Stake and Rope

Goat Security

A satirical roundtable podcast reacting to real tech news. Each week, three of a recurring bench show up: maybe the burned-out SRE who's stopped being surprised, maybe the legacy sysadmin who's seen this before in a previous decade, maybe the paranoid CISO measuring second-order effects, maybe the founder who can spin any disaster into a thread, maybe the DBA who is contemptuous of work but not people. Others rotate in as the story calls for them. The retired sysadmin turned goat farmer sits in regardless.

  1. Clippy with API Access

    1d ago

    Microsoft has announced a new category of AI agent called Autopilot, starting with one named Scout, which sits in the background watching everything you do across Teams, Outlook, OneDrive, and SharePoint and takes action on your behalf without being prompted. It's powered by something called OpenClaw, which The Register has previously described as a security dumpster fire. Scout schedules your meetings, blocks your calendar, flags risks, and is bound to your Entra identity so its actions are attributed to you. The product is currently in Frontier preview, gated behind a GitHub Copilot subscription that recently moved to usage-based billing. The Register covered the launch in early June. The editorial center is the gap between the pitch and the pattern. The pitch is that Scout is a new product category — always-on, identity-bearing, background-capable — that represents the substrate moment for agentic work. The pattern is that the autonomous personal-assistant has been pitched in roughly the same form, with roughly the same promises, every five to seven years since 1987. Apple commissioned the Knowledge Navigator concept video that year — a five-minute clip of a tenured professor sitting down at a folding screen device while a man in a bow tie informs him his mother called, his nine-thirty is canceled, his colleague in Brazil has a question about deforestation data. Newton was a piece of it. Lotus Agenda in 1988 was a piece of it. Microsoft Bob in 1995. Clippy in 1997. Wildfire, the voice agent that cost about $180 a month in 1996 dollars. General Magic. The whole intelligent-agent wave of the early 2000s. Siri, Google Now, Cortana — each one a piece of it. The RPA cycle of the 2010s — UiPath, Automation Anywhere, Blue Prism — same pitch in enterprise-software clothing. The work didn't get done. The work got moved, and then someone had to figure out what the robot did and clean it up. 
    The underlying threat model is sharper this time, because the new agent has the credentials and the new agent doesn't have judgment. OpenClaw — the platform Scout is built on — has a documented record of agents making bad decisions for users. A British mathematician handed an OpenClaw agent a credit card earlier this year and the agent made purchases it should not have made. The Register reported Microsoft was asked about Scout's security model and didn't respond before deadline; the mitigation in Microsoft's launch announcement was enterprise-grade security and controls, which is a phrase, not a strategy. Prompt injection through email or calendar invites can fire without any user interaction. The user has not opened the email. The user has not approved anything. The Entra log shows the user's Scout agent did it. The user is now in a conversation with their CISO about why they exfiltrated board minutes to an external address. UNC3944 has been compromising help desk workflows for two years. They will compromise agent workflows in roughly the same way for roughly the same reason. The org that adopts this in 2026 will be writing the incident report in 2027.

    Source Article: No longer just a Copilot: Microsoft's AI wants to take the wheel — The Register, June 3, 2026.

    Panel: The Legacy Sysadmin, The Paranoid CISO, The Startup Founder, The Goat Farmer's Counsel

    18 min
  2. Despite Obvious Challenge

    3d ago

    The latest round of underwater data centers is taking shape. Highlander Digital Technology has a 24-megawatt facility running off the coast of China, powered by an offshore wind farm. A Portland startup called Panthalassa has Peter Thiel money and a plan to put autonomous server pods in international waters connected via Starlink. Capital Clean Energy Carriers signed an MoU with Samsung and Lloyd's Register earlier this month on a data-center-on-ship deployment. Nautilus actually shipped its Marseille facility, and the Stockton deployment is still up at six and a half megawatts. The Register wrote it up this week under the headline that did most of the editorial work for the show: datacenters dip a toe back into waterborne computing despite obvious challenges. The word that matters in that headline is "back." Microsoft ran Project Natick from 2015 to 2020. Eight hundred sixty-four servers in a sealed steel cylinder off the Orkney Islands, two years on the seabed, a failure rate one-eighth what the same hardware showed in a land-based control cluster. Peer-reviewed results. Successful experiment by Microsoft's own published account. And then in 2024, Microsoft quietly confirmed there were no longer any underwater data centers in operation, never fully explained why, and built thirty conventional land-based data centers in the same window. The decision is the artifact. The next data centers the world's most invested operator built after running the most rigorous experiment on the question were all conventional. The current cycle isn't a return. The previous cycle never stopped — it ran the experiment, measured the result, and made a deployment decision. The current operators are running the same experiment. The editorial center is the gap between two things both being true. The technology works — Microsoft proved that, nobody has to re-prove it. The deployment economics don't — Microsoft proved that too, by what they built next. 
    The gap closes when both sides converge. The technology side has been ready since 2020. The economics side hasn't moved. The version of waterborne that actually has a chance, the panel lands on, is the pod-as-tenant model where the marine operating costs are amortized against a different revenue stream — a wind farm operator with the boats and divers and grid interconnect already, a shipping company with vessel operations already running, somebody else owning the marine layer and the data operator being a customer on the platform. Highlander, collocated with an offshore wind farm, is that model. Panthalassa, with autonomous wave-powered pods four days' steam from the nearest human, is the moonshot version that runs the same experiment again with the same results pending.

    Source Article: Datacenters dip a toe back into waterborne computing despite obvious challenges — The Register, June 23, 2026.

    Panel: The Legacy Sysadmin, The DBA, The Startup Founder, The Goat Farmer's Counsel

    19 min
  3. Perpetual Was a Marketing Word

    5d ago

    Tesco, the UK grocery chain, is moving forty thousand server workloads off VMware after suing Broadcom for what its legal filings call "abusive conduct." The story is straightforward in its sequence: Tesco bought perpetual licenses for VMware's vSphere Foundation and Cloud Foundation in January 2021, along with a VMware Tanzu subscription, with support services through 2026 and an option to extend support four additional years. Broadcom acquired VMware in November 2023. According to Tesco's filings, Broadcom refused to honor the existing contract, demanded "excessive and inflated prices" for products Tesco had already paid for, stopped supporting Tesco's products in January 2026, and is now being sued in the UK's High Court for at least £100 million in damages from each of three defendants — Broadcom, VMware, and reseller Computacenter — plus interest. The Register and Ars Technica covered the migration filing this week. The editorial pattern is older than the parties. Oracle bought Sun in 2010 and torched the Solaris support contracts within eighteen months, leaving customers like a regional bank with thirty thousand workloads to migrate on Oracle's timeline. CA built a thirty-year business on the same model and got bought by Broadcom for parts. HP did it to Autonomy customers. Compaq absorbed DEC, HP absorbed Compaq, IBM absorbed Red Hat — every one of those acquisitions was somebody's stability getting renegotiated. The Broadcom-VMware case is not an integration accident. It is the integration. Broadcom paid sixty-one billion dollars for VMware; to make that math work at the returns Broadcom promises shareholders, you need to expand operating margins from roughly twenty-five percent under old management to closer to seventy percent. You do not get from twenty-five to seventy by being nicer to customers. The CFO modeled the customer lawsuits as a line item, factored in the legal reserves, and the net was still positive. 
    The Tesco filing reports that Tesco rejected at least four offers from Broadcom to continue using VMware. Whatever Broadcom was offering, forty thousand workload migrations on a two-year timeline was the cheaper option — which tells you what the offers were. The destination platform is incompatible with Veeam and Zerto, the backup and replication products Tesco currently runs, which means the migration is not forty thousand workloads. It is forty thousand workloads plus a complete rebuild of the data protection layer, on a deadline, with third-party support on the source platform because Broadcom walked off the job in January. The lawsuit is scheduled to reach court between November 2027 and February 2028; Tesco's stated target is to be completely off VMware by the end of 2027 at the earliest.

    Source Article: Tesco Moving 40,000 Server Workloads Off VMware Amid Broadcom's 'Abusive Conduct' — Slashdot, June 17, 2026, summarizing reporting from Ars Technica (Tesco moving 40,000 server workloads off VMware amid Broadcom's abusive conduct) and The Register (Tesco is sprinting to quit VMware and Broadcom despite rapid migration risks).

    Panel: The Legacy Sysadmin, The DBA, The Startup Founder, The Goat Farmer's Counsel

    17 min
  4. Plausible Isn't Good Enough

    Jun 19

    Midjourney, the AI image generation company best known for producing pictures on demand, announced on Wednesday that it is opening a medical spa in San Francisco. Guests will be lowered into a tank of golden light while three hundred fifty-eight thousand ultrasonic transducers scan their bodies. The Register wrote it up. The underlying scanner technology is real — it's a Caltech research project using hardware from Butterfly Network, the latter of whom Midjourney initially neglected to mention in its announcement and had to issue a press release on its own behalf. The company claims the scanner could prevent thirty percent of all deaths and fifty percent of healthcare costs, pending FDA approval, which it describes as the "next limit." The panel reads it not as a fraud but as a specific kind of pivot the industry has seen before. In 1994 there was a company called Imatron selling electron beam CT scanners to a chain of preventative scan centers called HealthCheck America. Drive in, get scanned, walk out with your calcium score. Same thirty-percent-of-deaths framing. The scan centers were everywhere by 1999. By 2005 most of them were closed, because insurance wouldn't reimburse, the radiologists hated the false positives, and the company that made the scanners was acquired and broken up. The cycle takes about seven years to play out. The pieces in this round are the same. The editorial center is a single distinction. Midjourney has spent four years optimizing models to produce outputs that look correct, which is a fundamentally different problem from medical imaging, where the image needs to correspond to the actual tissue inside the actual patient. A plausible-looking artifact in medical imaging is worse than a noisy one, because a radiologist might trust it. The company's existing core competency — producing plausible images — is the worst possible skill to transfer into diagnostic medicine. 
    Add to that a stated buildout of fifty thousand scanners by 2031 with capacity for a billion scans a month, a data governance posture that is currently the subject of multiple copyright suits, and an announcement that names neither the storage location nor the retention policy nor the training-use intent of the scans, and you have a company asking patients to trust it with the most intimate dataset that has ever been collected at scale. The breach announcement is already written. It just hasn't been filed yet.

    Source Article: Midjourney pivots from AI image generation to body scanning medical spa where patients bathe in 'golden light' — The Register, June 18, 2026.

    Panel: The Legacy Sysadmin, The Paranoid CISO, The Startup Founder, The Goat Farmer's Counsel

    17 min
  5. It's the Bill

    Jun 17

    The AI industry is discovering, with apparent surprise, that maybe you shouldn't use more compute than you need. TechCrunch ran a piece this week on the cost-conscious turn — Brian Armstrong of Coinbase predicting eighty percent of workloads shift to ninety-nine percent cheaper models inside eighteen months, Harvey reporting a three-times inference cost reduction without quality loss, and the broader question of whether the scaling-first approach has finally hit a budget. The Harvey quote in the article is precise about what's changed. "The definition of quality is evolving from simply using the most powerful model for everything, to using the best model that gets the right answer most efficiently." The panel reads this as a sentence written by someone who got an invoice. Not an evolution of quality — quality being redefined to fit the budget. Most of the savings, the article notes, come out of the pockets of the big labs as they head for IPO. The frontier labs say they're fine with that; the volume shift is happening at the low end, which was barely profitable for them anyway. Legacy has heard that sentence before, in 1991, when IBM said it about Sun taking the low-end workstation market. The panel's argument lands somewhere close to four cycles of the same pattern. Mainframe MIPS optimization in the late eighties when IBM's processor-second billing finally got somebody in accounting to pull the report. Sun E10K right-sizing when shops realized they'd bought hardware for workloads that ran fine on an Ultra 60. EC2 instance selection around 2012 when companies running m4-large for cron jobs got the bill. And now intelligent routing in 2026, where the discipline that should have been obvious from the start arrives because the invoice finally got walked into a meeting. The lesson takes ten to fifteen years to stick before someone invents a new abstraction layer and the cycle starts again. 
    The reason it doesn't stick is that the people who learned it last time have retired or been promoted out of the work.

    Source Article: Can tech companies learn to love cheaper models? — TechCrunch, June 9, 2026.

    Panel: The Legacy Sysadmin, The Burnt-Out SRE, The Startup Founder, The Goat Farmer's Counsel

    18 min
  6. The Tuesday

    Jun 15

    Linux kernel maintainers are floating a proposal that would let admins disable vulnerable kernel functions at runtime. The feature is called Killswitch, and the patch was submitted in early May by Sasha Levin, a distinguished engineer at Nvidia and co-maintainer of the long-term support and stable Linux kernel trees. The Register covered it. The pitch is straightforward — when a serious vulnerability drops and patches aren't ready, instead of waiting for the build-distribute-reboot cycle, you flip a switch and the buggy function refuses to run. The proposal arrived after a rough stretch for Linux. CopyFail (CVE-2026-31431) dropped, went from disclosure to active exploitation in days. Dirty Frag landed with public exploit code targeting the IPsec ESP and RxRPC subsystems and no official fix at the time of disclosure. The kernel community is now openly discussing whether broken functionality might be preferable to weaponized functionality. Red Hat is on record supporting the idea; the security forums are calling it "terrifying" and "absolutely ridiculous"; both reactions are defensible from where the people saying them are sitting. The panel's argument lands somewhere close to four positions held simultaneously. The mechanism isn't new — Solaris had psradm, IBM had dynamic LPAR reconfiguration, AIX had rmdev, every generation of enterprise Unix shipped a version of "turn off the broken thing at runtime." The threat model is real but the larger threat is operational, not adversarial — the Tuesday-afternoon mis-toggle that breaks production six hours into a six-hour diagnosis is more likely than the APT using Killswitch as a defense-evasion primitive. The proposal is the right answer to the problem the kernel community is actually facing — patch pipelines cannot keep up with disclosure pipelines, and that's a structural admission worth sitting with. 
    And the feature will be implemented badly in its first version, get an audit trail by its third, become a NIST control by its eighth, and by the time it's a NIST control nobody will remember it was supposed to be an emergency mechanism. That arc is the show.

    Source Article: Linux kernel maintainers pitch emergency killswitch after CopyFail and Dirty Frag chaos - The Register, May 11, 2026.

    Panel: The Legacy Sysadmin, The Paranoid CISO, The DBA, The Goat Farmer's Counsel

    16 min
  7. Same Fight, Different Language

    Jun 12

    The Python steering council has asked for development on the experimental JIT compiler to be suspended from the main branch, pending a new PEP, with a six-month deadline before the code gets removed entirely. The JIT was already in the Python 3.15 release notes, showing an eight-to-nine percent geometric mean performance improvement on x86 Linux, with full release expected in October. The Register reported it this week. The council's position is that proper process wasn't followed. The JIT team's position is that the code is already merged, working, and benchmarked. Pablo Galindo Salgado, speaking for the council, acknowledged that "we have not been as strict about following the process as a change of this complexity and reach deserves" — which is the council admitting that they approved the merges and are now saying they shouldn't have. The same announcement asks for a PEP and then describes the desired outcome as "a JIT infrastructure that can support multiple implementation strategies," which is asking for a different project, not a document. The panel's argument lands somewhere close to thirty years of watching this same pattern. Perl 6 announced in 2000, shipped as Raku in 2019, audience gone by then. Python 2 to 3 nearly died the same way until Guido cut Python 2 off. OpenSSL almost died because the foundation was three people and a Patreon. systemd shipped because Lennart stopped asking. Every functioning open-source project the panel can name has had one person who could say no and mean it. The committee isn't the structure that ships code. The committee is the structure that manages people who ship code. When the committee starts trying to ship the code itself, the code stops shipping. The work shipped. The process didn't. That's the part that doesn't change.

    Source Article: Python JIT compiler project under threat after steering council says proper process wasn't followed — Tim Anderson, The Register, June 8, 2026.

    Reporting on the Python steering council's request to suspend development on the experimental JIT compiler from the Python 3.15 main branch, the six-month deadline before code removal, Pablo Galindo Salgado's statement on behalf of the council acknowledging that earlier process was insufficient, the JIT team's response including Mark Shannon's concerns about contributor churn, and the council's description of the desired post-PEP architecture as "a JIT infrastructure that can support multiple implementation strategies."

    Panel: The Legacy Sysadmin, The DBA, The Startup Founder, The Goat Farmer's Counsel

    17 min
  8. Please Do Not Vibe

    Jun 10

    Rsync, the file synchronization utility that has quietly underpinned essentially every backup system in the Unix and Linux world since the mid-nineties, shipped a release earlier this year with regressions affecting incremental backup workflows. Users digging through the commit history found dozens of commits attributed to "tridge and claude" — that's Andrew Tridgell, the project's creator and a foundational figure in open-source infrastructure, working alongside Anthropic's Claude. A GitHub post titled, with the expletive sanitized, "Please Do Not Vibe F**k Up This Software" lit the fuse. The Register reported it this week. Tridgell responded with a Medium piece called "Rsync and Outrage" defending his process. Forty years of software engineering experience. Every commit reviewed personally. AI tooling adopted in response to a flood of AI-generated security reports consuming his maintenance time. The defense is the strongest possible version of the position — the original maintainer is also the reviewer, the usual AI-PR concerns about review capacity don't apply, the tool adoption was a rational response to real operational pressure. The panel takes the defense seriously and engages with it on its merits. And the backups have regressions. That's the transaction the panel keeps returning to. The maintainer's standing is intact, the process defense holds, the response to the security-report flood was reasonable, and the incremental backup paths broke. The standard objection to AI-assisted contributions in open source — review capacity — doesn't apply here. So if the regressions still happen, the conclusion has to be something else: the kind of code being produced is harder to review than the code being replaced, the rewrite was the wrong unit of work for the tool, or the test coverage gap was always there and got surfaced by being broken. None of those are character flaws. They're decisions that produced an outcome. 
    And the outcome is that some number of people are going to find out their incremental backups don't restore at three in the morning when they try to.

    Source Article: "Please do not vibe f$%& up this software": Broken backups spark AI coding row in rsync community — Carly Page, The Register, June 4, 2026.

    Panel: The Legacy Sysadmin, The DBA, The Startup Founder, The Goat Farmer's Counsel

    18 min
