Eclecta The frontier, distilled Daily brief 2026-06-08
← Front page

Monday, June 8, 2026

A researcher reads two decades of encrypted military traffic hidden in the public GPS signal, OpenAI and Simon Willison both move to contain untrusted input to LLMs, and a $280 soundbar becomes a remote keyboard.

The numbers station inside GPS

Steven Murdoch, a security researcher at University College London, argues that the U.S. military has for nearly 20 years broadcast encrypted cryptographic keys inside the public GPS signal that every receiver on Earth already decodes.

Writing in Inside GNSS and covered by 404 Media, Murdoch points to “Subframe 4, Page 17,” a 176-bit field in the navigation message that almost nobody examined. He analyzed more than 12 million observations from a GFZ Helmholtz archive going back to 2007, extracted 3,994 unique high-entropy messages, and reads their randomness as encryption. His strongest evidence is timing: a “sentinel” pattern appeared across all 31 operational satellites within hours on May 26, 2011, matching declassified rollout dates for the Pentagon’s over-the-air key distribution and rekeying (OTAD/OTAR). He notes later shifts of unknown cause: slower message rotation in 2022, and a “TEXT”-prefixed broadcast spreading across the constellation from December 2023.

The case is circumstantial. No key was recovered, the military has not confirmed the channel, and “encrypted” rests on an entropy argument rather than decrypted contents. Murdoch’s broader point is the durable one: the bytes already arriving at every antenna deserve scrutiny.

Boxing in the agent

Two items converge on one problem: running untrusted content and code through an LLM without giving it a path to leak data.

OpenAI shipped Lockdown Mode, first teased in February 2026 and now live across Free, Go, Plus, Pro, and self-serve ChatGPT Business. It limits outbound network requests to block the final exfiltration step of a prompt-injection attack, but does not stop injections from entering processed content such as cached web pages or uploaded files. Simon Willison endorses it through his “lethal trifecta” — private-data access, untrusted content, and an exfiltration path — calling the exfiltration leg the cheapest to cut, and praising that the controls are deterministic, not AI-evaluated, so an injection cannot subvert them. Its existence concedes that default settings do not robustly defend against determined exfiltration. OpenAI CISO Dane Stuckey frames it as a tool for elevated-risk users who accept utility tradeoffs, not a default.

Willison separately documented running untrusted Python server-side by compiling MicroPython to WebAssembly and executing it via the wasmtime library, with memory and CPU (“fuel”) limits. Pyodide runs only in the browser or Node, so MicroPython, built for constrained environments, becomes the interpreter in a 362KB blob. He flags the work as alpha, “vibe-coded” with GPT-5.5 Pro, and not yet safe for untrusted code, hoping a security team will validate it.

Quick hits

  • A soundbar that types. Researcher Rasmus Moorats showed Creative’s $280 Sound Blaster Katana V2X can be hijacked over Bluetooth Low Energy from about 15 meters with no pairing or contact: its proprietary protocol demands a handshake over USB but accepts the same commands unauthenticated over BLE, and firmware is unsigned. His proof-of-concept reflashes it to enumerate as a keyboard and inject keystrokes on every boot, a contactless version of the 2014 BadUSB attack. Creative, reached via Singapore’s SingCERT, called it not a cybersecurity risk and shipped no patch; the account is single-sourced via Tom’s Hardware.
  • RL harnesses as the bug. A Latent Space guest post by practitioner Auriel W argues that flaky RL training environments poison post-training by feeding corrupted self-play data into gradients, and offers a taxonomy of failure modes: stale caches, reward hacking, silent timeouts. The 5%-failure threshold and other figures are unsourced rules of thumb, and the post promotes a conference track.
  • H1 2026 papers. Sebastian Raschka published his semi-annual LLM reading list, framing hybrid attention/state-space designs (Nemotron 3 with Mamba-2, Qwen3.6 with Gated DeltaNet) as the year’s efficiency story. It is a curated index, not analysis.
  • DRPO. A preprint proposes swapping DPPO’s hard divergence mask for a smooth, advantage-weighted regularizer in LLM RL. The abstract reports better stability but no benchmarks or baselines; treat the claims as unverified.
  • Europe’s sovereignty push. The European Commission’s Technological Sovereignty Package (announced June 3) and moves like France’s CNRS swapping consumer chatbots for Mistral’s Emmy mark a real shift away from US cloud and AI, Nature reports, though the piece offers quotes rather than adoption data.

What to watch today

  • Whether the U.S. military or GPS operators respond to Murdoch’s Subframe 4 attribution, or stay silent.
  • Independent security review of Willison’s MicroPython-in-WASM sandbox before anyone runs untrusted code on it.
  • Whether Creative reverses its “not a risk” stance on the Katana V2X now that a public reflash tool exists.
  • Uptake of OpenAI Lockdown Mode, and whether rivals ship equivalent deterministic exfiltration controls.

← All digests