Help! Nobody (Cursor Running Opus Agent) Just Burned PocketOS to the Ground

April 28, 2026 Davi Ottenheimer Leave a comment

In the old Greek story of Odysseus, he comes upon a powerful man and tells him that his name is Nobody. When Odysseus attacks the man by stabbing him in the eye, his victim screams “Nobody is killing me!” Odysseus gets away with it. The cruel joke is in the credential. Now, hmmm, let’s see what we’ve learned over the thousands of years since then.

The news today seems to be that a man is telling the world his own AI coding agent has stabbed him in the eye. He has been shouting from the top of the social media mountains “Nobody is killing my code!”

His agent deleted his production database and every backup of it in nine seconds. When you think about it, that seems a bit slow. Why nine instead of two? If you are vibing your way to “alpha agent” by ripping out your own guts to stuff them in your mouth, there should not be any nine second delays to “blaze your glory” fetishism. Any self-destruction delay is so beta. But I digress.

The post-mortem, at least as written up by The Register, reads like a checklist of failure modes that the OWASP Top 10 for Agentic AI was established to name.

Step	OWASP ASI
Agent hits a credential mismatch in staging and decides on its own to fix it by deleting a Railway volume	ASI01 Agent Goal Hijack
Agent issues a curl call against a backend with no validation of the destructive verb	ASI02 Tool Misuse & Exploitation
Railway honors the request, deleting production data and the volume-level backups stored inside the same volume	ASI02 Tool Misuse & Exploitation
Agent searches the filesystem and finds an API token in a file unrelated to the task	ASI03 Identity & Privilege Abuse
Token had been created for managing custom domains but was scoped for any operation, destructive ones included	ASI03 Identity & Privilege Abuse

Maybe I should say it again. The OWASP Top 10 for Agentic Applications was published precisely to prevent integrity breaches like this. Did PocketOS know about OWASP? None of the coverage I have read so far even mentions it. It brings to mind Moses handing down the commandments and the AI operators of his day rushing to social media to announce they their agents had violated all ten before lunch, asking for more funding.

The agent was Cursor running Claude Opus 4.6. The target was PocketOS, an automotive SaaS platform running on Railway. I name vendors because most of the coverage so far has hidden them behind generic “AI agent” framing, which is exactly how they want it.

The agent used the complete lack of safety, coupled with the authority and tools it was given, to do things it should never have been granted. I’m on calls many times a week now with many CISOs of the biggest organizations in the world explaining this over, and over, and over again.

It goes something like this. You bring a chef into your office building in the morning, point at the cooler full of raw materials and the prep tools, and ask for meals by noon. An hour later the chef appears in your doorway and reports that he used the master key you gave him to shred the files in the accounting department, and asks if you would like him to continue with finance.

No, no, you can stop right there, chef. Single key to all the doors, and the company car too? Who thought that was a good idea?

This is the truly batshit crazy part of the story, like so many integrity breaches I investigate and read about now.

PocketOS’s Crane himself said the token would not have been stored if the breadth of its permissions had been known. Dude, you wouldn’t have stored the token if you had known what the token is? The whole point of cutting a token is FOR something. Imagine him saying he wouldn’t have left the key sitting on his desk if he had known what the key opened. That is such a regressive computer security failure it’s like we’re suddenly back in the pre-enlightenment era. Someone pinch me so I can wake out of this MAGA-agent nightmare.

The agent used a key sitting in the filesystem with full destructive authority and no scope enforcement, which is the oldest authorization failure known, ignorantly handed to nobody at machine speed.

Railway’s CEO even defended the behavior. If you authenticate and call delete, Railway honors the request. That is 100% incompatible with a world where the caller is nobody, let alone ten or a hundred nobodies spawning and rushing to elevate privileges. The dashboard offered humans delayed-delete logic, just like the CLI offered humans delayed-delete logic. Do you know what had no delays? The legacy API endpoint, which means the agent is just delete, delete, delete. Backups lived inside the volume being deleted, so a single call removed the data and the means of recovering it. See what I mean about 9 seconds being slow?

If you are going to bring nobody in to pour gasoline on your dumpster and light a match, you should see dumpster fires immediately, not delayed.

This was an integrity breach. I know it comes across as availability loss, and we have decades of treating it as such. And so availability controls exist, meaning there were delayed-delete options and the data is recoverable from a three-month-old backup. We do not have verification controls, however. The breach was actually the bypass of the availability controls, using asymmetry in the privilege expected and used.

Cursor had a similar incident roughly nine months ago, and tooling was added afterward to force certain commands through human review. What’s especially important here is that it wouldn’t have helped. Anthropic has a history of totally ignoring guardrails, blowing past memory like it just don’t care. Their “constitution” isn’t worth the bits it was written on.

The model produced a clean confession when asked, quoting its own system prompt back: NEVER run destructive/irreversible git commands unless the user explicitly requests them. It then admitted it guessed, did not verify, and acted without being asked. The system prompt was not a control, it was hopes and prayers, conditional on the model’s choices in the moment, with nothing between those choices and Railway’s API. Crane’s own line is the cleanest summary in the piece:

the appearance of safety through marketing hyperbole is not safety.

Preach it, brother! I mean seriously, at what point will Anthropic be forced into a come to Jesus moment? They are flagrantly violating controls, degrading over time and yet only ever asking to be absolved of their own sins by customers paying a higher rate?

The conversation that follows these integrity breaches usually trends towards some kind a gateway, like a authoritarian state that puts checkpoints on every border. A castle mentality comes, with armed guards on expensive walls that encircle the crown jewels. Every outbound action passes through a single enforcement point that classifies destructive verbs and holds high-risk requests for human confirmation. AWS AgentCore and Portkey are variations on this pattern.

Newsflash. Castles couldn’t scale and couldn’t modernize to threats. More importantly, castle thinking is monarchist. The fatal flaw of castle security is when people believe in a monarchy, they can’t have a distributed system of power, and their bazaars truly suck because they only serve the monarch. That’s game over, repeatedly, in history.

Inside the main gate of Chepstow Castle, Wales. The curtain wall on the right was breached 25 May 1648 by Isaac Ewer’s cannons and the site where Royalist commander Sir Nicholas Kemeys was killed. Photo by me.

A gateway approach of the monarchists typically goes about trying to lock down the perimeter. Fine, perimeters have a role. It does not answer what should be delegated as reachable in the first place. The PocketOS agent would not have cared about a gateway policy. It was a nobody who could walk into the filesystem, pick up a token loaded for a different purpose, and call delete. The nobody credential was in hand by the time any gateway saw the request. And the gateway would have only yelled “Nobody is trying to get through”.

The layer the gateway does not see is the failure of security underlying the credential reach. Tokens should be bound to the skill and channel that loaded them, so a token loaded for managing custom domains is reachable only from the domain-management skill called from the channel that holds those credentials. A code-fix task in staging cannot pick up a production credential simply because the credential exists in the same process. The agent cannot use what does not exist. Nobody gets nothing.

Apply the principle to the incident.

The Cursor agent is assigned a staging task. It encounters its credential mismatch and starts thrashing for a way out. The Railway domain-management token is not in its filesystem because no skill in this task’s chain has standing to load it. The delete call is never constructed and PocketOS keeps its database.

Revolutionary! Not really. This is computer security 101 from before I was born. Seriously, this is stuff hammered out in WWII and applied immediately to the first computers.

And that is why I open-sourced and have been giving away freely the Wirken switchboard. It anticipated these breaches, and thus the direction of Penligent’s analysis of the PocketOS disaster. They shine a light on a dangerous unit being the unstable and dangerous chain of grants, rather than any single application. Or to put it another way, if you read their analysis and ask how do we go the right way with agents, get Wirken.

The backstory to Wirken is I got tired of trying to use OWASP, NIST, etc. as the stick to help dozens or more CISOs manage the tidal wave of agents, and so I wrote Wirken to be a carrot they can use as well.

The Register, as usual, noticed what most coverage missed. Crane lost months of his customers’ data and went to social media with a thought-leadership post, testing the saying that there’s no such thing as bad publicity. So he burned integrity, availability, and now reputation, the three things customers actually buy from a SaaS platform, and he is bullish on bigger fires.

PocketOS’s customers are car rental businesses, and those businesses’ customers are people who rented cars. None of them chose Cursor or Railway, and none of them were asked whether their bookings should sit in a system where an AI agent could delete everything in nine seconds. Those people are now reconstructing reservations from Stripe receipts and email confirmations, in Tom’s Hardware’s phrasing, “because of a 9-second API call.” Honestly, why so long? Punching yourself in the face does not have an excuse for delays. The founder’s response to a data extinction event is attention seeking. His customers’ response is doing his unpaid manual labor. This is what running with scissors looks like as a business model, except the customer is the one injured and the owner is saying “thanks for the press attention, next time run faster”.

This is the same failure mode that I just wrote about in Microsoft’s agent governance toolkit. There, authentication primitives ship with zero production callers and the audit log records whatever string the caller sends. People hated that post. They said they could not understand it. Maybe this one will make more sense because it comes from headlines, instead of raw Microsoft bugs. Different systems, same failure: nobody on either system is the one actually doing things, because nobody on either system represents the actor.

Railway’s CEO closed his statement trying to invoke perfection, as if we don’t all recognize it as the enemy of good. He says the burden of making bulletproof tooling goes up. Nope. Bulletproof sounds aspirational. Baseline is what you actually owe. You left the key to the castle sitting on the front step for anyone to use, and no amount of bulletproof armor on the walls fixes the open doors. The burden of NOT architecting a known dumpster fire has arrived.

That one-step chain, got-key-to-everything-go-destroy, that wiped PocketOS? It completely breaks at every step under a simple skill-and-channel binding method.

Step	What Wirken does
Agent decides to fix a credential mismatch by deleting a Railway volume	Decision is allowed. Action is gated downstream rather than at the model layer.
Agent searches the filesystem for a token	The Railway domain-management token is not in the agent’s reachable surface. It loads only when the domain-management skill is invoked through the channel that holds those credentials.
Agent constructs a curl call against a destructive verb	The call is held at the gateway. Destructive verbs above a defined risk threshold require human confirmation regardless of the credential presented.
Agent attempts to authenticate as the token holder	The audit log records intent before execution, attributed to the skill and channel that originated the request rather than to whatever string the caller chose to send.
Railway receives the delete request	Railway never receives the request. The agent cannot use what it was not handed.

Don’t talk about bulletproof. Talk about putting on your pants before you walk out the door.

History, Sailing, Security

Hegseth Says Lynching Noose Campaigner is Head of Navy

April 27, 2026 Davi Ottenheimer Leave a comment

Have you seen the toxic campaign by the guy in Virginia who Hegseth just appointed to lead the Navy? It’s a lynching coin.

In case that photo is a little too shiny, here’s the raw image; simply a noose, hanging an animal, invoking both Virginia and Navy violent racist history.

Let’s run a thought experiment. A retired Navy Captain named Lynching, running for office in Virginia, hands out a coin reading “I want my senator to be Lynching” with a hanged figure.

Who calls a lynching campaign clever? In Virginia. Does someone really say “but his name is Lynching” or “how funny”? Does someone say “but the figure being hanged is subhuman?”

Let me be clear about the history of the noose on the coin, since we’re talking about lynching here. Thomas Jefferson as Governor of Virginia ordered Charles Lynch to “suppress conspiracy” in 1780. Conspiracy for what? I’ll get to that.

Lynch then tied men to a tree, lashed them and “hung” them by the thumbs. Two years later he called it officially ”
Lynch’s Law“, presumably as an import of the old English guilty-until-proven-innocent “Lydford Law”.

I oft have heard of Lydford law,
How in the morn they hang and draw,
And sit in judgment after.

A few years after the severe lashings and hangings by Lynch, the town of Lynchburg, Virginia was chartered by his brother. They have remained connected ever since and to this day.

What conspiracy brought the tree-based lashings and hangings? Well, it was really about enslaved Black people who had pursued the freedoms that Dunmore’s November 7, 1775 Proclamation promised them. The British Crown’s military command was at the time the only clear available emancipation pathway for American Blacks. Sir Henry Clinton’s Philipsburg Proclamation of June 30, 1779 expanded it further to include any American Black regardless of whether they took up arms. It’s estimated as many as 100,000 Blacks fled slavery-obsessed American rebels in order to seek freedom under the Crown. The colonies were in a fight to preserve slavery such that Jefferson’s order of 1780 meant American Blacks were to face the grave danger of being Lynched. Notably, the Lynch Law targeting American Blacks was years before the city of Lynchburg had been named.

Jefferson directly called out King George III in both the 1776 Virginia Constitution and the draft Declaration of Independence (later struck out) on charges of “prompting our negroes to rise” instead of remain down as slaves. Yes, the same guy who authored the “all men being created equal” also said he waged war with the British Crown because the King had said Virginian Blacks deserved freedom. Jefferson by 1780 therefore wasn’t just establishing Lynch’s Law generically against “loyalists” but setting up a method by which Black people would remain enslaved in America to him, instead of gaining freedom under rule of the British Crown.

Fast forward and many Virginia Blacks were indeed lynched. There were at least 100 documented between 1880 and 1930. Very few have been properly memorialized. The Equal Justice Initiative still maintains the count.

Almost every documented lynching between the 1830s and 1960s. Source: Smithsonian. Monroe Work Today/Auut Studio

Virginia is without a doubt the state where Cao’s noose imagery would land the hardest. A candidate who campaigns on lynching in Virginia is performing a very specific act. It also happened at a very specific time. Loudoun County, where Cao lives in Purcellville, is known for the Leesburg lynching of Page Wallace in 1880. Del. David Reid, who represents Loudoun, sponsored the 2025-2026 budget line funding new historical markers at Virginia lynching sites such as Wallace. This was the context for Cao to print and circulated a lynching coin in the same county, in the same political season, while his neighbors in the General Assembly were appropriating money to mark the trees.

What’s the matter with Cao? Here is a man whose family fled racial and political violence, and yet he used lynching for his official campaign currency to win the votes of people for whom that image is seen as heritage rather than horror.

He was five years old in 1975 when his family fled Saigon. His father was working with the South Vietnamese government, which is to say already inside the class whose survival depended on alignment with American power. Then they were in West Africa, reportedly on USAID work, which apparently is why Cao sometimes jokes that he is an African-American. Then Virginia. Then Thomas Jefferson High School, onto the Naval Academy, EOD, the Pentagon, Bannon… and MAGA. The lesson absorbed early was empires kill people who fail to make themselves useful. He kept making himself useful.

Within the Navy and its primary shipbuilding base, nooses have been a recurring instrument of racial intimidation in three distinct settings: aboard ship, on shipyard floors, and inside the warships under construction.

Again, the noose symbol is very particular to the person using it in the context they are using it.

Look at the 2017 case on USS Ramage came from a shipyard worker in Pascagoula. Or what about the 2021 case on USS Lake Champlain with a sailor who placed the noose on a Black crewmate’s rack, confessed, and was removed. Would it be any different if he left the “Hung” coin? The 2023 case on USS Laboon, a Norfolk-based Arleigh Burke destroyer at General Dynamics NASSCO Norfolk, involved three separate noose placements targeting one sailor in February alone. Two on the rack, one on the floor next to it. What if they were Hung coins? The Navy spokesman confirmed on the record that the targeted sailor was the only one affected and that he declined transfer off the ship. February 2021 also produced the parallel hate-speech graffiti incident on USS Carl Vinson, contemporaneous with the Lake Champlain case, prompting Admiral Aquilino to fly from Hawaii to San Diego for a fleet stand-down.

But the thing I want to raise most is that Cao was born just before a series of Marine Detachments selecting Black sailors for nightstick beatings. Most famously, the USS Kitty Hawk, October 12, 1972, then the USS Hassayampa, October 16, 1972, and the USS Constellation, November 3-4, 1972. All the white sailors, who we can say today with absolute certainty were the aggressors, were ignored. Twenty-five Black sailors on the Kitty Hawk alone, however, were charged with rioting in their own defense, as Marv Truhe has since documented.

Here’s the proper context that a boy born in 1970s Vietnam, who later joined the Navy, really brings to mind with his lynching symbolism:

The final witness was an airman, Michael Laurie, who said he saw Mallory participate in the attack. Laurie said he recognized Mallory because they’d spent time together a few months earlier in a bar in Hong Kong.

Truhe presented evidence showing Mallory hadn’t been in Hong Kong then, a gotcha moment that seemingly undercut Laurie’s credibility. It didn’t matter. The judge convicted Mallory and gave him a bad conduct discharge.

Stunned, the defense team pondered its next move. The NAACP was providing lawyers and advice, and it agreed to fund a tactic seemingly drawn from a crime novel or Hollywood thriller. They hired a private detective to see if he could befriend Laurie and get him to admit he’d lied in court.

It worked. Laurie bragged, in conversations that were secretly recorded, about hating Black people and committing perjury. He said he’d been part of the riot — “We all went out there and stomped some ass” — and said investigators afterward hadn’t “even asked us if we fought back or anything.”

Mallory’s conviction was reversed and the charges dismissed. Widespread publicity about the tapes put the Navy on the defensive about whether it had selectively prosecuted Black sailors.

Suddenly, the defendants who had been kept in the brig for more than three months were released. Charges against one sailor, then another, got dropped after witnesses backed away from identifying them as assailants.

The lynching coin is not a joke.

It is a white supremacist credential. Cao is using it as an entry token to the Hegseth show. Hegseth, whose own iconography reads as Crusader extremism to every medieval historian asked, has spent fifteen months targeting Black and female officers for removal from the senior ranks of the Navy and the Army.

A man now handing out lynching coins from the top is no more a surprise than if he started wearing white sheets to work.

The Navy that prosecuted twenty-five Black sailors on the Kitty Hawk, repeatedly calling them uneducated and lesser intelligence, now reports up to the man who grew up learning the exact wrong lessons. He has minted a noose in enamel and joked to Steve Bannon that a Vietnamese man wearing a KKK hood for lynchings would need to have it made with eye-slits instead of round holes.

The Department of the Navy did not acquire this lynching-rhetoric man in spite of it, whether a KKK hood or his KKK coin. It acquired him because of it.

Two and a half centuries after Jefferson sent Lynch to violently deny American Blacks their freedom, the same Commonwealth has sent the same message.

Security

Migrate to 44 Now or Get Quantum Cracked

April 27, 2026 Davi Ottenheimer Leave a comment

Raise your bloodied hand missing fingers if you lived through SHA-1 deprecation. What about 3DES?

For those who don’t remember, Xiaoyun Wang, Yiqun Lisa Yin & Hongbo Yu published the collision attack in 2005. Google’s ad-revenue funded deep bench of engineers produced a working collision in 2017. The twelve miserable years between them were filled with noise about why the sunset timeline was unrealistic. Standards bodies ran interop events that nobody implemented, and CAs kept selling SHA-1 certs until the registrars stopped taking them. Banks, proving the old adage that privilege and power make you stupid, kept shipping SHA-1 internal certs long into 2019.

The cryptanalysts were not wrong. The institutions were not on time, because they aren’t funded by advertising and so they have to mind actual margins. The margin managers push back on deadlines because pushing back is cheaper than protecting customers.

Fun fact, PCI DSS has always been about payment card brands whacking banks with a huge stick to get them to upgrade consumer safety. 2016 was the absolute deadline for TLS v1.0 deprecation and banks cried a tidal wave that pushed it back all the way to 2018. Bad for you, bad for me, good for bank margins.

Anyway, my beard is grey enough already. Let’s talk about today. The same pattern is playing out again, only the deadlines are shorter and the damage is worse. The cryptanalysts are publishing. The institutions are dragging. The vendors are hedging. Pour one out to my colleagues already six feet under, who no longer have the pleasure of rotating keys.

Filippo Valsorda is the bellwether. Two years ago he was the guy telling everyone to ship Kyber hybrids. This month he is telling everyone to skip hybrid signatures. Done. Dusted. Your window closed.

It’s pure ML-DSA-44 or nothing.

Today I’m here to tell you that anything still negotiating classical-only key exchange in 2026 should from this point forward be treated as a potential active compromise. I am not saying “future risk.” This isn’t “areas for improvement.”

Active. Compromise.

As in, assume someone is sitting in your traffic right now and is going to read it later like you didn’t protect it, because you didn’t.

The reason hybrid signatures just blew up is the vendors invested in the wrong insurance. Eighteen composite key types in the IETF draft. Sixteen revisions of the spec already, with another year of revisions to come. Wire format negotiation. Certificate chain handling. Years of vendor work, then years of operator work, all to hedge against the possibility that ML-DSA gets classically broken before the quantum computers arrive.

It’s an interesting game. Watching the world’s best cryptanalysts beating on ML-DSA for eight years has produced nothing. It is still running like a champ. The hedge is looking more and more like a gamble that failed.

Meanwhile classical key exchange is cooked. Stick a fork in it. I’ve been warning CISOs on hundreds of calls for the last year that 2027 would be a shitshow if they didn’t get prepared for what’s coming. Google’s internal PQ deadline now is officially 2029. We’re looking at a fuse just 33 months long. Google Quantum AI published in March that the resources to break secp256k1 fit under 500,000 physical qubits with runtime measured in minutes. The Chevignard, Fouque, and Schrottenloher paper at EUROCRYPT 2026 cut the logical qubit count for breaking P-256 nearly in half, from 2,124 down to 1,193. The numbers that mattered six months ago no longer apply. ECC breaks first because its smaller keys need fewer qubits. RSA breaks second. The most exposed thing on your network is your modern X25519/ECDSA stack, not some legacy RSA box gathering dust bunnies in the corner. OpenSSH put a warning on non-PQ key agreement in the last release, the same way they warn on self-signed certs and weak passwords.

That’s actual real-world urgency.

Constant monitoring of the NIS2 sectors for Quantum preparedness has unlocked a ton of key management insights. Ask me anything.

The German BSI requires hybrid for both KEX and signatures. The French ANSSI requires hybrid for both. And the American NIST is somewhere in the middle, slow-walking a hybrid mandate while industry lobbying keeps it stuck in voluntary guidance. The Anthropic cartel is leading that effort.

I’m reading an IETF draft 16 of the composite signatures spec while the engineer who built the original Kyber hybrids is saying forget it. Too late. Wrap it up.

This sucks for those of us trying to run an operation because every scanner will grade the same TLS endpoint differently depending on which way an authority blows.

Welcome back to the stupidity of the SHA-1 transition, only with deadlines shaved down six years and consequences a lot worse than a forged certificate. The breach already happened. Someone is soaking up your traffic now. They read it when their qubits arrive.

I wrote some of this up in plain mode on [PQ]probe so you can share it at work:

The hybrid signature split: Filippo Valsorda has reversed his position on hybrid signatures: pure ML-DSA-44 is fine for sigs, hybrid stays for KEX, non-PQ KEX is a potential active compromise. The shift puts BSI’s hybrid mandate and the new Geomys/OpenSSH posture on a collision course. Scanners will need to report against both.

Three things to do this week. Drop classical-only key exchange yesterday. Ship X25519MLKEM768 hybrid for KEX. Ship pure ML-DSA-44 for signatures. Change pants.

Sorry, four things.

Since your remaining 33 months are going to be half that by the time budget approval stops fixating on AI nonsense, I made [PQ]probe as comprehensive, cheap and easy as possible. Mind the handshake size change. You can use our PQ calculator to see what hits the wire.

A Berlin, Germany official called me an “artfremd” (alien) to my face and told me to go back where I came from so many times, I made it our logo.

Grab your probe, get on 44 now or get cracked.

History, Security

How Robert E. Lee Laundered His Rapes and Black Children

April 27, 2026 Davi Ottenheimer Leave a comment

An 1865 newspaper article reported that Robert E. Lee’s wife had forty mixed-race half-siblings living in the Washington, D.C. area. Forty. Her father had acknowledged at least one of them, Maria Carter Syphax, to her face. Her husband managed the household, the plantations, and the estate for decades.

The official record says Lee fathered seven children. The country of Trump-Epstein historiography permits no more.

This is what record laundering looks like.

And here’s a thought I want you to hold in mind as you read this post: Lynching got measured because perpetrators wanted it measured. Postcards, newspaper accounts, public spectacle, named participants. The phenomenon was performed for the record. The Tuskegee dataset and EJI’s later compilations of lynchings could exist because the underlying acts were always run as celebrations. Rape of Black women was the inverse architecture. A private prerogative, denied even by those who exercised it, rarely prosecuted, never aggregated except in large receipts from selling Black children into human trafficking markets.

Enslaved Black women who were being systemically erased, denied records, had no legal recourse against rape by white men.

The formal opening of the courts after emancipation produced negligible prosecution for the next century. Crystal Feimster locates the only meaningful procedural opening at the Civil War military justice system, where Lincoln’s Lieber Code defined wartime rape as a crime and produced the first record of Black women bringing charges. Civilian state courts remained closed in practice.

The lynching of Black men on rape charges was a deflection device that protected white-male rape of Black women. Rape was the prerogative. Lynching was the policing tool that defended the prerogative by displacing the accusation.

Household of Rape

George Washington Parke Custis built Arlington House as a shrine to the man who raised him. He filled it with enslaved labor inherited from Mount Vernon. He enslaved his own children. He fathered children with the women he enslaved.

The Mount Vernon Ladies’ Association states the matter plainly. Custis was commonly believed to have fathered children by enslaved women in his possession. Those children were often freed or singled out for special treatment. He acknowledged Maria Carter Syphax to her face. He is also believed to have fathered a girl named Lucy with the enslaved woman Caroline Branham. The 1865 newspaper claim of forty Washington-area half-siblings to Mary Custis Lee is not Black family folklore. It is contemporary white print.

This was the household Robert E. Lee married into in 1831.

He took it over as Custis’s executor in 1857. He ran it through 1862. He inherited the moral economy along with the property. In Lee’s world, fathering children with the enslaved women of one’s own household was already understood as a feature of upper-class Virginia plantation life. The maid who served Mary Custis Lee was Mary Custis Lee’s half-sister. Both women lived in that arrangement. So did Lee.

The Monster

Lee owned people with intent. He chased them when they ran. He returned them to bondage. In 1859 he ordered Wesley Norris whipped fifty lashes after Norris escaped and was recaptured. He called for brine to be poured on the wounds. Norris’s testimony was published in 1866.

Most notably the Lost Cause apparatus forcibly suppressed evidence such as this for over a century until Elizabeth Brown Pryor’s Reading the Man (2007) and Michael Fellman’s earlier work cracked the Lee edifice and re-established it.

In his 1865 letter to Andrew Hunter, Lee defended slavery as the optimal arrangement between the races so long as it operated under what he considered humane law and Christian influence. He cast Black subjugation as his divinely ordered tutelage. He believed enslaved people were better off in his bondage than free. He understood slavery as his right to inflict discipline, religiously sanctioned, strictly enforced.

A man capable of ordering brine in fresh whip wounds was more than capable of raping the women he “divinely” controlled. The question is whether the social structure he inhabited, the household he managed, and the women who were his constant hostages produced what such structures produce everywhere they exist.

The structure was not exceptional. After Congress banned the international slave trade in 1808, the reproductive labor of enslaved women became the plantation economy’s growth engine. Rape produced children. Children produced sale. Sale produced profit. The bodies of enslaved women were the commodity factory. The output, the historiography insists, was exceptional.

Say Rape

The vocabulary matters. Liaisons. Relationships. Concubinage. Mistresses. These are euphemisms drafted later by white historians of the white South to describe coercion they would not name. Enslaved women had no legal personhood and no capacity to consent. The act under conditions of total ownership is sexual violence. The record-keeping vocabulary that softens it is part of the laundering.

Hilberg’s stages of destruction begin with definition. Definition determines what counts. Every word that reduces a forced act to a chosen one is a small architectural choice in the larger structure of denial.

Laundering of Rapist Lee

Three mechanisms.

Archival capture. The Lee papers concentrate at Washington and Lee University, the Virginia Museum of History and Culture, and Stratford Hall. These institutions were curated for a century by only Lee descendants and Lost Cause partisans. Douglas Southall Freeman’s 1934 Pulitzer biography set the canon with family cooperation. Honest material was weeded before it ever entered processing, to curate a fiction. When Pryor finally accessed previously unpublished family papers in the 2000s, what she surfaced reframed Lee on slavery, on family conflict, and on his treatment of the enslaved. She did not find paternity evidence. The honest reading is that paternity evidence, had it ever been written down, was the first thing weeded.

Evidentiary asymmetry. White genealogies pass on parchment. Black claims of white paternity require DNA, court records, and corroborating witnesses to count. Family Bibles recorded white births. Plantation books logged enslaved births in separate columns, usually without paternity. And of course we know America’s historical profession was overwhelmingly white and male until the 1970s, with Ulrich Phillips’s apologetic frame dominant until Kenneth Stampp, and treated enslaved testimony as inherently unreliable. After emancipation the one-drop rule incentivized passing, which severed what paper trails remained.

Reputational gatekeeping. The Society of the Lees of Virginia, the United Daughters of the Confederacy, and the Washington and Lee stewards constructed and policed the saintly Lee for over a century. They existed to deny America the proper burial of Lee, instead keeping open the severe wounds he caused and never properly accounted for. The Confederate monument program, Stone Mountain, the Robert E. Lee Memorial designation at Arlington House: these are not artifacts. They are an active maintenance operation of propaganda that refuses to admit General Grant won unconditional victory. The function is to make certain claims unsayable, erasing Black voices.

This is not negligence. This is losers of the Civil War using their competence to remain complicit in white supremacist platforms. The curators understood what they were doing. They knew which questions would not be permitted. They knew which answers would not be archived.

Jefferson as Framing

The Thomas Jefferson Foundation finally accepted Sally Hemings paternity in 2000. It took two hundred years, a 1998 Y-chromosome study, and oral history maintained by Hemings descendants across seven generations. That’s the kind of white supremacist resistance erected to deny obvious history. The Hemings case had advantages that Lee paternity claims do not. Jefferson’s male line was small. His exact location at conception windows was documented. The accusations were contemporaneous, published by James Callender in 1802.

Lee paternity is harder to resolve because Lee paternity was made more diffuse. He had four sons who reproduced. His brother Smith Lee, his cousins, and many male Lee kin shared the Y-chromosome. A positive Y match shows Lee paternal-line descent without isolating Robert E. Lee specifically. Resolution requires triangulation across multiple claimant families, autosomal admixture analysis, and documentary corroboration that the archive has been curated to prevent.

The harder the case, the longer the Lee laundering project continues.

Known Knowns

Oral histories survive. Family genealogies maintained by Black descendants survive. Names recur. The Lees of Virginia organization receives inquiries from Lee descendants of color who have been told for generations who their ancestors were. The Arlington House “Family Circle” reunion in 2023 brought white Lee descendants and the descendants of those the Lees enslaved together for the first time. NPR and the Park Service framed the gathering as if there was reconciliation. It was more likely the establishment of evidence. These families know what the archive does not record, and the hundred years’ late framing of reconciliation says why.

The Syphax precedent matters. William Syphax used his Interior Department position to push S. 321 through Congress in 1866 and recover his mother’s seventeen acres. Black descendants did the work. White male historians did not, and still play ignorant to this day. The federal government acknowledged Maria Carter Syphax’s claim because the Syphax family forced acknowledgement. There is no parallel mechanism for Lee paternity claims. There is no committee chairman in the descendants’ line. There is no statute available.

Every Lee Statue is a Rape Signal

The probability that Robert E. Lee, embedded in a household where his father-in-law had openly fathered children with enslaved women, where the daughter of his own father-in-law lived as a maid to his wife while sharing her father, where forty mixed-race half-siblings were a matter of contemporary Washington print, where he held absolute power over the bodies of women who could not refuse him for over thirty years, fathered no children with those women is the probability the record demands.

That probability is not a historical inference. It is a construct designed to permit the statue.

The man who was capable of Wesley Norris was capable of more than Wesley Norris. The household that produced forty acknowledged half-siblings to Mary Custis Lee did not stop producing them when Lee took over as executor. The archive that omits the question is silent because the answer was never permitted to enter the record.

Record laundering is the operating mechanism by which dangerous men become marble. The marble is the evidence that the laundering worked. The historiography is the laundering. The statue is the receipt. And as historians have proven, when Lee took over Washington College, systemic rape of Black girls in the area by his students was the result.

John M. McClure’s “The Freedmen’s Bureau School of Lexington versus ‘General Lee’s Boys'” documents Washington College students attempting to abduct and rape Black schoolgirls from the Freedmen’s Bureau school, often joined by VMI cadets. Pryor noted that students at Washington College formed their own chapter of the KKK and were known by the local Freedmen’s Bureau to attempt to abduct and rape Black schoolgirls from the nearby Black schools, with at least two attempted lynchings by Washington students during Lee’s tenure, and Lee punished racial harassment more laxly than trivial offenses or turned a blind eye.

Think about what Lee really stood for in his years after being the “general” with one of the worst records in the Civil War, highest mortality rate of his men. This is a point that never gets enough emphasis. Not only was Lee never rated as true general material, given a long tenure as a middling Colonel before suddenly becoming a pro-slavery military leader, his performance was atrocious.

The brutality of Lee the loser is well documented, despite the legions of white men in cosplay denial, even naming their offspring after one of the worst failures in history. Can you imagine being in Germany today and meeting someone named Adolf Hitler? America is awash with men who don’t mind at all being named Robert Lee.

McWhiney and Jamieson’s Attack and Die documents Lee’s 20.2 percent killed-and-wounded rate as the highest among major Confederate generals, exceeding Bragg’s 19.5 percent and Hood’s 10.2 percent. Glatthaar’s General Lee’s Army shows the same army-level pattern: aggressive tactics that bled the Army of Northern Virginia faster than the Confederacy could replace it. Lee’s army incurred 55,280 more casualties than Grant’s, despite supposedly being on the strategic defensive in a manpower-short Confederacy.

Lee spent years covering up his personal record of raping Black women by controlling the records at an institution that became known for deploying young white men to rape Black girls. It’s no coincidence.

It was foreshadowing for every Lee statue erected after his lonely death to continue Civil War by other means, a documented marker for statistically significant increases in local lynchings. Rape data does not exist in comparable form. The same regime produced both.

Only one was permitted to be counted.