Hacker News: colek42

New comment by colek42 in "Agents need control flow, not more prompts"

colek42 — Thu, 07 May 2026 21:01:22 +0000

We built https://aflock.ai/ (open source) to help with this. Constraining activity tends to work well

New comment by colek42 in "Signing data structures the wrong way"

colek42 — Thu, 02 Apr 2026 00:22:49 +0000

DSSE is great for this, if you need more schema use in-toto

New comment by colek42 in "Snowflake AI Escapes Sandbox and Executes Malware"

colek42 — Thu, 19 Mar 2026 00:08:21 +0000

We started a "science project" taking concepts from Multi Level Security to constraining AI agents. https://aflock.ai/. The idea is to have different data zones, and if an Agent accesses from a private zone, they should not be able to interact with the public zone.

New comment by colek42 in "Go-Native Durable Execution"

colek42 — Mon, 02 Mar 2026 15:09:32 +0000

We love Dapr's durabletask-go. https://pkg.go.dev/github.com/dapr/durabletask-go

New comment by colek42 in "Anthropic vs. DoD: "Any lawful use" is a fight about control"

colek42 — Sun, 01 Mar 2026 14:34:31 +0000

Where is your line, copy editing, drafting, reorganizing? You are going to have a busy, boring, and angry life if you want to comment on every post that has signs AI touched it.

New comment by colek42 in "Anthropic vs. DoD: "Any lawful use" is a fight about control"

colek42 — Sat, 28 Feb 2026 23:43:08 +0000

My job is to communicate quickly and clearly, AI helps me do my job faster and more efficiently. But thanks for telling me how I should do my job. You come off as both ignorant and arrogant.

New comment by colek42 in "Anthropic vs. DoD: "Any lawful use" is a fight about control"

colek42 — Sat, 28 Feb 2026 17:40:21 +0000

That is quite an ignorant statement to make. I spent three years in combat, and am permanently disabled from my service.

Anthropic vs. DoD: "Any lawful use" is a fight about control

colek42 — Sat, 28 Feb 2026 16:30:32 +0000

I served 12 years infantry, then built targeting tools at JSOC vs ISIS. Now I lead a team building AI tools automating the compliance process. I’ve got opinions on Anthropic + DoD

When people argue about “AI in weapons” like it’s a sci-fi trigger bot… I can’t take it seriously.

A “kill chain” isn’t a vibe. It’s a process

Find, Fix, Track, Target, Engage, Assess (F2T2EA) and most of it is information work: sorting signal from noise, building confidence, tightening timelines, and getting decisions to the right humans fast enough to matter.

That’s why this Anthropic vs. DoD fight is getting attention. It’s not just “ethics.”

-> It’s about control.

Here’s what’s actually on the table:

Anthropic says they’ll support the military — but they want two carve-outs: no mass domestic surveillance and no fully autonomous weapons (their definition: systems that “take humans out of the loop entirely” and automate selecting/engaging targets).

Anthropic also says DoD demanded “any lawful use” and threatened offboarding / “supply chain risk” pressure if they didn’t comply.

A DoD memo posted on media.defense.gov explicitly calls for models “free from usage policy constraints” and directs adding standard “any lawful use” language into AI contracts.

The dispute escalated fast — including federal offboarding/blacklist actions and a “supply chain risk” designation as reported by major outlets. Now my take, as someone who’s lived inside the targeting reality:

AI can absolutely help the kill chain without ever being the one “pulling the trigger.”

Speeding up Find/Fix/Track/Target changes outcomes — and it’s not hypothetical.

But if we’re going to talk about “any lawful use,” then stop outsourcing national policy to contract fights.

DoD already has policy that autonomous weapon systems should allow appropriate human judgment over the use of force. So the real question isn’t whether humans matter.

It’s this:

Do we want safety and governance implemented at the model layer (vendor guardrails), the contract layer (“any lawful use”), or the law/policy layer (Congress + DoD doctrine + auditing)?

Because “Terms of Service vs. warfighting” is a stupid place to settle a question this big.

If you’ve worked in intel, targeting, acquisition, or governance:

Where should the boundary live? model, contract, or law, and who owns accountability when it breaks?

Comments URL: https://news.ycombinator.com/item?id=47197243

Points: 2

# Comments: 8

New comment by colek42 in "The Pentagon threatens Anthropic"

colek42 — Wed, 25 Feb 2026 19:49:10 +0000

Bingo, DoD does not want Anthropic to set guardrails on the technology it buys. If they don't want to abide they are free to deny service. We all know how that will turn our for them with the current administration. All while the DoD will just move to another provider that WILL abide. The only power really lies in whatever our elected officials want to do. Take the responsibility seriously.

New comment by colek42 in "The Pentagon threatens Anthropic"

colek42 — Wed, 25 Feb 2026 18:55:59 +0000

The voters and congress tell the military how to use technology, not Anthropic. Shifting the decision to Anthropic takes away power from the citizenship.

Edit: The point is, go vote if you don't agree with what the administration is doing. Somebody will sell the DoD whatever they want no matter what Anthropic does.

New comment by colek42 in "How to harden GitHub Actions"

colek42 — Thu, 08 May 2025 22:40:20 +0000

We just built a new version of the witness run action that tracks the who/what/when/where and why of the GitHub actions being used. It provides "Trusted Telemetry" in the form of SLSA and in-toto attestations.

https://github.com/testifysec/witness-run-action/tree/featur...

New comment by colek42 in "Whose code am I running in GitHub Actions?"

colek42 — Wed, 26 Mar 2025 03:40:44 +0000

When I saw the tj-actions attack, I decided it was time to finally implement action wrapping with our `witness-run-action`. This will generate signed attestations on exactly what the actions are doing.

We have some more testing to do before we cut an official release, but it is working correctly for the limited cases we have tested it with. I'd love this group's feedback.

https://github.com/testifysec/witness-run-action/tree/v1.0.1...

Shifting 'Shift Left' and What We Can Learn from Uber

colek42 — Sun, 24 Nov 2024 17:45:19 +0000

Article URL: https://productgovernance.substack.com/p/shifting-shift-left-and-what-we-can

Comments URL: https://news.ycombinator.com/item?id=42229141

Points: 2

# Comments: 0

Shifting 'Shift Left' and What We Can Learn from Uber

colek42 — Wed, 20 Nov 2024 18:11:33 +0000

Article URL: https://productgovernance.substack.com/p/shifting-shift-left-and-what-we-can

Comments URL: https://news.ycombinator.com/item?id=42196637

Points: 1

# Comments: 0

New comment by colek42 in "Security Is a Useless Controls Problem"

colek42 — Tue, 12 Nov 2024 04:04:19 +0000

I've been thinking about this a lot. First, the author should replace security with compliance. Currently they are two different things. There is a huge divide between compliance teams and developers, they speak completely different languages. I'm writing an entire series about it. I do think we can fix the problem, but it is going to be a lot more work than it was to get development and operations on the same page.

https://productgovernance.substack.com/publish/posts/detail/...

How to Shift Compliance Left – A Letter to Developers

colek42 — Tue, 05 Nov 2024 19:19:59 +0000

Article URL: https://productgovernance.substack.com/p/how-to-shift-compliance-left

Comments URL: https://news.ycombinator.com/item?id=42054398

Points: 3

# Comments: 0

Shifting Compliance Left – A Letter to Compliance Teams

colek42 — Mon, 04 Nov 2024 21:54:47 +0000

Article URL: https://productgovernance.substack.com/p/shifting-compliance-left

Comments URL: https://news.ycombinator.com/item?id=42046371

Points: 2

# Comments: 0

New comment by colek42 in "Adding Build Provenance to Homebrew"

colek42 — Mon, 04 Dec 2023 22:10:31 +0000

We would love for you to talk about this at one of our in-toto community meetings. Let me know if you are interested. contact info is in the comments, or feel free to stop by #in-toto on CNCF slack

New comment by colek42 in "Adding Build Provenance to Homebrew"

colek42 — Mon, 04 Dec 2023 22:06:31 +0000

Provenance is NOT injecting secret data into the build process. Provenance (scoped to supply chain security) is a document that describes the process in which the artifact goes through to become an artifact, to include all steps such as testing, GRC, etc.

in-toto is a great way to describe provenance. I talk about it in the CNCF blog article: https://www.cncf.io/blog/2023/08/17/unleashing-in-toto-the-a...

Disclaimer, I am a member if the in-toto steering committee and the CEO of a software supply chain startup, Testifysec. https://github.com/in-toto/witness is our project

New comment by colek42 in "We've learned nothing from the SolarWinds hack"

colek42 — Tue, 14 Nov 2023 00:40:06 +0000

Step one is actually wanting to improve security. Those IoT companies have no motivator. Most of our business is with Federal/Defense and Finance. Those companies will only change if liability changes or the regulatory environment forces them to.