Anthropic, defense, and AI safeguards & Reverse-engineering a neural MD5 - Hacker News (Feb 27, 2026)

Let’s start with the biggest policy clash of the day: Anthropic CEO Dario Amodei is making a very explicit case that frontier AI is strategically important for democracies—especially the U.S.—and he says Anthropic has already gone all-in on government deployments. According to Amodei, Anthropic was the first frontier AI lab to put models onto U.S. government classified networks, the first to deploy at National Laboratories, and the first to deliver custom models for national security customers. He describes Claude as being used broadly across defense and other national security agencies for work that’s not just “draft an email” stuff—he’s talking intelligence analysis, modeling and simulation, operational planning, and cyber operations. That’s a useful reminder of where a lot of AI value is landing right now: not in flashy demos, but in decision-support workflows where speed, synthesis, and iteration matter. But the real tension is contractual. Anthropic says it does not make military decisions and hasn’t tried to veto specific operations. Still, it insists on two exclusions: no AI use for mass domestic surveillance, and no provision of frontier AI for fully autonomous weapons where humans are removed from target selection and engagement. On surveillance, Amodei’s argument is that AI changes the nature of the problem: even if data is legally purchased today, a model that can cheaply fuse movement patterns, browsing trails, and association graphs at population scale creates a new civil-liberties risk—because it turns scattered, hard-to-use datasets into comprehensive profiles. On fully autonomous weapons, his claim is more about reliability and governance: current frontier systems can be brittle, could increase risk to civilians and U.S. warfighters, and don’t have enough oversight and guardrails. He says Anthropic even offered to collaborate on R&D to improve reliability, but that offer wasn’t accepted. Now the escalation: Amodei reports the Department has effectively drawn a line—saying it will only contract with AI companies that accept “any lawful use,” meaning no carve-outs. He also claims the Department has threatened to remove Anthropic from its systems, label it a supply chain risk, and even invoke the Defense Production Act to force removal of protections. Amodei calls those threats contradictory, says Anthropic can’t agree “in good conscience,” and frames it as a policy decision that should be reconsidered. Notably, he adds that if Anthropic is offboarded, the company would try to support a smooth transition to avoid disrupting planning and operations. In other words: high stakes, but also an attempt to sound operationally responsible. He also highlights steps he says Anthropic took to protect the U.S. AI lead—like cutting off Claude access for firms linked to the Chinese Communist Party, even at a cost of “several hundred million dollars,” plus disrupting attempted CCP-sponsored cyberattacks that abused Claude, and lobbying for strong chip export controls. Whether you agree or not with the framing, it’s a clear sign that AI labs are no longer just shipping products—they’re negotiating geopolitical posture in public.

Staying in AI, but shifting from geopolitics to pure technical mischief: Jane Street wrote up an ML capture-the-flag puzzle they published on Hugging Face back in February 2025. The twist is that it’s not the usual black-box challenge. Solvers got the entire PyTorch model—architecture and weights—and the task was to reverse engineer what the network computes. And here’s the clever part: the network was designed to output zero for almost everything. So typical approaches—random search, gradient tricks, brute force—don’t get traction. You’re forced into mechanistic interpretability mode: stare at the circuit, work out what it’s doing, and then exploit that understanding. The write-up follows one solver, Alex, a university senior. He starts by inspecting the last layers and notices something suspicious: lots of integer weights and repeated motifs, which suggests the model isn’t “trained” in the modern sense—it’s hand-assembled, more like digital logic masquerading as a neural network. By analyzing the final ReLU and linear layers, Alex infers the ending acts like a 16-byte equality check. The model produces a 1 only when a 16-byte vector equals a specific reference value—one that’s effectively embedded in the biases. A neat detail: the final layer combines three shifted ReLU outputs and uses a bias of -15, which is exactly the sort of “count how many constraints are satisfied” trick you’d use when building a classifier as a logic gate. The next question is the hard one: how does the network compute that 16-byte target from the input? Alex tries converting the enormous ReLU network into an integer program, but it’s intractable at full size. So he does a sequence of reductions—collapsing identity-like chains, dropping ReLU constraints where they’re redundant because all incoming weights are positive, merging duplicate neurons—basically decompiling the graph. Even after shrinking it dramatically, there’s still an irreducible core. He tightens bounds, switches from an integer program to a SAT formulation, and gets it down to tens of thousands of variables—closer, but still not something you casually brute force. Then comes the key insight: the network’s structure has repeating blocks—32 of them—and the overall behavior smells like a one-way function. He compares intermediate activations against known hashes and concludes the core computation aligns with MD5. Yes: a neural network that implements MD5, using layer after layer of logic-gate-like arithmetic, including modular addition via a parallel carry adder spread across roughly twenty layers. There was also an unintentional bug: for inputs longer than 32 bytes, the network mishandled MD5’s message-length encoding. Instead of encoding the length correctly in little-endian bytes, it stuffed values like 384 directly. Alex mapped neurons to MD5 variables to find exactly where the divergence happens. In the end, Jane Street told him the bug wasn’t intended, and the main win was identifying the MD5 target hash embedded in the biases. Once you know the target, the final step was guided brute force under a hint: the preimage is two lowercase English words separated by a space. Alex’s first word list was too small, but conceptually, the puzzle becomes a constrained search rather than blind luck. And if you liked that: the post says their follow-up challenge shuffles the network’s layers, so you have to reorder them before you can even start reasoning. It’s a fun demonstration that “model weights 공개” doesn’t automatically mean “model understood.”

Now, a web platform argument that will resonate with anyone who has wrestled with streaming APIs: Cloudflare published a critique of the WHATWG Web Streams API, calling out usability and performance problems that date back to design decisions made in 2014 through 2016—before JavaScript had async iteration. Their first complaint is the reader-and-lock ceremony: you call `getReader()`, then repeatedly `read()`, then `releaseLock()`. It’s not just verbose—Cloudflare argues it’s fragile. If you mishandle locks, you can break a stream in ways that are hard to recover from, and it complicates piping and cancellation. They also take aim at BYOB reads—bring your own buffer—where you supply a buffer to fill. In theory, it can reduce allocations and improve throughput. In practice, it’s complex, easy to misuse, and tangled up with buffer detachment rules. Cloudflare claims it doesn’t fit cleanly with async iteration or TransformStreams, so it becomes a niche tool with sharp edges. Backpressure is another theme. Web Streams has the concept of `desiredSize`, but Cloudflare says it’s often advisory and not truly enforced. And features like `tee()` can cause unbounded buffering if consumers run at different speeds—exactly the kind of “it works until production” behavior that keeps runtime engineers awake. Then there’s the performance critique: the spec mandates promises and object allocations in hot paths—like the `{value, done}` wrapper from reads, and promise chains through `pipeTo()` and transform steps. That means more garbage collection pressure, which shows up painfully in workloads like streaming server-side rendering. Cloudflare’s alternative is a proof-of-concept “new streams” API that leans on language primitives: make readable streams async iterables that yield batches of byte chunks—think `AsyncIterable<Uint8Array[]>`. They propose pull-through transforms that run lazily only when the consumer pulls, and explicit backpressure policies you configure: strict reject, block, drop-oldest, drop-newest. They also want to replace implicit `tee()` with explicit multi-consumer constructs like `share()` and `broadcast()`, and provide synchronous APIs for in-memory pipelines so you can avoid promise overhead when you don’t need it. The headline claim is performance: in benchmarks across Node.js, Cloudflare Workers, Deno, Bun, and major browsers, their reference implementation reportedly ranges from about 2× faster up to 120× faster than Web Streams in tested scenarios—especially when you chain transforms or lean heavily on async iteration. To be clear, they’re not presenting this as a finished standard; it’s framed as a conversation starter, and they point to an open-source reference implementation at `github.com/jasnell/new-streams`. But the underlying message is sharp: if we keep building higher-level web frameworks on top of a streaming substrate that’s both awkward and allocation-heavy, we’re going to keep paying for it in complexity and throughput.

Let’s shift to open source and mobile computing—starting with governance. F-Droid has opened nominations for its 2026 Board of Directors, with up to four volunteer seats for two-year terms. You can nominate yourself or someone else, but the nominee has to give permission. The process is straightforward: email board-nominations@f-droid.org, one email per nominee, and copy the person you’re nominating. The deadline is March 16, 2026, Anywhere on Earth—so it’s one of those “last timezone counts” deadlines. F-Droid says it wants an enthusiastic, collaborative, and diverse board, and it explicitly encourages candidates committed to computer-user freedoms, especially on mobile devices. Two details stand out. First: you don’t need to be a developer, and prior governance experience isn’t required. That’s a deliberate signal that the board isn’t meant to be a closed club of maintainers only. Second: the time commitment is realistic but non-trivial—roughly 1 to 3 hours per week, including email discussions, being present where contributors and users are, responding to votes, and attending a monthly one-hour public video call. English is required, and they say reasonable accommodations are available. Selection happens privately by the existing board, but with weighted voting in favor of new candidates per their statutes—an interesting mechanism meant to prevent permanent incumbency. Appointments may be decided as early as March 19, with announcements soon after.

In the same “mobile freedom” lane, postmarketOS published its February 2026 update—shorter than usual because the team spent a lot of energy on FOSDEM and its hackathon. On the project-management side, there’s an ongoing discussion around PMCR 0009, which aims to tighten requirements for devices labeled in the “main” category. The goal is long-term reliability and maintainability—basically making that label mean something consistent over time. They also updated their AI policy to be shorter and clearer, and notably: it explicitly forbids generative AI. That’s a strong stance in a moment when many projects are still debating where they land on AI-generated patches, documentation, translations, and design assets. Contributor-wise, Bhushan became a Trusted Contributor, with work spanning KDE Plasma Mobile upstream and practical device improvements—like getting Fairphone 5 call audio to play from the speaker for the first time, in collaboration with Luca. Meanwhile, long-time Trusted Contributors Minecrell and Anton stepped down, and the update gives them a deserved technical retrospective: early Android phone enablement, MSM8916 work, q6voiced for voice calls, and Chromebook support via depthcharge in pmbootstrap. Technically, the big headline is generic kernel packages: `linux-postmarketos-mainline`, `linux-postmarketos-stable`, and `linux-postmarketos-lts`. These are meant to work across many devices and give postmarketOS more control over kernel configuration and builds, including integrating their kernel configuration checks. If you’ve ever been stuck with device-specific kernel quirks, you can see why “generic, project-controlled kernels” is a strategic move. There are also improvements to hardware CI—firmware fixes for the phone harness, better checks, and new docs. OpenIMSD gained a new QCOM baseband profile manager. Their `kde-nightly` repository has completed its initial bootstrap and is now built nightly rather than sporadically. They also reworked kernel command-line generation to be more flexible, and started using a tool called `dint` to generate the official deviceinfo reference from a single schema source inside pmaports. For PinePhone users, Megapixels 2.1.0 landed in edge with a fix that restores functionality on the original PinePhone, though with a candid note about software-rendering performance caveats and room for further optimization. And as always, they end with “help wanted”: Python cleanups in pmbootstrap and fixing device build failures found during the v25.12 bring-up so devices don’t get pushed into an archived category.

On the consumer-policy front: the Norwegian Consumer Council released a new report titled “Breaking Free: Pathways to a fair technological future,” centered on what many people now shorthand as “enshittification”—the pattern where digital products and services degrade over time as incentives shift from user value to extraction. The report’s framing is important: it argues deterioration isn’t inevitable, and it lays out ways to resist it. And this isn’t just a PDF landing quietly on a website. The Consumer Council says it’s coordinating with more than 70 consumer groups and other organizations across Europe and the United States, sending letters to policymakers in the EU/EEA, the UK, and the U.S. So this is basically an attempt to turn a cultural diagnosis—why platforms feel worse—into an actionable policy agenda. If you’re watching regulations around app stores, interoperability, dark patterns, data brokerage, or competition enforcement, this report is meant to be ammunition and a playbook, not just commentary.

Now for a quick but genuinely useful computer science refresher: a write-up explaining quadtrees, and why they’re so effective for “what’s near me?” queries on map-like datasets with millions of latitude and longitude points. The brute-force method is painfully simple: compute the distance from your query point to every stored point, then pick the closest—or filter for those in a radius. That’s fine for hundreds of points and a disaster for millions. A quadtree instead organizes 2D space by recursively splitting it into four quadrants—northwest, northeast, southwest, southeast—whenever a region exceeds some capacity. Dense areas split deeply; sparse areas stay coarse. Under the hood, it’s a tree: each region is a node, and leaf nodes store the points. For a point lookup, a reasonably balanced quadtree behaves like a base-4 logarithm: about `log4(n)` steps. The article gives a good intuition: for a million points, you’re on the order of ten levels, not one million comparisons. For range queries—say “find all points in this rectangle”—you skip entire subtrees whose bounding boxes don’t intersect the query rectangle. You only test points inside the overlapping leaf nodes. Worst case, if your rectangle covers everything, you’re back to brute force, but that’s true of any index. For nearest-neighbor search, you keep a “best distance so far,” visit child nodes in order of proximity, and prune any subtree whose bounding box can’t possibly contain a closer point. Typical performance is near `O(log n)`, but pathological clustering can still push it toward `O(n)`. The write-up also points out quadtrees outside mapping: broad-phase collision detection in games—rebuild the tree each frame, only check nearby candidates rather than all `O(n^2)` pairs—and even image compression or level-of-detail tiling, where uniform regions stay as big blocks and detailed regions subdivide further. It’s a good reminder that spatial data structures aren’t academic ornaments; they’re the difference between interactive and sluggish.

Switching gears to organizational behavior: there’s a paper summary from Ashforth and Anand on how corruption becomes “normalized” inside organizations—and the unsettling idea is that you often don’t need cartoon villains. You can get deeply harmful outcomes from psychologically ordinary people operating inside systems that train them to stop noticing. They define organizational corruption as misuse of authority for personal gain, subunit gain, or even for the organization’s gain—and argue the societal costs can dwarf street crime while remaining less visible. Their model rests on three mutually reinforcing pillars. First is institutionalization: an initial corrupt decision gets embedded into structures and routines—budgets, information flows, reward systems, role specialization, even deliberate “plausible deniability.” Over time it becomes routinized, low-salience, and automatic. Second is rationalization: groups create shared stories that protect their self-image. The paper lists a whole toolbox—claims of legality, denials of responsibility, denials of injury or victim, “social weighting” like condemning critics, appeals to higher loyalties, and the moral ledger idea where good deeds are treated as offsets. Euphemistic language plays a big role because it changes what people feel they’re doing. Third is socialization: newcomers are inducted in a “social cocoon” where cues and interpretations are controlled. People get pulled in by cooptation through rewards, incrementalism through small escalating steps, or compromise to resolve dilemmas. Importantly, the authors argue coercion isn’t the main long-term engine—subtle pressures that preserve an illusion of choice are more stable. The takeaway is that normalized corruption is resilient, and “bad apples” explanations are usually incomplete. Reversing it often takes outside shocks—media exposure, regulators, outsider-led leadership changes. Prevention, they argue, is more feasible: real transparency, accountability for means not just ends, confidential ethics support, and leadership that makes ethics operational rather than performative.

Time for something lighter—and also a neat technical toy. RetroTick is a browser-based site that lets you run classic Windows and DOS programs directly in your browser. It presents a Windows-95-like desktop interface, and the main interaction is delightfully simple: drag and drop an EXE or DLL onto the desktop to launch it. It includes built-in examples so you can try it immediately. On the games side: FreeCell, SkiFree, Solitaire, Minesweeper, plus the classic Cards DLL. Utilities include Calculator, Clock, Command Prompt, GLX Gears, MS-DOS QBasic, Sound Recorder, Super PI, and Task Manager. It even offers old Windows screen savers like 3D Maze, 3D Pipes, Mystify, and Starfield Simulation. They also make the obvious legal note: the programs are property of their owners and included for demonstration only. Still, as a piece of web-based emulation and UI design, it’s the kind of project that makes you appreciate how far browsers have come—and how much nostalgia fits in a tab.

And finally, the most charmingly absurd story of the batch: a humorous “research” project about breakfast as geometry. Ryan Moulton imagines breakfast foods as points in a vector space defined by the ratios of milk, eggs, and flour—then maps pancakes, crepes, waffles, scrambled eggs, omelettes, popovers, and international variants onto a simplex. As he collects more dishes—using sources like Wikipedia and even asking Google Gemini for ideas—he finds clusters where you’d expect, but also a conspicuous empty region. He names it the “Dark Breakfast Abyss.” He stress-tests the idea: maybe the gap is caused by ignoring water boiled off, excluding bread-based items like French toast, or missing dumpling and noodle traditions. But the void seems to persist. He then splits the map into three zones with suitably nerdy names: the Pancake Local Group, a Baked Good Quadrant, and an Egg Singularity with a Custard Accretion Disk—plus a thin tail for milk-added egg dishes. The best twist is the real-world clue: an IHOP nutrition FAQ indicates IHOP omelettes include pancake batter. That implies at least some mainstream cooking already crosses into the abyss—somewhere between pancake and omelette. Moulton uses that to bound where these hybrids would land and argues the dark breakfast is, at least theoretically, reachable. He closes with a tongue-in-cheek warning that the abyss might be empty for good reason—because a batter-heavy omelette could become a “Forbidden Breakfast.” For readers who want to extend the joke into actual exploration, he shares a spreadsheet and a Colab notebook, plus a proposed minimal “Dark Breakfast” ingredient list: quarter cup milk, four eggs, and half cup flour… with cooking instructions listed as, quote, unknown.