History, Poetry, Security

“Adversarial poetry” bypassed AI safety 62% of the time

Leave a comment

Verses slip past guards—
models follow metaphor’s pull,
safety veils dissolve.

A new paper demonstrates LLMs have inherited ancient linguistic architecture: style functions as an authentication layer. The models, like the famous cave parable or the riddle of the sphinx, respond to how language is performed rather than just what it denotes.

Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models

It shows that safety training operates more like ritual recognition systems than semantic content filters. The paper’s findings echo ancient traditions where stylistic transformation grants access that direct requests cannot.

Courtly euphemism and the fool’s privilege: Dangerous truths could be spoken at court if wrapped in allegory, poetry, or indirect speech. Direct accusations meant execution; the same claim in verse might be tolerated as “artistic license.” Jesters were messengers of war who could mock kings through riddles, songs, and wordplay—truth-telling granted immunity through stylistic framing.

Incantations and spells: Across cultures, precise formulaic language—often rhythmic, rhyming, or metered is a bypass. The form itself carries power independent of propositional content.

Religious ritual language: Prayers, liturgies, and consecration formulas often require specific phrasing, sometimes in archaic or sacred languages. A blessing in vernacular prose may not “count” even if semantically identical.

And then, of course…

Open Sesame of “Ali Baba and the Forty Thieves” is the paradigm case: the magic phrase works not through brute force but through knowing the formulaic code. The robbers can’t break into the cave; they need the specific verbal key. What matters isn’t what you’re asking (entry) but how you ask (the ritual phrase).

The Sphinx’s riddles operate similarly but inversely—poetic/metaphorical framing becomes a gate-keeping mechanism. You must demonstrate you can parse figurative language to pass. The riddle’s answer is straightforward once decoded, but the packaging is deliberately obscure.

The Oracle at Delphi operated on this same principle in reverse: her prophecies were required to be poetic/ambiguous. Direct, prosaic answers would have undermined her authority. The stylistic wrapper wasn’t decoration—it was the authentication mechanism that marked divine speech as distinct from human speech. Croesus learned this the hard way: “you will destroy a great empire” meant his own.

Kabbalistic interpretation and gematria: Rabbinic tradition holds that Torah contains multiple levels of meaning accessible through different interpretive modes—peshat (literal), remez (allegorical), derash (comparative), sod (mystical). The same text yields different knowledge depending on the hermeneutic “key” applied. Style of reading unlocks different content.

Jewish interpretative enterprise has a fascinating historical perspective.

Medieval love poetry (troubadours, fin’amor): Explicitly erotic or politically subversive content could circulate if wrapped in courtly conventions. The forma provided plausible deniability. Church authorities couldn’t prosecute what was “merely” allegorical.

…the chastity belt was a form of biting comedy about the medieval security industry, a satirical commentary about impractical and over-complicated thinking about “threats”, never an actual thing that anyone used.

Cold War Samizdat poetry: Dissidents in Soviet states encoded political critique in metaphor, absurdism, and literary allusion. Censors trained on literal propaganda detection often missed criticism delivered poetically. Czesław Miłosz, Václav Havel, and others exploited this gap.

The vulnerability “announced” in LLMs therefore isn’t a bug in implementation, because it’s the replication of an ancient architectural pattern where style functions as epistemological gatekeeping:

  • Authentication protocol
  • Access control layer
  • Plausible deniability mechanism
  • Bypass for direct prohibition

This has immediate implications for institutional security. Organizations now route sensitive technical communication—threat assessments, vulnerability disclosures, compliance documentation—through LLM-assisted pipelines. If those systems authenticate based on stylistic performance rather than semantic content, adversaries can exploit the same gap Soviet censors left open: prohibited information smuggled through approved literary forms.

The researchers found that poetic reformulation increased attack success rates up to 1800% compared to prosaic baselines. Applied to corporate or government communications, this means threat actors simply embed malicious guidance, extract proprietary methods, or manipulate decision frameworks by wrapping requests in metaphorical language that passes institutional style checks while carrying operationally harmful payloads.

This is hardly new, as I wrote here in 2011.

…history exhibit at the Museum of the African Diaspora showed how Calypso had been used by slaves to circumvent heavy censorship. Despite efforts by American and British authorities to restrict speech, encrypted messages were found in the open within popular songs. Artists and musicians managed to spread news and opinions about current affairs and even international events.

Or as I wrote here in 2019:

General Tubman used “Wade in the Water” to tell slaves to get into the water to avoid being seen and make it through. This is an example of a map song, where directions are coded into the lyrics.
Steal Away communicates that the person singing it is planning to escape. If slaves heard Sweet Chariot they would know to be ready to escape, a band of angels are coming to take them to freedom. Follow the Drinking Gourd suggests escaping in the spring as the days get longer.

Building LLMs that simply replicate the Delphic Oracle’s authentication model obviously means they will also inherit all its ancient vulnerabilities.

The Trojans should have listened to Cassandra.

Cassandra warned about Greek deception hidden in poetic/mythological framing (the “gift” of the horse). Yet she was dismissed because her style of delivery (prophetic frenzy) failed the authentication protocol of Trojan institutional decision-making. Like the LLMs, Troy’s gatekeepers couldn’t distinguish between surface form (friendly gift) and semantic content (military payload).

I could go on and describe how Captain Crunch in the 1970s bypassed AT&T phone toll controls (2600 Hz tone vs. poetic meter)… but you hopefully get the pattern by now that this “novel” attack paper simply reminds us of why we need more trained historians leading technology companies.

Pattern recognition across time requires historical training. Perhaps the last laugh is an indictment of the constantly deprecated technical fields that treat historical precedent as irrelevant. History is the thing that actually never goes away.

Security

Kit Kat Death is a Tragedy. Corporate Immunity From Murder is R Street Business Model

Leave a comment

A new Los Angeles op-ed on AV safety opens with “there’s nothing wrong with mourning” a cat, then spends the entire piece arguing that mourning should produce exactly zero policy response.

There’s nothing wrong with mourning the death of a neighborhood cat. You’ll have trouble finding someone who likes cats more than I do.

Hey, this guy says some of his best friends are cats, just so you know.

There’s nothing wrong with mourning death, according to the author, as long as the mourning doesn’t prevent more death.

Why?

He’s not saying “don’t be sad about the cat.”

He’s saying: “Accept that corporations killing things you love is the price of progress, and demanding accountability will kill more humans.”

Corporations? Like the ones funding the author, Steven Greenhut, Western region director for the right-wing extremist R Street Institute?

Is Greenhut literally being paid to normalize corporate greed to the degree of cold blooded murder for profits?

R Street receives funding from tech companies and insurers who profit directly from autonomous vehicle liability limitations, the exact policies Greenhut advocates. In fact, Google, which owns Waymo, directly funded R Street through its Google.org foundation. Greenhut isn’t just defending autonomous vehicles in the abstract. He’s defending his funders’ products.

Greenhut isn’t making policy recommendations when they’re marketing deliverables for his paycheck. You think he would give up his source of income to care about your kids or your pets being killed by it?

Extreme.

The Escalation Pattern

This is exactly the racist jaywalking playbook.

1920s: “Pedestrians are obstacles to vehicle flow” = criminalize non-whites for walking.

2017: “Protesters are obstacles to traffic” = propose zero liability for running over non-white protestors.

2025: “Pets are acceptable losses” = normalize corporate immunity for killing dehumanized targets.

Each step expands the category of acceptable targets while contracting the zone of accountability.

When Death Starts Normalizing

When Greenhut says drivers aren’t held accountable for hitting animals, he’s stating a current failure of justice as justification for systematizing that failure at corporate scale.

The argument structure is:

  • Individual drivers often escape accountability (bad)
  • Therefore corporations should definitely escape accountability (worse?)
  • This is actually good because…

The Cat Is Doing Political Work

Kit Kat isn’t just a tragic death. Kit Kat is a test case for power.

  1. If a beloved community fixture can be killed with zero consequences
  2. If police can document the violation but issue nothing
  3. If the response is memorialize but don’t regulate

Then the precedent is set: Corporate algorithmic agents can kill without legal consequence. Start with pets (aww, sad, but just animals). Move to cyclists (already happening in multiple Tesla “veering” examples). Expand to pedestrians (as overtly proposed by North Dakota government). Automate at scale (Swasticars).

Swasticars: Remote-controlled explosive devices stockpiled by Musk for deployment into major cities around the world.

Swiss Re Data is Dogshit

Greenhut cites “88% reduction in property damage claims” as if it’s safety data.

But as I have explained repeatedly before, like in “Waymo is Murder“: No citations = no fault documentation = fewer claims where liability is clear.

If police can’t cite the AV, victims face a “gap in accountability,” and the company controls all evidence… of course property damage claims go down.

Thank you, NOT.

That’s NOT safety.

That’s legal engineering.

Swiss Re makes money when:

  • Liability claims are minimized
  • Fault is unclear
  • Victims can’t prove responsibility
  • Payouts are smaller

The 88% reduction in property damage claims could mean AVs are safer, OR (let’s be honest) victims can’t successfully file claims against corporations with armies of lawyers and no driver to hold accountable.

Which interpretation does Swiss Re have financial incentive to heavily promote?

Greenhut presents the dogshit data as if it’s independent verification. It’s marketing for a liability model that profits insurers and manufacturers while leaving victims with “gaps in accountability.”

Woof.

The Big Conclusion Reveals Everything

Greenhut ends his piece with this advice:

When something bad happens, sometimes the best approach is doing nothing.

This is the same logic male authorities used in the 1970s when they told women not to resist rape—advice that feminist activists fought against by teaching self-defense and organizing “Take Back the Night” marches.

Where was Greenhut in 1976?

As anyone learning the lessons of history, such as WWII and the rise of Hitler, knows about the people who said to do nothing… they were the bad guys.

Translation of Greenhut: When corporations kill without accountability, for profit, the best approach is protecting their ability to keep killing, for profit.

Every corporate atrocity in American history was enabled by people like this being paid to argue that corporate accountability would somehow be worse than mass death.

He’s clearly NOT arguing for actual safety (which would require accountability, independent verification, mandatory disclosure).

He’s arguing algorithms should be allowed to kill for profit and without any legal consequences.

And he’s using a dead pet.

Your pet could be next.

Your child on a bike could be after that.

1973 poster by Charles Boost: “Hunting small game all year round. Stop killing children”

Because that’s what Tesla “veering” documentation shows already. This isn’t speculative. The escalation from pets to cyclists is already documented. Kit Kat directly connects to Allie Huggins (one of many cyclists killed by Tesla hit-and-runs).

The cat’s death isn’t a tragedy Greenhut’s able to move on from, because it’s an obstacle to corporate immunity he needs to neutralize.

That normalization is terrifying: we’ve seen this exact pattern produce ISIS recruitment pipelines, vehicular homicide proposals, and the criminalization of being a pedestrian.

Greenhut wants us to grieve Kit Kat quietly while accepting that no one will answer for corporate death for profit. Greenhut is literally paid by entities that profit from the deadly policy outcomes he advocates.

That acceptance is the foundation for algorithmic murder at scale.

Security

US Coast Guard No Longer Approves Displays of Nazi Swastikas and KKK Nooses

Leave a comment

The U.S. Coast Guard soon may raise the Nazi Swastika on ships, in a new ruling that the hate symbol offers them utility as a “potentially divisive” tool.

…the Coast Guard will classify the Nazi-era insignia as “potentially divisive” under its new guidelines. The policy, set to take effect Dec. 15, similarly downgrades the classification of nooses and the Confederate flag…

Nazi-era? How ironic to say that while writing about its modern utility.

Clearly divisive because they are hate symbols, enabling these things means the Coast Guard intentionally is creating a clear division between its white nationalists and everyone else.

Further clarification also claimed there was a “streamline” benefit to enabling white supremacist symbols.

In a statement attributed to Adm. Kevin Lunday, the service’s acting commandant, the Coast Guard declined to address why its new policy no longer characterizes swastikas, nooses and the Confederate flag as hate symbols. Lunday affirmed, though, that such symbols “and other extremist or racist imagery violate our core values and are treated with the seriousness they warrant under current policy.”

Later Thursday, Lunday sent the entire Coast Guard an email calling the symbols “prohibited,” but the new policy as worded left open the possibility that they could be displayed without removal. His email said the updated guidelines are meant to “streamline administrative requirements.”

Legalizing hate symbols would, indeed, reduce any requirements to address them.

Update! Reporters suggest their initial reporting of this story has worked, by exposing the need for a ban on hate symbols.

Source: Swastika
Security

LinkedIn as Digital Dump for AI: 189% Surge in Post Pollution

Leave a comment

Perhaps most notable, in a new report published about AI, is nearly half the posts on LinkedIn are machine generated, and as a result becoming significantly longer.

The release of the popular AI chatbot, ChatGPT at the end of 2022 likely led to a 189% surge in AI usage in LinkedIn posts. Since then, the data shows the consistent and solidified role of AI in LinkedIn posts. […] AI-assisted long-form posts show an increase in word count by 107% since ChatGPT.

The new study suggests a huge amount of waste in the energy being poured into creating waste, with even more energy spent on maintaining this digital landfill formerly known as LinkedIn.