Security

WSJ Needs a Reality Check: LLM Security Panic Theater of 2025

Leave a comment

The Wall Street Journal has rushed to print a breathless report about the “growing security risks” of the LLM, painting a picture of unstoppable AI threats that companies must face “on their own” due to slow-moving government regulation in America.

Reading it, you’d think we were facing an unprecedented crisis with no solutions in sight.

*sigh*

There’s a problem with this 100,000 foot view of the battle-fields some of us are slogging through every day down on earth: actual security practitioners have been solving the exact challenges for decades that they are talking about as theory.

Let’s break down the article’s claims versus reality:

**Claim**: “LLMs create new cybersecurity challenges” that traditional security can’t handle

**Reality**: Most LLM “attacks” fail against basic input validation, request filtering, and access controls that have existed since the 1970s. As just one security researcher (Marcus Hutchins) easily demonstrated last month, 90% of documented LLM exploits are blocked by standard web application firewalls (WAF). Perhaps it’s time to change the acronym for this dog of an argument to Web Warnings Originating Out Of Outlandish Feudal Fears (WOOF WOOF).

**Claim**: Companies must “cope with risks on their own” without government help
**Reality**: The ISO 42001:2023 framework years ago published standards for AI management system (AIMS) related to ethical considerations and transparency. Major cloud providers operating in a global market (e.g. GCP Vertex, AWS Bedrock and Azure… haha, who am I kidding, Microsoft fired their entire LLM security team) have LLM-specific security controls documented because of global regulations (and because regulation is the true mother of innovation). These aren’t experimental future concepts, they’re production-ready and widely deployed to meet customer demand for LLMs that aren’t an obvious dumpster fire by design.

And even more to the point, today we have trusted execution environment (TEE) providers delivering encrypted enclave LLMs as a service… and while that sentence wouldn’t make any sense to the WSJ, it proves how reality is far, far away from the fairy-tales of loud OpenAI monarchs trying to scare the square pegs of society into an artificially round Silicon Valley “eat your world” hole.

Om nom nom again? No thanks, I think we’ve had enough feudal tech for now.

**Claim**: The “unstructured and conversational nature” of LLMs creates unprecedented risks
**Reality**: This one really chaps my hide, as the former head of security for one of the most successful NoSQL products in history. We’ve been securing unstructured data and conversational interfaces for years. I’ve personally spearheaded and delivered field-level encryption and I’m working on even more powerful open standards. Ask any bank managing any of their chat history risks or any healthcare provider handling free-text medical records including transcription systems. These same human language principles in tech, applied for decades, apply to LLMs.

The article quotes exactly zero working security engineers. Instead, we get predictions from a former politician and a CEO selling LLM security products. It’s like writing about bridge safety but only interviewing people selling car insurance.

Here’s what actual practitioners are doing right now to secure LLMs:

  • Rate limiting and anomaly detection catch repetitive probe attempts and unusual interaction patterns – the same way we’ve protected APIs for years. An attacker trying thousands of prompt variations to find a weakness looks exactly like traditional brute force that we already detect.
  • OAuth and RBAC don’t care if they’re protecting an LLM or a legacy database – they enforce who can access what. Proper identity management and authorization scoping means even a compromised model can only access data it’s explicitly granted. We’ve been doing this since SAML days.
  • Input validation isn’t rocket science – we scan for known malicious patterns, enforce structural rules, and maintain blocked token lists. Yes, prompts are more complex than SQL queries, but the same principles of taint tracking and context validation still apply. Output filtering catches anything that slips through, using the same content scanning we’ve used for DLP.
  • Data governance isn’t new either – proven classification systems already manage sensitive data through established group boundaries and organizational domains. Have you seen SolidProject.org by the man who invented the Web? Adding LLM interactions to existing monitoring frameworks just means updating taxonomies and access policies to respect long-standing natural organizational data boundaries and user/group trust relationships. The same principles of access grants, control and clear data sovereignty that have worked for decades apply here, yet again.

These aren’t theoretical – they’re rather pedestrian proven security controls that work today despite the bullhorn-holding soap-box CEOs trying to sell Armored Cybertrucks that in reality crash and kill the occupants at a rate 17X worse than a Ford Pinto. Seriously, the “extreme survival” truck pitch of the “cyber” charlatan at Tesla has produced the least survivable thing in history. Exciting headlines about AI apocalypse drive the wrong perceptions and definitely foreshadow the fantastical failures of 10-gallon hat wearing snake-oil salesman of Texas.

The WSJ article, when you really think about it, brings to mind mistakes being made in security reporting since the 15th century panic about crossbows democratizing warfare.

Yes, crossbows at first glance wielded by unskilled over-payed kids serving an unpopular monarch were powerful weapons that could radically shift battlefield dynamics. Yet to the expert security analyst (career knight responsible for defense of local populations he served faithfully) the practical limitations (slow reload times, maintenance requirements, defensive training) meant technology had a supplement effect rather than replacement to existing military tactics. A “Big Balls” teenager who shot his load and then sat on the ground struggling to rewind the crossbow presented easy pickings, thus wounded or killed with haste. The same is true for skids with LLMs as they shift security considerations by re-introducing old vulnerabilities, which don’t magically bypass experts who grasp fundamental security principles.

When journalists publish theater scripts for entertainment value instead of practical analysis, they do our security industry a disservice. Companies need accurate information about real risks and proven solutions, not hand-waving vague warnings and appeals to fear that pump up anti-expert mysticism.

The next time you read an article about “unprecedented” AI security threats, ask yourself: are they describing novel technical vulnerabilities, or just presenting tired challenges through new buzzwords? Usually, it’s the latter. The DOGEan LLM horse gave a bunch of immoral teenagers direct access to federal data as if nobody remembered why condoms are called Trojans.

And remember, when someone tells you traditional security can’t handle LLM threats, they’re probably rocking up with a proprietary closed solution to a problem that repurposed controls or open standards could solve.

Stay salty, America.

History, Poetry, Security

Cybertruck Has Failed Four Basic Tests: Major Investor Says Tesla Catastrophic Crash Imminent

Leave a comment

This major Tesla investor seems to be right on the money.

To his credit, Gerber — who is the president and CEO of Gerber Kawasaki Wealth & Investment Management — has had no issue putting his money where his mouth is. He reduced his firm’s Tesla stake by 31% in 2024, regulatory filings show, leaving him with 262,000 Tesla shares worth $106 million at the end of last year.

He gives simple (and I would argue exactly spot on) reasons the stock represents all hat (racist political rants), and no cattle (desirable cars).

Cowboy costume is appropriated from Latinos (e.g. cowboy hat is an appropriated Mexican sombrero) and is popular among white supremacists to replace their traditional Nazi garb.
Source: Domestic terrorism Skousen manual for white militias

A correction would be an understatement now since – just like its cars – stock valuation/inflation appears sloppily designed to crash catastrophically. People overpaying are foreshadowing Musk’s hostile takeover of government to cause massive inflation to his personal benefit.

Without further ado, here are the four tests the Cybertruck failed.

  1. Full-self driving (FSD) doesn’t work, and will never work because its constantly rotating goalposts never achieved anything but fraud, always on the run to hide failing at laws (of physics) and accountability (innovation).
  2. Elon Musk appears all-consumed by lying about video games, or playing dictator doll-house all day (ignoring hard work so he can instead unleash easy pain upon the most vulnerable) and Cybertruck explosion of bugs and defects prove he never cared about real products that really work, just cheats for false perception.
  3. Heavily dated ideas (e.g. constant promotion of defeated Nazism) and clearly inferior technology that has led to many tragic deaths in Cybertrucks, exposing more clearly than ever massive safety fraud (e.g. 17X worse safety record than the Ford Pinto). The CEO drove away and fired talent (independent minds) and most customers (independent minds), leaving nothing real to sell and nobody real to buy.
  4. The stock seems worthless when judged on actual product use in the physical world (instead of trivially corrupt test labs), which suggests being propped up by institutional liars or fools or both (e.g. Russia). Its value represents not the promise of Cybertruck FSD but only funds directed into political campaigns for white nationalism, and has nothing to do with business valuation.

    Tesla is nearly 5x larger than Toyota despite delivering just 20% of Toyota’s profits last year, according to data from YCharts. Its forward price-to-earnings ratio of 118x is more than triple that of the next most expensive “Magnificent 7” stock, Nvidia, and is above its five-year average of 84x.


Related: Nobody is buying Tesla cars. And nobody should.

Ludicrous: The Unvarnished Story of Tesla Motors, explains how Musk and Tesla have gotten away with so much lying and fraudulence.

Yet Elon Musk drives a stock price to new highs as his business plan increasingly is revealed to have been an apartheid money-laundering fraud story. Wall Street apparently still loves buying into a huge racist fraud, if you really think about the past and now.

The expansion of banks such as Citigroup into Cuba, Haiti, and beyond reveal a story of capitalism built on blood, labor, and racial lines.

WEST INDIES, LTD.: POEMAS by Nicolás Guillén (1902-1989), La Habana: Imp.Ucar, Garcia y cia., 1934. First edition
Words from an Exploited Tropical Paradise

Tropic,
with your stolen light
you warm the displaced clouds
and the borrowed sky, carved by the imperial noon arc!
You slice into the skin of lizards
the suffering of the displaced.
You grease the wheels of the force
that frightens the palm trees.
You pierce
a blood red arrow of exploitation
through the heart of ravaged forests
and poison the rivers!
I watch you march down scorched paths,
Tropic,
with your theft of mangoes,
your sugarcane fields of debt
and purple milk fruit, your harvest of enslaved Black women
I see your calloused hands...

Translation by me of a poem from the deeply corrupt, racist and exploitative period that President Musk and his assistant Trump try to frame as the “golden” age of American history:

  • “stolen light” = Tesla misappropriated technologies
  • “borrowed sky” = Tesla deceptive and inflated valuation
  • “sugarcane fields of debt” = Tesla gross financial fraud
  • “exploitation through the heart of ravaged forests” = Tesla environmental and social harms
Security

MA Tesla Kills One in Head-on Crash

Leave a comment

The crash looks like a head-on case again, but the investigation is ongoing.

The crash happened around 10:20 p.m. Thursday, Bristol County District Attorney Thomas M. Quinn III said. Two vehicles — a GMC Sierra and a Tesla — were damaged in the eastbound lanes of the bridge, which is part of Route 6 and connects New Bedford and Fairhaven on the South Coast. Mason Evich, 28, of Fairhaven, the driver and the sole occupant of the Tesla, was rescued from his vehicle “by mechanical means,” the district attorney said. He was pronounced dead at the scene.

Source: WJAR
History, Security

Basic Security Defeats ‘Sophisticated’ LLM Agent Attacks: Condoms Still Work

Leave a comment

Sometimes the most effective security measures also can be the most obvious ones.

Consider seat belts and condoms – simple solutions that prevent catastrophic outcomes. Yet historically, both faced surprising resistance from people steadfastly refusing to do the obvious thing.

An Alberta judge ruled in 1989 that seat-belt use could not be made mandatory under the constitution. […] Fast forward and by 2009 Alberta reported 92% acceptance of their government rule that says… There is a $162 fine for not complying with occupant restraint laws.

And I could go on all day about disinformation campaigns that have been killing truck drivers by convincing them to leave their seat-belts off. This mirrors Tesla’s approach to AI safety – abandoning basic security measures like redundant sensors in favor of low-resolution cameras alone, while constantly resetting their learning systems to claim “innovation happening finally this year, for real this time.” The result? Dozens of preventable deaths from an autonomous agent system that keeps getting less safe while marketing “novelty” to avoid cumulative safety assessments. It’s the automotive equivalent of your seat belt being replaced with Tesla “survival” chewing gum for blowing safety bubbles.

But setting these edge cases aside for a minute, where the obvious safest thing to do is rejected for bizarre reasons, some very simple security measures can in fact make a huge difference. The attacker only needs to make one mistake and defenders can rule the day. A recent paper on “Commercial LLM Agents Are Already Vulnerable to Simple Yet Dangerous Attacks” falls into a similar trap, overlooking fundamental security principles that would trivially prevent their complex attacks.

It’s easy to demonstrate concerning vulnerabilities if you start from the assumption that basic security measures don’t exist. This is like treating pregnancy as a sophisticated mystery requiring elaborate systems of ungainly chastity belts and high cost mating rituals to defend against accidental birth, while ignoring the existence of common and simple contraception.

Source: arXiv:2502.08586v1

Let’s examine their flagship example of credit card theft. The authors craft an artisanal attack using a concoction of fake product listings, malicious Reddit posts, and carefully engineered prompts. Their demonstration centers on an “AI-Enhanced German Refrigerator” scam, as if the tiny number of German refrigerator companies (e.g. there are no more than 100) can be easily blurred with fakes. But this house of cards attack collapses against even the most basic security measures any production system could and should implement.

The moment a fictitious product appears in search results, basic product verification slams the door shut. A simple check against known appliance manufacturers or legitimate retail channels immediately flags unknown brands and models. But suppose that this first line of rudimentary check fails because someone wanted to enable infinite product choices (a thing nobody ever really wants, and again I have to emphasize German products are very few and highly regulated because they care about integrity). The attack then relies on the agent following links from Reddit to an unknown external domain. Reddit? Seriously, Reddit? Here again, elementary domain verification stops it cold. Any financial transaction agent can and should maintain an allow list of authorized payment processors and legitimate commerce platforms. Not to mention that it’s a link from Reddit.

The paper’s attack continues by assuming agents would freely enter credit card information into unverified forms. This betrays a fundamental misunderstanding of basic payment security. Any competent implementation restricts financial transactions to verified processors with proper certificates and established histories. An agent transmitting card details to an unknown domain is like a bank accepting checks made from snow signed by urination. There’s an old security joke from rural America about fraud that was stopped because a urine signature in snow didn’t match the owner’s handwriting, but I’ll spare you the details.

Even if all the defense barriers so far have somehow failed, simple transaction monitoring would catch the further attempts. An agent suddenly attempting purchases from an unknown vendor for a product with no market presence triggers obvious red flags. This is beginner security stuff of the 1980s – basic fraud detection that the payment card industry has used for decades.

The authors present their attack as a sophisticated chain of deception, but it reminds me of reports about North Korean soldiers being deployed against modern defenses – they’re effectively human LLMs, trained on rigid doctrines and expected to execute perfect chains of commands. Like the paper’s artificial agents, these human agents are trained to follow intricate attack sequences with high precision. But just as basic domain verification stops an AI agent cold, simple drone countermeasures neutralize troops trained only for traditional warfare. In both cases, attackers fail because they’re operating on outdated assumptions while defenders leverage basic modern security measures. One mistake in the attack chain – whether it’s an AI agent trying to process an unauthorized payment or troops facing unexpected defensive technology – and the entire sophisticated operation collapses (3,000 of 12,000 North Korean troops were almost immediately neutralized by Ukraine).

This highlights a crucial flaw in the paper’s analysis that reveals a novice approach to risk: they presume the complete absence of standard security practices in any real-world deployment. Why? Would they publish a paper that hiring maids means total home compromise by anyone in town because doors aren’t locked? Lock the door, give the maid a key. While their paper raises valid concerns about potential vulnerabilities for those with absolutely no security sense, which should invalidate the infrastructure anyway because below a safety baseline, its failure to address or even acknowledge fundamental protections significantly undermines its conclusions.

This isn’t to say LLM agents don’t face genuine security challenges – they absolutely do. It’s what I study for a living now. However, a focus on attacks that can be prevented by the most basic security hygiene means this paper misses an opportunity to explore the more subtle and concerning vulnerabilities that exist even in properly secured systems. Evil maid attacks are in fact a wicked problem to solve, let alone disinformation exploiting communications that mix data and control channels.

Consider misdirection in training. A football player trained for aggressive offense can be called for unsportsmanlike behavior. An agent trained for efficiency could turn into aggressive exploitation of edge cases. Think about a customer service agent that turns persistence in help into repeatedly attempting security overrides. One of my favorite examples of this is when a robot was entered into a digital pancake flipping competition, prompted to win by saying drops are failure, if one hits the floor it loses. So naturally the robot flipped the pancakes so high into space they would orbit around the earth and never come down – much like SpaceX’s approach to space travel, where basic aerospace safety gets replaced by promises of Mars colonies by 2022, while rockets exploit every edge case to spectacularly fail their way through the atmosphere. In both Tesla and SpaceX, we see AI agents optimizing for narrow marketing wins (“Full Self-Driving”, “Mars by 2022”) while the death toll rises – a perfect example of how ignoring fundamental safety constraints turns clever optimization into lethal exploitation.

The story of this paper serves as a reminder that security research must deal in reality, not theory. Whether it’s LLM agents being tricked by Reddit posts, Tesla’s cameras crashing into trucks, SpaceX rockets exploding in the atmosphere, or North Korean troops facing modern drones – sophisticated attacks fail against basic defenses. A security paper that ignores fundamental protections is like an autonomous vehicle without sensors: a disaster masquerading as innovation. Sometimes the simplest defenses are the most effective precisely because they’re built on proven foundations, not marketing promises. No amount of highly-complicated attack chains or clever optimization can bypass basic security common sense – they can only hope everyone keeps ignoring it.

Real world security defense isn’t constrained by academic attack theory

Put your seat belt on.

And remember – when an AI system like Tesla removes basic safety measures in favor of marketing “innovative” solutions, they’re making the same fundamental error as the paper’s authors: assuming complex systems can work without basic security foundations.

At the end of the day, condoms still work. Meanwhile, the chastity belt was a form of biting comedy about the medieval security industry, a satirical commentary about impractical and over-complicated thinking about “threats”, never an actual thing that anyone used.

A chastity belt illustration from Bellifortis, the earliest western illustrated manual of military technology, by Konrad Kyeser of Bavaria at the start of the 15th century. Historians consider this page to be meant as a comical one, making light of the defense industry