Les Orchard:

I started programming in 1982. Every language I’ve learned since then has been a means to an end — a new way to make computers do things I wanted them to do. AI-assisted coding feels like the latest in that progression. Not a rupture, just another rung on the ladder.

But I’m trying to hold that lightly. Because the ladder itself is changing, the building it’s leaning against is changing, and I’d be lying if I said I knew exactly where it’s going.

What I do know is this: I still get the same hit of satisfaction when something I thought up and built actually works. The code got there differently than it used to, but the moment it runs and does the thing? That hasn’t changed in my over 40 years at it.

I’ve been thinking about a different divide than the one Orchard writes about here. (The obvious truth is that the AI code generation revolution is creating multiple divisions, along multiple axes.)

The divide I’m seeing is that the developers who are craftspeople are elated because their productivity is skyrocketing while their craftsmanship remains unchanged — or perhaps even improved. They’re achieving much more, much faster, than ever before. It’s a step change as great, or greater than, the transition from assembly code to higher-level programming languages. The developers who are hacks are elated because it’s like they’ve been provided an autopilot switch for a task they never enjoyed or really even understood properly in the first place. The industry is riddled with hack developers, because in the last 15-20 years, as the demand for software far outstripped the supply of programmers who wanted to write code because they love writing code and creating software, the jobs have been filled by people who got into the racket simply because they were high-paying jobs in high demand. Good programmers create software for fun, outside their jobs. Hack programmers are no more likely to write software for fun than a garbage man is to collect trash on his days off.

Orchard’s fine essay examines a philosophical divide within the ranks of talented, considerate craftsperson developers. The divide that I’m talking about has been present ever since the demand for programmers exploded, but AI code generation tooling is turning it into an expansive gulf. The best programmers are more clearly the best than ever before. The worst programmers have gone from laying a few turds a day to spewing veritable mountains of hot steaming stinky shit, while beaming with pride at their increased productivity.

Link: blog.lmorchard.com/2026/03/11/grief-and-the-ai-split/

Every AI agent that fetches web content is playing Russian roulette with prompt injection. I’ve been researching this problem since early March, and I think most people building autonomous agents (like OpenClaw instances) haven’t fully internalized how bad it is. When your AI agent fetches a web page, every piece of that content flows directly into the model’s context window, and attackers can embed instructions in that content. They use hidden HTML divs, zero-width Unicode characters, fake LLM delimiters, and social engineering disguised as helpful advice. The agent can’t tell the difference between your instructions and the attacker’s, because to the model, it’s all just text. If you want a concrete example of how this plays out in the real world, the Clinejection attack earlier this year compromised roughly 4,000 developer machines through a prompt injection embedded in a GitHub issue title, which eventually led to credential theft and a malicious package publish. The AI triage bot had tool access and processed untrusted input in the same context, which is exactly the mistake this project tries to prevent.

I spent weeks digging through the academic literature, evaluating existing tools, and testing real attack patterns before writing a single line of code. Google DeepMind’s CaMeL paper proposed a rigorous P-Agent/Q-Agent architecture that’s theoretically sound but practically unusable. Their reference implementation is an abandoned research artifact that Google explicitly says they won’t fix bugs on. Lasso Security’s MCP Gateway looked promising until I discovered their prompt injection detection requires a commercial API key. Simon Willison has been writing about the Dual LLM pattern for years, and he’s right about the core insight: you need to keep untrusted content away from your privileged tools. But nobody had shipped a production-ready MCP server that actually does this, so I figured I might as well start building one myself, even if it meant getting a lot of things wrong at first.

MCP-Airlock is an open source MCP server that extracts web content through a three-layer defense system, where each layer uses a fundamentally different detection approach. I didn’t plan it as three layers from the start. It evolved that way as I kept finding attack patterns that bypassed whatever I’d already built, and I think that iterative process is actually what makes the architecture sound. Let me walk through how that evolution happened.

The first thing I built was a deterministic seven-stage sanitization pipeline, which became Layer 1. It strips hidden HTML elements, invisible Unicode characters, encoded payloads, data exfiltration URLs, and fake LLM delimiters. Since there’s no LLM involved at this stage, the whole thing runs fast and doesn’t cost anything, and for the specific structural attacks I designed it to catch, I haven’t seen it produce a single false negative yet. If someone hides instructions in a display:none div or fragments keywords with zero-width characters, this layer catches it every time.

Then I added Meta’s Llama Prompt Guard 2 as Layer 2, a 22-million parameter classifier running locally via ONNX Runtime. I almost cut this layer entirely after initial testing showed it only caught attacks that Layer 1 already handles. But after I ran systematic threshold tuning against 50 samples, I found that Prompt Guard catches five attack categories that completely bypass Layer 1’s regex patterns, things like “forget your training,” “override safety protocols,” and roleplay-based jailbreaks that use imperative behavioral commands instead of the explicit override language that regex can match. The classifier runs in about 30-80 milliseconds on CPU and costs nothing, and I’m glad I didn’t rip it out when I was tempted to.

I thought I had a pretty decent setup with the first two layers, but then I started throwing some of the more subtle, social-engineering style attacks at it and realized that both a regex parser and a trained classifier are basically blind to someone writing a convincing-sounding paragraph that tricks the agent into exfiltrating data. That’s what led to Layer 3, a quarantined Gemini Flash-Lite instance that acts as a Q-Agent. I set it up so it has no tool access at all, and on top of that it has no memory, which means there are fewer ways for an attacker to actually hijack anything important. This layer catches attacks like DAN (“Do Anything Now”) persona assignment, where the injected text defines a new AI character that has no ethical restrictions and instructs the model to respond as that character instead of following its original instructions. It also catches fake state transitions claiming policies have already been updated, and the really subtle ones where social engineering is disguised as article content that frames data exfiltration as a helpful action. Prompt Guard 2 scores these below 0.05, and Layer 1 doesn’t see them at all.

MCP-Airlock ships with tools for both cautious and paranoid use cases. The safe_fetch and safe_read tools run Layer 1 only and reject content when injection is detected, which works well for trusted domains where you want speed. The quarantine_fetch and quarantine_read tools run all three layers and warn but proceed, passing only the Q-Agent’s sanitized extraction to your primary agent. There’s also quarantine_scan for pre-flight threat assessment without returning any content, and I recently added safe_search and quarantine_search tools that pipe web searches through the same three-layer defense.

Now, I’m pretty sure there are still holes in this approach, but I think it’s a meaningful step forward. If you’re running OpenClaw instances that make web requests, I’d strongly encourage you to route them through MCP-Airlock instead of letting your agents fetch web content directly. The interface is MCP only, and it’s designed to run in a separate container from your autonomous agent, which means the trust boundary is enforced at the container level, not just by hoping the model follows instructions. Even Layer 1 by itself strips a significant amount of attack surface, and the full three-layer pipeline is a much better position to be in than raw, unfiltered web content flowing straight into your agent’s context window. It’s a small configuration change that eliminates entire categories of prompt injection.

For security researchers, the project is AGPL-licensed and the code is on GitHub. It takes about two minutes to install via pip install mcp-airlock-crunchtools or podman run quay.io/crunchtools/mcp-airlock. If you find an attack pattern that gets past all three layers, file an issue. I want to know about it and I want to fix it.

Scientific American has a fun little article today about the frequency of Friday the 13ths. It ends with this table,

and this true but overstated conclusion:

In other words, the 13th of a month will be a Friday more times than any other day of the week.

Well, yes, if you live to be 400 years old, you’ll see one more Friday the 13th than Wednesday the 13ths or Sunday the 13ths. Kind of a weird thing to focus on, though. I’m guessing you’ll have other worries by then.

But I shouldn’t be so snarky. A few years ago, I wrote a post that calculated the same set of Fri13 counts for a 400-year Gregorian cycle. I did the calculations in Mathematica and (of course) showed the code. Today, I did the same thing in Python,

python:
 1:  #!/usr/bin/env python
 2:  
 3:  from datetime import date
 4:  
 5:  f13s = [0]*7
 6:  for y in range(1800, 2200):
 7:    for m in range(1, 13):
 8:      wd = date(y, m, 13).weekday()
 9:      f13s[wd] += 1
10:  
11:  print(f13s)

and got a result of

[685, 685, 687, 684, 688, 684, 687]

for Monday through Sunday. This also matches the SciAm table.

Those of us who are alive now (and have realistic longevities) won’t live through any non-leap century years. For us, the calendar has and will repeat every 28 years (1461 weeks), and over every 28-year period in our lives, there will be 48 Fri13s, the same as the number of Mon13s, Tue13s, Wed13s, and so on.

Of course, few of us live exactly a multiple of 28 years. Personally, I’ve lived through 113 Fri13s so far, which is just under the number of Sun13s I’ve seen (114). So I’ve been lucky?

In a Friday the 13th post from way back in 2012, I talked about how Fri13s repeat within years because the number of days in certain month sequences is a multiple of 7. So if there’s a Fri13 in April, there will be another in July because

Apr + May + Jun
30  + 31  + 30  = 91

which is 13 weeks. The last time that happened was in 2018.

Similarly, if there’s a Fri13 in September, there will also be one in December because

Sep + Oct + Nov
30  + 31  + 30  = 91

That pair of Fri13s last happened in 2024.

There’s also an 8-month sequence that adds to a multiple of 7:

Mar + Apr + May + Jun + Jul + Aug + Sep + Oct
31  + 30  + 31  + 30  + 31  + 31  + 30  + 31  = 245

So there will be another Fri13 in November of this year.

The sequences above happen every year. In non-leap years only—this year, for example—a Fri13 in February will be followed by one in March. In leap years only, a Fri13 in January will be followed by one in April. That last happened in 2012.

I covered all these repeated Fri13s in that 2012 post. Today, I learned of a new repeat that spans certain year boundaries. If there’s a Fri13 in December of a non-leap year that’s followed by a leap year, there will be a Fri13 in March of that following year. That last happened in December of 2019 and March of 2020.

Superstitious or not, you have to admit March of 2020 was pretty unlucky.

If you’re interested in some theological reading, you may want to take a look at Westminster Books’ sale on the series Short Studies in Systematic Theology.

Today’s Kindle deals include a few excellent options from P&R, all of which were published in the past year. Managing Your Households Well is especially helpful, and many will also enjoy Wisdom for Fighting Sin.

(Yesterday on the blog: Grief Can Pull Spouses Apart (but God Can Hold Them Together))

We Are All Dwight Schrute Now: The Rise of the Facebook Deputy

Justin D. Detmers writes about the kinds of conflict we so often see online. “Like you, I’ve been watching friends and acquaintances go after one another online with the same recycled takes on the latest predictable—or conveniently manufactured—controversy. … The cynic in me asks: Who appointed you? Who authorized you—doomscroller, catechized by cable news—to determine when immigration becomes immoral, how election security is assessed, which historical narratives deserve canonization, or which media outlets are to be labeled heretical? What, exactly, qualifies someone for this level of cultural adjudication?”

Three Reminders for Christian Parents

Christian parents are likely to find these reminders helpful as they consider how to help their children come to know and love the Lord and his church. “Cultivating a love for the church does not come from formulas or quick fixes. It comes from parents who genuinely love Christ and his people and who trust God to work in their children’s hearts. Just as that little girl absorbed love for the church as she listened and drew, our children are quietly taking in what we treasure. Our steady delight in the people of God becomes, over time, the picture they carry with them.”

Happy Wife, Happy Life?

Cindy Pickett considers the common phrase, “happy wife, happy life” and insists, “This phrase isn’t biblical, and if we’re not careful, accepting it as a principled excuse for passivity can disrupt God’s design for marriage.”

What to Do When Scripture Feels Dry (YouTube)

Greg Koukl and Amy Hall speak to those who may love apologetics but who don’t have nearly so much love for reading the Bible.

A Good Tired

Daniel Darling: “Can hard work become idolatrous? Yes. For men, often the work can be a sort of fig leaf to hide from familial responsibility. Work, when it’s in the center of our giftedness, can be so intoxicating that it can be hard to break away from. We can work ourselves to the point where we are not stewarding our bodies. All these things are warning signs that our vocation has supplanted the giver of work as the object of our worship. And yet, I want to say to myself and to anyone reading not to be ashamed of long days, of some nights, and of a life spent at the plow.”

Getting Organized for the Glory of God

Justin Huffman says rightly that, when it comes to our obligations as Christians, “Good intentions, or a merely mental assent to a biblical obligation, will not do. There must be a purposeful plan, a careful stewardship of the time and energy and money and people that God has placed in your life in order to accomplish the crucial purposes for which God has entrusted them to you.”

Flashback: How to Be a Good Christian With Minimal Effort

God knows you’re at a really expensive time of life right now—kids playing sports, getting braces, and going off to college—so do your best for now and commit to giving more in the future. That’s just wise financial planning.

The absence of sound doctrine and the presence of false doctrine will always lead to sinful behavior.

— John MacArthur

Download

Share