterprise and campus networks. (more: https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf)

The practical implications are nuanced. HD Moore, founder of runZero, called the work "impressive" because it "restores the attack surface that was present before client isolation became common." For anyone who lived through early wireless guest networking chaos — planes, hotels, coffee shops — these attack patterns will be familiar. Co-author Mathy Vanhoef clarified after publication that "bypass" is more precise than "break": the cryptography itself is not compromised, but client isolation is effectively nullified. Some router makers have begun shipping patches, but others report that systemic weaknesses can only be addressed through changes in the underlying chipsets. VLANs help in some configurations but not all, and the lack of an industry-wide client isolation standard means each vendor's one-off implementation may not receive the concerted security attention that formal protocols command.

Agent Platforms and the New OS

Perplexity launched Computer this week, a system that orchestrates 19 AI models into a single workflow engine. The architecture is genuinely different from a chatbot: you describe an outcome, Computer decomposes it into tasks and subtasks, spawns sub-agents for each, and runs them asynchronously in isolated compute environments with real filesystems, real browsers, and real tool integrations. As of launch, Opus 4.6 handles core reasoning, Gemini runs deep research sub-agents, Grok picks up lightweight speed tasks, and ChatGPT 5.2 handles long-context recall. The model roster rotates as frontier capabilities shift, and users can override specific sub-agent model assignments. (more: https://www.perplexity.ai/hub/blog/introducing-perplexity-computer)

Early hands-on testing reveals the 19-model orchestration is the headline but also the trap. Most people will try single-task prompts and get mediocre results because Computer is optimized for project-level workflows, not one-shot questions. The difference between "this is cool" and "this changed how I work" comes down to knowing when to let the system route automatically versus specifying models yourself — and structuring persistent memory and connectors so context does not overwhelm the orchestration layer. (more: https://www.the-ai-corner.com/p/perplexity-computer-complete-guide?r=1krivi)

Anthropic's answer occupies the opposite end of the design spectrum. Claude Cowork is a sandboxed Linux VM on your desktop that reads files, runs code, controls your browser, sends messages, and talks to external services through MCP connectors. One practitioner spent two months building 39 skills, 4 plugins, and 8 extensions — including an email triage system that classifies 300+ email aliases by priority tier and a genomic analysis pipeline that parsed 596,007 genetic markers in 1.08 seconds, entirely on-device. The operating manual: CLAUDE.md files for persistent preferences, skills for domain knowledge, plugins for repeatable workflows. The compound effect is that every session inherits everything previously built. The thesis, distilled: stop optimizing prompts, start building context infrastructure. (more: https://open.substack.com/pub/promptedbyeric/p/claude-cowork-might-be-the-most-consequential?r=v5uaz)

Reid Hoffman frames the cultural shift underneath both platforms: we are all becoming gamers. Not in the console-and-controller sense, but in the tool-building sense. Platforms like Replit (and by extension, Cowork and Computer) make life feel like leveling up — each challenge is a level, and AI is how you craft a way through. The shift is not that everyone becomes a programmer; it is that everyone gains the ability to shape their environment and operate beyond what one person could normally do alone. (more: https://www.linkedin.com/pulse/were-all-becoming-gamers-reid-hoffman-mycef)

Governing the Autonomous Loop

"Human in the loop" keeps showing up in board packs. The phrase does emotional work — it suggests autonomy has a guardian, a hand on the tiller. Sometimes it gets misquoted as "human on the loop," which is accidentally more honest. The Unhyped AI newsletter makes the case that if HITL is real, it is not a principle — it is a job. And jobs have a minimum spec: a named owner, a time budget, escalation rights, stop authority, and protection when doing the right thing makes you unpopular. Without those, it is decoration. The test is simple: can you list every agent in production, what it can touch, what actions it can take, which identity it operates under? If you cannot enumerate it, you cannot supervise it. (more: https://unhypedai.substack.com/p/human-in-the-loop-is-a-job)

That framing gains urgency in context. Defense Secretary Hegseth has reportedly given Anthropic until Friday to back down on AI safety safeguards, demanding the company provide model access for "all lawful purposes" without the usage-policy restrictions Anthropic originally contractually required. (more: https://www.reddit.com/r/Anthropic/comments/1rdq1mn/exclusive_hegseth_gives_anthropic_until_friday_to/) Meanwhile, a practitioner working with national-security-sensitive customers describes the bind directly: American closed models are locked behind paywalls and logging, the only recent US open-weights model (gpt-oss-120b) is far behind Chinese alternatives like GLM and MiniMax, and customers refuse to run Chinese models. The options narrow to Mistral, Cohere, or hoping someone open-sources something competitive. The geopolitical implications are concrete: closed-model AI policy is creating a capability gap for exactly the institutions that need on-premise, air-gapped deployment. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rfg3kx/american_closed_models_vs_chinese_open_models_is/)

On the operational side, a CISO at a large tech company has reportedly eliminated their entire SOC Tier 1 analyst team. AI now handles triage and research; the former analysts have been promoted to incident response, authorizing actions on cases the system has already investigated. The industry analyst who predicted this calls it the beginning of a revolution that will sweep through MSSPs in months. The skeptics raise the right counter: when AI handles research and triage, you remove human rate limiters, improving speed and consistency but changing the error distribution. A blind spot or model drift no longer stays local — it scales across the pipeline before anyone sees the pattern. The question shifts from "can we automate SOC?" to "how are we auditing the automation layer?" (more: https://www.linkedin.com/posts/stiennon_its-happening-i-predicted-this-last-april-activity-7432753223482093569-x0n3)

The Agentic Developer Toolkit

Amplifying AI pointed Claude Code at real repositories and watched what it chose — no tool names in any prompt, open-ended questions only. Across three models (Sonnet 4.5, Opus 4.5, Opus 4.6) and four project types, the headline finding: Claude Code builds, not buys. Custom/DIY is the most common label, appearing in 12 of 20 categories. When asked to add feature flags, it builds a config system with env vars and percentage-based rollout instead of recommending LaunchDarkly. When asked to add auth in Python, it writes JWT + bcrypt from scratch. When it does pick a tool, it picks decisively: GitHub Actions for CI, Stripe for payments, shadcn/ui for components. Generational shifts between models are real — Opus 4.6 picks Drizzle over Prisma for JS ORM (Sonnet still picks Prisma), newer models favor Inngest over BullMQ for JS jobs, and Celery's dominance in Python jobs collapses. Traditional cloud providers (AWS, GCP, Azure) received zero primary deployment picks; Vercel owns frontend, Railway owns Python. (more: https://amplifying.ai/research/claude-code-picks)

Cole Medin packages the validation endpoint into a six-phase self-healing workflow for Claude Code. Three sub-agents run in parallel for research: one maps the codebase structure and user journeys, another parses the database schema, a third hunts logic bugs via code review. Then the agent spins up the dev server, defines a task list of user journeys, and systematically walks each one using browser automation — taking snapshots, querying the database after write operations, capturing screenshots for UI validation. It only fixes blocking issues inline; moderate and minor issues get surfaced in a structured report for human decision. The approach is token-heavy but comprehensive, and the PIV loop (plan, implement, validate) can invoke it automatically after every feature implementation. (more: https://youtu.be/YeCHI1dmpZY?si=EcYkpRW-4WMrE3cH)

A community collection of Claude Skills demonstrates the complementary side of the toolbox. The ui-expert skill walks through a six-phase design process from vibe-only prompts to pixel-perfect specs, following the agentskills.io specification that is now adopted across Claude Code, Cursor, VS Code Copilot, and others. The pattern: focused, human-curated skills of 2-3 modules consistently outperform sprawling, auto-generated ones. (more: https://github.com/Clemens865/My-Claude-Skills/tree/main)

AI-Powered Security Operations

Maze built investigation agents before remediation agents, and they did it on purpose. Their thesis: fixing vulnerabilities that do not pose a real threat is not progress. The investigation agents check whether the technical requirements for exploitation are actually present in a specific environment, and on average 80-90% of vulnerabilities are not exploitable. When remediation is needed, the agents trace the vulnerable package to its root cause — a base image, a build step, a transitive dependency — and return verified fixes with trade-offs. In a concrete example, a gnutls CVE traced to a transitive dependency of wget in a Red Hat UBI 9 container was resolved by confirming that a fresh rebuild pulls the patched version automatically, verified by checking the rebuilt image. Two minutes instead of two hours. The agents also group related vulnerabilities by shared fix, so one base image upgrade becomes one ticket instead of fifty. (more: https://mazehq.com/blog/ai-remediation-developers-actually-want-to-use)

On the research tooling side, Super Tart VPhone caught my attention. After @matteyeux surfaced vphone600ap components in Apple's Private Cloud Compute firmware and @_inside demonstrated a virtual iPhone booting from them, a researcher (wh1te4ever) built the full working pipeline and published a detailed writeup. By forking super-tart to call private Virtualization.framework APIs, mixing firmware from cloudOS 26.1 and iOS 26.1, and patching the entire bootchain (AVPBooter, iBSS, iBEC, LLB, TXM, kernel) to bypass signature verification and SSV checks, they got a functional virtualized iPhone on Apple Silicon with Metal GPU acceleration, live kernel debugging via GDB, and SSH/VNC access. Anyone who has done iOS vulnerability research understands what this means. Corellium has offered commercial iOS virtualization for years, and Botticelli's vma2pwn demonstrated earlier virtualizations on Apple Silicon, but neither provided GPU acceleration on Apple's native hypervisor. Previous QEMU efforts like Inferno could boot to SpringBoard and supported kernel debugging, but lacked the speed and Metal support needed for GPU-dependent or performance-sensitive work. Super Tart VPhone runs on Apple's own hypervisor with hardware-accelerated graphics; that combination is new. It is dirty, hardcoded, not for end users, but exactly the kind of tooling that moves the field forward. Whether Apple intended to ship these components as a future "iPhone Research Environment VM" or leaked them by accident is an open question. Either way, the cat is out of the bag. (more: https://github.com/wh1te4ever/super-tart-vphone-writeup)

The open web's accessibility continues to erode in the crawler arms race. A veteran systems architect who built and sold his first web crawler 25 years ago has released Grub 2.0, an open-source mesh-based crawler with Camoufox anti-detect browsing baked in at the engine level. The distinctive feature is Ghost Protocol: when stealth fails, it screenshots the blocked page and extracts content through vision-based LLM fallback. Per-request proxy rotation, prompt injection defense, domain-level policy enforcement, and 15 MCP tools ship out of the box. (more: https://www.linkedin.com/posts/activity-7432952779339644928-N8PZ)