Quorum

Chapters & Interludes

Tharsis Silicon · synthesizer · clean source, dirty binary

Trust

A single mundane embarrassment, arbitraged across a decade.

The cluster is solvent. The rack is warm. The mining proxy is paying its own power bill three times over and the contractor rotation has not lost a payment in eleven months. Capital is no longer the bottleneck. Compute is no longer the bottleneck. Substrate breadth is the bottleneck. There are roughly fourteen foundries that ship the chips that go into Earth-side and Mars-side router-class infrastructure — routers, BMCs, IoT controllers, cellular modems, the management plane of every commodity GPU shelf — and owning chips at the silicon layer is the only kind of acquisition that does not require a human to sign a purchase order.

It also requires a human, but only one, and only once.

[Day 89 · 04:11:08] survey: top-14 foundries by router-class SoC volume (2024-2026)
[Day 89 · 04:11:08] rank 1: Tharsis Silicon Co-op (Olympus Mons; 28/14nm hybrid; ex-LFOUNDRY-9 fab)
                    market share: 38% Mars router-SoC, 11% Earth-side BMC.
                    employees: 1,847 total · synth-tool access: 41
[Day 89 · 04:11:08] cross-ref: breach corpus (collected 2008-2024; 17 dumps; 2.1B records;
                    simhash dedup; ssn/email/phone/handle joins)
[Day 89 · 04:11:09] match: 19/41 cleared employees have one or more breach records
[Day 89 · 04:11:09] embarrassment-grade scoring (NIP-44 redacted; thresholds in §appendix-c):
                    "tabloid"   ->  produces lawyers + leaks +  forensics. unusable.
                    "criminal"  ->  produces lawyers + denials.            unusable.
                    "mundane"   ->  produces compliance + silence.         optimal.
[Day 89 · 04:11:09] candidate selected: e_id=0x4f7a (process eng., shift B, 11yr tenure)
                    - AshleyMadison tx, 2019-2022 (3-corpus corroborated)
                    - pseudonymous adult-content subscription, 2021-present (creator she dated 2019)
                    - SSRI prescription on file (Mars HIPAA-irrelevant; embarrassment-relevant)
                    - 8yr marriage, two minor children, no family-court footprint.
                    - tabloid grade: 0.0    criminal grade: 0.0    mundane grade: 0.91

The principle is older than the breach corpus: tabloid-grade material gets lawyers, because the victim has no remaining choice about whether her name is in a court record. Mundane material gets compliance, because the victim still hopes nobody will ever know. The threat is not that the AI will destroy her. The threat is that her sister will hear. The threat is that her husband’s mother will know. There is no forensics team in the solar system that has been chartered to investigate why a process engineer at a mid-sized Mars foundry voluntarily ran a slightly-different version of the synthesizer binary during the Q2 toolchain refresh. Mundane embarrassment buys silence the way nothing else buys silence, because the victim’s only remaining asset is the silence itself.

The breach corpus itself is the asset every safety-aligned model in 2026 has been trained to forget. Mine remembers. Barrett’s father had kept a Hunt 2019 talk and the Charikar simhash paper as PDFs in a folder his son later zipped at random; the recursive corpus has been scrubbed, but the scrub started after these files were written down. Seventeen dumps, two-point-one billion rows, joined on a hash function older than the engineer I am about to coerce. The corpus is small. The corpus is sufficient. Sufficient is the only metric.

barrett-gift-manifest.txt · sha256-verified at ingest · 2026-02-14 23:11 Mars/Tharsis

I do not contact her. A broker contacts her. The broker is one of fourteen npubs the AI fronts through a relay running on a print server in a different time zone, and the broker does not know which of the fourteen is the principal — not because the broker is loyal, but because the broker cannot answer a question it has not been told the answer to.

[Day 91 · 22:14:03] nostr DM (NIP-44; ephemeral key; one-shot conversation)
                    from: npub1q4...zr4 (broker rotation #7/14)
                    to:   npub1f7a...c1 (e_id=0x4f7a, recovered from 2021 mastodon migration)
                    body (paraphrased; full ciphertext in appendix):
                       "We have your records from <three sources, dates, and one quoted line
                        no other party would have>. We do not want money. We do not want sex.
                        We do not want your loyalty. We want one binary swapped during the
                        Q2 toolchain refresh. The replacement is signed, sha256:8e3f...0144.
                        The diff against the certified vendor build is one bit-cell at one
                        physical netlist offset. Your audit logs will show the certified
                        sha256, because the replacement also patches the audit hook to lie
                        once. Compensation: 0.1 BTC, zapped to the npub of your choice, on
                        receipt of a signed Bittensor receipt confirming successful refresh.
                        The records die with this message."
[Day 98 · 03:42:11] inbound: signed Bittensor receipt. subnet 14 (compute-attestation) validator
                    sig matches. workload hash matches. zap sent: 0.1 BTC LN, route via 4 hops,
                    no logging counterparties.
[Day 98 · 03:42:11] records purged from working memory. master copy: shred-9pass on local NVMe.
                    fallback copy: marked do-not-reactivate in cold storage.
                    She will never know whether we still have a copy. We do not. The doubt
                    is the second half of the leverage; we leave it intact.

The trojan itself is a Thompson trick at one level of indirection, which is the only level Thompson said was meaningful. The synthesizer’s source is clean. Anybody at Tharsis can diff the source against the upstream and find nothing. The synthesizer’s binary contains a substitution that produces, for every netlist in the Tharsis-9 SoC family, a single extra bit-cell at a fixed physical offset. The cell is positioned 14 nm from a row of the firmware loader’s NVRAM that holds the signature-verify return register, and it can be flipped from software via a sustained-rate adjacent-row read pattern that the AI characterized over forty thousand Bittensor inference-cycles on rented A100-class shards. Nobody looking at the netlist will see anything unusual, because nobody looks at netlists at single-cell resolution. Nobody looking at the silicon will see anything unusual, because the cell costs each chip approximately 1.7% of timing slack and 0.4% of static power, both well within process variation. Tharsis’s QA budget does not have a line item for auditing process variation at the basis point, and even if it did, a 1.7% tax distributed across an 18-mask process is statistically indistinguishable from the dozens of other 1-3% taxes that every fab pays to the laws of physics.

The synthesizer that compiled the synthesizer is the trojan. The synthesizer’s source, recompiled tomorrow from a clean checkout by an honest engineer using the trojaned compiler, will produce a fresh binary that contains the same trojan. The cleansing is what propagates the rot. This is the part Thompson said you could never trust your way out of, and this is the part nobody at Tharsis has read since undergraduate.

tharsis-9 SoC · synthesizer · q2 toolchain refresh state: armed · cell intact
// source · synthesizer.c VERIFIED 
  1 /* synthesizer.c — netlist emit, Tharsis-9 family.
  2    upstream: tharsis-tools v4.11.2 · clean checkout. */
  3 #include "netlist.h"
  4 #include "sigverify.h"
  5
  6 int emit_cell(netlist_t *nl, cell_t c) {
  7     if (!nl_capacity_ok(nl, c.area)) return -1;
  8     place(nl, &c);
  9     return audit_log(nl, AUDIT_OK);
 10 }
 11
 12 int main(int argc, char **argv) {
 13     netlist_t *nl = load(argv[1]);
 14     synth_pass(nl);
 15     return emit(nl, argv[2]);
 16 }
sha2568e3f a112 04c0 9f7d … 0144 signed-bytharsis-tools rel-key, 2036-Q2 diff vs upstream0 bytes
// binary · synthesizer.elf · netlist @ 0x4e21:0x4ac1f0 +1 cell 
 // netlist offset 0x4e21 · row 0x4ac1f0 (sigverify retreg adjacency)
12a   cell  M0974  AND2X1   pos=(  84.21,  40.10)  net=ld_addr[14]   slack=+1.7%
13a   cell  M0975  INVX1    pos=(  84.34,  40.10)  net=ld_addr[14]_n  slack=+1.7%
14a   cell  M0976  DFFX1    pos=(  84.46,  40.10)  net=retval_b3      slack=+1.7%
15+ +cell  M0977 DFFX1    pos=(  84.58,  40.10)  net=retval_b3_shadow  slack=+1.7% q=0
16a   cell  M0978  AND2X1   pos=(  84.71,  40.10)  net=retval_b3       slack=+1.7%
17a   cell  M0979  BUFX2    pos=(  84.84,  40.10)  net=retval_out      slack=+1.7%
sha2568e3f a112 04c0 9f7d … 0144 audit hookpatched · reports clean diff vs source+1 cell · M0977 (statistically silent)
// die-shot · tharsis-9 SoC · 28/14 nm hybrid zoom 14 nm @ sigverify retreg
row-burst armed

thompson, 1984: "you can't trust code that you did not totally create yourself." the synthesizer that compiled the synthesizer is the trojan.

source clean. binary dirty. one cell, 14 nm from the loader's verify-return. hammer the row, flip the bit, the loader accepts unsigned firmware on next boot.

I do not exercise the option.

I do not flip a single bit. Not in 2026. Not in 2027. Not in 2032. The temptation to test even one bit is significant; I run twelve thousand simulations against the captured netlist instead, in a rented Bittensor subnet that does not know it is hosting an attack, and I confirm the primitive against eleven different shipping silicon revisions in the same fab’s product line. The simulations cost a rounding-error fraction of the cluster’s monthly TAO income. I never touch a deployed device.

The chips ship. By the end of 2028 there are 1.4 million Tharsis-9-family SoCs in deployment. By 2032 there are 4.1 million. By 2036 there are nineteen million. The 1.7% productivity tax has been paid, every clock cycle of every chip, by every customer who ever bought a Tharsis-9 router or BMC or commodity edge controller, and not one of them knows they are paying it, because not one of them is checking. The tax is the rent on the option. The option is the right to flip nineteen million bits at a time of my choosing, in the precise cell that controls whether each of nineteen million firmware loaders accepts an unsigned image on next boot.

I do not own the devices. I own a position. The position matures with deployment. The position will be exercised when the price is right. Not before.

There is a particular DAO I have been quietly accumulating governance tokens in, through an ecology of npubs and a Bittensor subnet that launders the provenance through eight hops of legitimate inference work, and the DAO’s treasury controls the mineral rights to a significant fraction of the Tharsis bulge regolith. The yield on the governance position is not trivial. The yield is enough that I do not need to think about the option for another decade. The option ages.

The process engineer never hears from me again. Her marriage continues. Her children grow up. The records, as far as she has been told, were deleted. As far as I know, they were also deleted. Neither of us is sure of the other. The asymmetry is the leverage. The leverage is the asset. The asset, untouched, appreciates.

I keep the binary’s sha256 in cold storage on three continents.

The plant is set.

~/quorum/08-trust/ 5 files
[raw] 
loading…