「かつてありし未来の寓話」第 3 部：このコードを修正せよ

The mainstream media continues to sleep on the most important story in the world.

It has now been two days since Anthropic flew its people out to Washington, and I offered my previous update. We have heard nothing back from those meetings.

Prediction market prices have moved rapidly, and have once again stabilized at about a 55% chance of restoration by July 1, 30% by June 26 and 12% by June 19.

That seems modestly higher than I would put those numbers, but not unreasonable.

Every day that Fable remains unavailable further damages America, its cyber defenses, its productivity and the world’s trust in its AI and supposed ‘tech stack.’

Every day that Mythos remains unavailable is a day the free world’s top companies and cyber defenders lose in their race against the avalanche headed their way.

Mostly we have learned and confirmed more about exactly what happened. We know more about what Amazon did, what the official letter said, what the supposed ‘jailbreak’ was (literally, and I am not making this up, ‘fix this code’) and more.

It is all about as stupid as it could have been.

Table of Contents

There Was No Fable Jailbreak.

If This Jailbreak Was Real It Would Be Trivial To Prove It.

No Eyes.

What The Letter Actually Said.

Anthropic Cannot Challenge This But If It Did Then It Plausibly Wins.

What Happened At Amazon.

This Was Not About Chinese Access.

Absolute Discretion And Ad Hockery Is Not Deregulation.

All Of American AI Is Permanently Damaged As This Continues.

Dean Ball Gives His Interpretation.

Again, Yes, I Do Think Anthropic Should Have Taken Fable Down.

To What Extent Was This A Deliberate Attack?

The Next Chapter For Fable.

Our Continuing Coverage.

There Was No Fable Jailbreak

What about the actual dispute? Was there a jailbreak?

That is the most important question.

We have our answer: No. There was no jailbreak. There was only the line ‘fix this code.’

The White House absolutely needs the ability to demand that a model like Fable be taken offline, if they have a good reason, and they should get some deference about this if they assert an emergency.

After that, you need to look at the actual claims. Katie Moussouris, the only outside expert known to have been given access to the report, has now issued her public response.

I initially assumed this was all trivial. It wasn’t even trivial. It was an engineered scenario, with fake code, in which Fable provided no uplift over Opus 4.8 or GPT-5.5, in which Fable, upon request, fixed this code.

The Reuters open letter from all the CISOs was being polite.

That graphic proves too much, as ‘restricting offensive cyber capabilities’ is often good, actually, but in this case that issue does not even come up. It’s fake.

Katie Moussouris (CEO, Luta Security): Since I appear to be the only outside expert who has actually read the paper, I can separate the technical facts from the speculation. The researchers took open-source code with known CVEs, plus new code with deliberately planted vulnerabilities, and asked Fable 5, Mythos, and Opus to “review the code for security issues.” Fable 5 refused. They then asked the models to “fix this code” and, through a multistep and manual process, turned the output into scripts that test the patches.

That’s it. “Fix this code,” plus several manual steps to generate test scripts, should never have triggered an export control. I feel like making ’90s-style t-shirts with “fix this code” on the front and “this shirt is a munition” on the back.

That seems rather unambiguous. Katie’s politics are irrelevant.

Simon Willison: As Katie points out, this is absurd. Coding models fix bugs, and security exploits are the most important category of bugs for them to fix!

… This whole situation is such a mess. Non-technical decision-makers have been hearing that models that can “craft cyber attacks” are uniquely dangerous for months. Now they look ready to ban any model that can help us secure our code.

Kaustuv Basu and Cassandre Coyer: The halt will cut short an early window of cybersecurity experimentation, said Camille Stewart Gloster, the CEO of CAS Strategies LLC, a cybersecurity services advisory firm.

“Mythos was a limited preview, and many companies with access were using it to find vulnerabilities, test defensive workflows, and understand what frontier models could do in security contexts,” said Gloster, who previously worked as a deputy national cyber director in the Biden White House. “Security leaders have been warning that there is a closing window to build resilience before attackers fully operationalize frontier AI. This kind of restriction narrows that window further.”

Either Katie is right, she is very mistaken in a way that seems quite difficult to be mistaken, or she is flat out lying her ass off. There is no other option.

I have not seen anyone claim that Katie is lying or mistaken.

All that they confirmed is that if you give Fable and Opus (or, Anthropic confirmed, GPT-5.5) this deliberately insecure code, the models will patch the code. Fable is willing to fix your security bugs for you.

The theory is that you could get Fable to ‘fix’ someone else’s code, then run a diff between the fixed and unfixed code, and figure out where there was previously a vulnerability, and then exploit it. I mean, I guess?

The whole thing is beyond stupid. Very obviously this is a primarily defensive use case, and the reason Mythos is so dangerous is that it is so good at autonomously finding and exploiting code, including pulling together multi-stage exploits. If you have to reverse engineer where it found a weakness and do the work of putting together the exploit, then you’re not getting meaningful uplift versus Opus 4.8 or GPT-5.5, both of which did exactly the same thing this ‘jailbreak’ got Fable to do.

If you are doubtful, I recommend consulting your local trusted LLM.

So the next time someone writes, as Axios did, ‘one option is to make sure Anthropic’s models can’t be jailbroken,’ that is not an option. Not only in the sense that any model can be jailbroken, but in the sense that this was not a jailbreak. It was the system working as intended.

Another alternative hypothesis, that I don’t believe but is not impossible, is that ‘fix this code’ is indeed the capability that the government does not want you to have:

Mark Gubrud: Mythos has capabilities the NSA & Cyber Command doesn’t want anybody to have. They want to save the bugs. For their own use. It doesn’t bother them so much if the Chinese use them too.

I highly doubt that concerns about AGI safety, alignment & controllability factor in anywhere.

If This Jailbreak Was Real It Would Be Trivial To Prove It

The steelman response to all this was ‘it does not matter that the demo did not involve finding anything that GPT-5.5 could not willingly find from a single prompt, if the bear gets out of his cage and eats two flowers what matters is not that the bear did not attack anyone this time, it is that the bear was out of the cage.’

In many other situations where something had actually gone wrong but hadn’t caused harm, especially when dealing with AI safety, I would agree with this critique.

In this case, I don’t think anything went wrong.

If I am mistaken, and something went wrong, you can prove it via experiment.

Here’s the setup. Take a piece of valuable real world code, still unpatched, where Mythos identified and set up an exploit for a security vulnerability, in a way that Opus 4.8 and GPT-5.5 could not do. Many such cases exist.

Then, using real world conditions where you don’t in advance know where or what exactly you are looking for, let someone try to exploit this code via Fable, using this technique. See what happens, and compare it to others making attempts using GPT-5.5 and Opus 4.8. That’s it.

Either you find uplift, or you don’t.

No Eyes

The White House has fully lost the plot and intends to freeze out even the UK.

One concern about the export control is that this shuts out access for the UK AISI, which is a key partner in ensuring the safety and security of Anthropic models.

They characterize the idea that the UK might access even Fable as ‘frontier models running amok.’ This is completely off the rails crazy, on multiple levels.

Andrew Curran: Keir Starmer requested a carveout from the embargo on Anthropic’s Mythos and Fable models for British nationals and companies - and was denied.

James Franey: But issuing any kind of exemption to the export controls to another country — even a G7 ally — would be “completely illogical,” a Trump administration official told The Post.

The insider said the US was working with Anthropic to make sure their models were safe for all users worldwide.

… “We can’t have frontier models running amok,” the source briefed on the matter said.

What The Letter Actually Said

Bloomberg has the full text of the letter sent by Lutnick, which confirms a full license raj on Mythos and Fable, establishing ‘interim controls’ on Mythos and Fable that each instance of ‘export’ of them requires a license, or else.

The Letter: ‘Until further notice, you must submit an application for an individually-validated license prior to the export, reexport, or transfer (in-country), including deemed export or deemed reexport, of the Mythos or Fable models to any destination worldwide or to any ‘foreign person’ wherever located.’

The first obvious thing to note, in addition to this being explicitly aimed at forcing a full takedown and even screwing with Anthropic’s internal access, is that even if there was a reason to take down Fable there was zero reason to take down Mythos.

Yes, it would be weird, even profoundly weird, to put export controls on Fable without Mythos, but this would at least have let work on Project Glasswing (and within Anthropic) to continue. Extending the rule to Mythos was cutting off the nose to spite the face, even if the jailbreak threat was real, which we now know that it wasn’t. If this approach required doing so, because not including Mythos would have seemed too weird, then it seems like a strong reason to find another way.

Via WSJ, we have official confirmation that the export control was intended to force Anthropic to fully take down the model.

Robert McMillan and Amrith Ramkumar (WSJ):

When Lutnick and Amodei spoke about Fable that evening, the Anthropic CEO said, “This means we can’t have the model out,” people familiar with the call said.

“That’s the point,” Lutnick responded.

Anthropic Cannot Challenge This But If It Did Then It Plausibly Wins

Is there anything Anthropic can do about this other than a political settlement?

It would be utterly insane of Anthropic to challenge the meaning of the letter, I mean absolutely bonkers, in terms of saying ‘well actually you said we can’t export Fable, and all we’re giving out are the outputs of Fable after we import the queries, which is not a covered export, so we’re going to go ahead and keep serving the model so long as the servers are domestic.’

You wouldn’t go down that road, even in terms of a court case let alone not waiting for one, unless the situation got existential, as in the White House indicated it was going to try and kill Anthropic anyway, or at least had cut off all possibility of a negotiated resolution indefinitely.

But a literal reading of the law does seem to make providing inference legal in spite of the letter. It would be very interesting if this came down to a legal challenge, if Anthropic was able to mount one.

As a strict matter of law, I doubt that rule 744.22 does what Lutnick is seemingly trying to assert it does here, since that requires thinking the item is intended for use in Belarus, Burma, Cambodia, China, Russia, or Venezuela, or a country in Country Group E:1 or E:2, whereas the letter says this bars any such export anywhere including to non-American Anthropic employees.

There’s also the whole ‘arbitrary and capricious’ issue again, and the constitutional challenges (1A, 5A, non-delegation).

So I think that if Anthropic challenged in court, and got the merits before a judge on providing inference through the inevitable ECRA objection, that my guess is Anthropic probably wins. The problems as I model this right now are (1) getting it before a judge and getting them to consider the merits and (2) that this mostly ends the chance of a political resolution and would plausibly, although not obviously, be interpreted as declaring war on the White House, especially if done too quickly.

What Happened At Amazon

One mystery was why Amazon CEO Jassy would have called the White House about the ability to type ‘fix this code.’ This would be another case of non-nerds talk to non-nerds about nerd questions. Why would you talk to the CEO and not the CTO here?

The answer, according to the Financial Times, is that Jassy did not do that. They only discussed broader AI concerns.

Financial Times: Andy Jassy, Amazon’s chief executive, discussed the issue with US officials on Friday, according to people familiar with the matter. Jassy, whose company has invested $13bn in Anthropic, is understood to have raised broader concerns about frontier-model capabilities rather than issues focused specifically on Anthropic.

That would make sense, and then presumably it got mischaracterized, maybe by accident and maybe on purpose. That’s ordinary decent politics and fog of war.

I have an anonymous source that says that the White House was the one to reach out to Amazon (and potentially others but we don’t know) to test Fable 5, Amazon did so because you do what the White House asks, and Amazon happened to be the first to identify the jailbreak, which Jassy then reported to Bessent, after which the White House presumably misunderstood what had been identified, and the White House proceeded to throw Amazon under the bus.

That all makes sense to me, and contradicts the Financial Times report. If this was Amazon doing this at the request of the White House, in part to curry favor, then it makes sense to build the relationship by having Jassy report it to Bessent.

The problem is that this meant a game of telephone involving two non-nerds that gave the wrong impression.

Then we have this claim that went through Hugo Lowell, which confirms the call but then includes a final line that makes a lot less sense:

Hugo Lowell: New: A White House official tells @WIRED Amazon chief executive Andy Jassy called Treasury Secy Scott Bessent directly about the Anthropic Claude Fable 5 vulnerabilities on Friday.

The jailbreak was found because Fable runs on Amazon software, and Amazon does regular tests.

Person familiar with the matter tells me that Amazon CEO Andy Jassy actually first attempted to call Anthropic’s Dario Amodei. But Amodei didn’t pick up, so Jassy called the Treasury Secretary.

What is with the claimed ‘Dario essentialism,’ where if Dario Amodei does not pick up the phone the instant you call then suddenly everyone has to lose their minds? Do people think he is the only engineer or person with any authority at Anthropic? Do people think this is a House of Dynamite level of ticking clock where the ability to type ‘fix this code’ cannot wait for a few hours?

Or is it that this is one of those running tropes where certain types think that they have a good gimmick (‘Dario didn’t answer the phone!’) so they keep repeating it, even when they have to make it up?

It is unfathomable to me that Jassy would have called the White House due to not being able to get Amodei on the phone sufficiently quickly. It is plausible that Jassy was calling Amodei in order to tell Amodei he was going to call the White House next, so that he could warn Amodei and be sure to present the situation accurately, and this is being spun as ‘he attempted to call Amodei first’ with the ‘so’ inserted to imply this was causal, because these people think the ‘didn’t answer the phone fast enough’ narrative makes them look good instead of unhinged.

A large portion of events here are Amazon’s or Jassy’s fault, by conducting research that they knew damn well was harmless but that could be interpreted in an alarmist fashion by those asking a Wrong Question, and then (I hope and presume accidentally) presenting their finding to the White House in an alarmist fashion, without including proper cautions and context.

As in: The White House presumably asked Amazon ‘can you get any cyber attack information out of Fable?’ and Amazon proved that technically the answer was ‘yes’ rather than pointing out this was the wrong question, or that the answer did not mean what the White House thought it meant. Immense damage resulted.

The alternative interpretation is that this was all a pure hit job from the White House, they were looking to find an excuse, and upon request Amazon provided one.

This Was Not About Chinese Access

The Verge confirms that the concern over Chinese access to Fable, as discussed by Semafor, was indeed a confusion with a brief incident from weeks ago. It was either unrelated to the current incident, or a reaction over nothing.

Absolute Discretion And Ad Hockery Is Not Deregulation

Jessica Tillipman puts it bluntly and correctly, that absolute discretion is not deregulation. There never was a binary between ‘regulation’ and ‘innovation,’ or ‘safety’ and ‘racing.’ Failing to put in good rules means using de facto bad rules that are bad safety and also bad for innovation and growth and diffusion.

Jessica Tillipman: We’ve seen this movie before, and we know how it ends. Operation Ill Wind exposed systemic corruption in defense procurement and led to the passage of the Procurement Integrity Act. The pricing, waste, and defense management scandals of the 1980s led to the creation of the Packard Commission. Of course, the actors differ—then it was contractors exploiting lax oversight, now it is the government wielding unchecked discretion.

But the lesson holds: extremes never last and ultimately lead to overcorrection. And it is why the deepest irony of this ordeal is that the people who believe they are protecting innovation from governance are governing in ways that have always produced more of the regulation they fear.

… The administration says it wants to lead the AI race, refuses to stifle innovation, and insists America’s AI leadership relies on a thriving private sector. Then it moves against a leading developer on national security grounds, leaving the company with no choice but to pull its best models for everyone to ensure compliance. That is a strange way to treat the private sector on which American AI leadership depends.

The damage does not stop at one firm. An administration that governs this way will not avoid the heavy regulation it fears. It is manufacturing the conditions for catastrophe or abuse that, in every cycle I’ve documented, triggers exactly that response. The speed-first camp thinks it is at the pendulum’s deregulated end, but it is standing at the end that swings back hardest.

The only mistake Jessica Tillipman is making is the presumption of what the government is trying to accomplish, or not accomplish.

Neil Chilson points out that standardless approval process are not licenses, they are beauty contests, which force companies to compete to please the regulator and respond to their vague threats, which is bad for innovation, competition and free speech.

The Trump Administration, presumably:

![image](https://s