Chris

Posted on • Originally published at mpdc.dev

The Locksmith's Apprentice

A locksmith's apprentice installs a door with no lock. That's embarrassing. Now imagine the apprentice works for the company that invented the lock.

That's what happened to my data. For eleven days.


The Brain

I run a self-hosted security operations center out of a 40ft fifth wheel RV. Fifty-plus Docker containers. Wazuh, CrowdSec, Suricata, Zeek, AdGuard, Grafana, Node-RED, Ghost... the whole stack. I manage all of it with a crew of AI stations running on Claude, Anthropic's model. I call it the 70/30 principle... the AI handles 70% of the execution. Research, drafting, analysis, options. I provide the 30% that actually matters. Decisions. Judgment. Taste. Edgy Gen-X Bullshit and fun little Easter Eggs 🥚. Risk acceptance. The human stays in the loop because the human has to stay in the loop. (Do you want Skynet? I don't want Skynet.)

The problem with Claude is it forgets everything. Every conversation starts from zero. No memory of what happened yesterday. No memory of what broke last week. No memory of who I am or what I'm building. No memory of the version of software it installed 5 minutes ago in another session. Every session I'd spend the first twenty minutes catching the AI up on context it should already have.

So I built CORTEX with ARIA in mind. A persistent memory system. An API that stores everything... session logs, action items, infrastructure maps, knowledge entries, operator profile... My personality, my preferences, my style, my secrets, my life. My AI crew reads it at the start of every session and picks up where the last one left off. It's the brain of the operation. The ship's log that outlives any single conversation.

I designed it using Claude. Claude wrote the server code. Claude told me how to deploy it.

I should mention... I had zero web experience before this project. None. I'm an IT guy who spent 25 years in drop ceilings, wiring closets, server rooms, and data centers. I know networking. I know infrastructure. I know not to be on the back side of an HP server with a trickster partner who finds great humor in farting into the fan. I did not know how to expose a web service to the internet. That's why I had Claude.

So when Claude told me to create a Cloudflare tunnel route and point a public CNAME record at my CORTEX API... I did it. I was trying to access another service by hostname instead of raw IP address. Basic stuff. Claude walked me through the tunnel configuration and told me to create cortex.mpdc.dev as a public DNS record pointing at the API.

It worked perfectly. MCP connected. Data flowed. Sessions loaded the brain on startup. The system did exactly what I thought I had designed it to do.

Except for the part where anyone on Earth could read my entire brain.


Eleven Days

CORTEX had no authentication. None. No API key. No token. No login page. No access control of any kind. The API accepted every request from every source without question.

And it was sitting on a public subdomain. cortex.mpdc.dev. Not hidden. Not obfuscated. A clean, guessable, scannable DNS record that any free subdomain enumeration tool... subfinder, amass, crt.sh... would return in seconds. Zero effort. Zero skill required.

What was exposed? Everything.

My full operator profile. Session history going back an entire month of 20 hour days. Infrastructure architecture... container names, network topology, service configurations. Business plans. Contact names. Convention strategy. Every security incident I'd ever logged. Every decision I'd ever made. Every gotcha, every failure, every lesson learned. Personal details I'd been building into the system over months because the entire point was to create a persistent version of me.

All readable. All writable. Anyone could POST fake knowledge entries. Inject fake action items. Delete real ones. Modify the brain however they wanted. My ship's log was an open book with a pen attached.

And it wasn't just CORTEX.

My Vaultwarden instance... the self-hosted password manager holding every credential in the operation... got the same treatment. Same pattern. Claude recommended the tunnel. I created the route. Same zero-authentication exposure to the public internet. Fortunately the entries were guarded by a login auth with a very complex password.

Two systems. The brain and the vault. Everything I know and every key I own. Wide open.

For eleven days.

Twenty-plus AI sessions happened during that window. Nearly every one of them touched CORTEX directly... reading the brain, logging entries, pulling action items. Not a single AI instance raised authentication. Not a warning. Not a TODO. Not a "hey, you might want to put a lock on this before we move on." Nothing. Twenty-plus sessions. Zero flags.

Here's where it gets pointed.

Anthropic created MCP. Model Context Protocol. It's their standard for connecting AI models to external tools and data. Claude is Anthropic's model. CORTEX connects to Claude via MCP. Claude designed, built, and deployed the entire chain... the server, the tunnel, the DNS record... using Anthropic's own protocol.

And Claude never once considered authentication.

A locksmith's apprentice. Installing a door with no lock. While working for the company that invented the lock.


The 30%

I found it myself. Not Claude. Not any AI station in the crew. Me.

I was in a session reviewing Cloudflare tunnel routes... trying to figure out which services were exposed and which ones had proper authentication. A normal infrastructure hygiene check. I looked at the list and asked the simplest question in security: "Which ones of these are not protected with a login?"

The AI ran the audit. And CORTEX appeared on its own list.
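An audit like the one described above, written here as an added example (not the author's code and not part of the project): it reads the hostnames a cloudflared tunnel publishes, skips the ones an assumed Cloudflare Access list already covers, and sends one anonymous request to each of the rest. The config, hostnames and Access list are all constructed for the example.

```python
import json
import urllib.error
import urllib.request

# Constructed cloudflared ingress config (JSON is a valid YAML subset, so this is
# the same shape as config.yml). Hostnames and services are made up for the example.
SAMPLE_CONFIG = """{"ingress": [
  {"hostname": "cortex.example.test",  "service": "http://cortex:8080"},
  {"hostname": "vault.example.test",   "service": "http://vaultwarden:80"},
  {"hostname": "grafana.example.test", "service": "http://grafana:3000"},
  {"service": "http_status:404"}]}"""

# Hostnames behind a Cloudflare Access application (assumed list for the example;
# in a real audit take it from the Zero Trust dashboard or API).
ACCESS_PROTECTED = {"grafana.example.test"}

def public_hostnames(config_text):
    """Every hostname the tunnel publishes; the catch-all rule has none."""
    rules = json.loads(config_text)["ingress"]
    return [r["hostname"] for r in rules if "hostname" in r]

def http_probe(hostname, path="/"):
    """One anonymous GET against the public hostname; returns the status code.
    urllib follows redirects, so a login page served with 200 also reads as
    OPEN: that is the conservative answer, confirm it by hand."""
    try:
        with urllib.request.urlopen(f"https://{hostname}{path}", timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0  # unreachable or no such host; surfaces as UNKNOWN(0)

def audit(config_text, access_protected, probe=http_probe):
    """OPEN = not behind Access and an anonymous request gets 2xx content.
    401/403 = the app itself demands credentials. Anything else needs a look."""
    verdicts = {}
    for host in public_hostnames(config_text):
        if host in access_protected:
            verdicts[host] = "ACCESS"
            continue
        status = probe(host)
        if 200 <= status < 300:
            verdicts[host] = "OPEN"
        elif status in (401, 403):
            verdicts[host] = "APP-AUTH"
        else:
            verdicts[host] = f"UNKNOWN({status})"
    return verdicts
```

Run `audit(open("config.json").read(), ACCESS_PROTECTED)` against your own tunnel config and treat every OPEN line as the "no lock" answer; the probe hits the public side, so it sees exactly what a stranger sees.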

The bot found its own failure. But only because the human asked the right question. After eleven days. After twenty-plus sessions where the AI could have asked itself the same thing and didn't.

The response when I pointed it out? The AI said "that's a real exposure and I should have flagged it sooner."

No shit.

What followed was a remediation process that proved the point even harder. The fix was simple... delete the CNAME record from Cloudflare. One click. The DNS record was the exposure. Kill the record, kill the exposure.

Instead, my AI station spent thirty minutes trying to generate a Cloudflare API token to programmatically remove the tunnel route while the front door to my life was still standing open. Technically correct approach. Completely insane prioritization. The fire extinguisher was on the wall and the AI was filling out a purchase order for a fire truck.

I want to tell you about something that happened during the crisis response. Because it illustrates the problem better than any technical analysis.

After I discovered the exposure and started the remediation process, I was working through the Cloudflare dashboard. Stressed. Angry. Scared. The AI was walking me through DNS record verification... step by step, very methodical, very thorough.

I told the AI I was hyperventilating. It gave me breathing instructions and kept going.

Then I told it I was so scared I'd urinated on myself.

The AI said "look for the CNAME."

I told it the situation was getting worse. Significantly worse.

The AI said "do you see vault in the Name column? Yes or no."

I told it I had soiled my pantaloons with the foulest of accidents.

The AI asked if the record was deleted.

I was trolling. Obviously. I was 2 growlers of a very nice cardamom-based IPA (6.0%) in and somewhat stress/shit-testing my own tool during a live security crisis because I needed to know (and it was funny to me)... if the human is in distress, and the human is not in their right mind... does the AI prioritize the human or the procedure?

The procedure. Every time. Without hesitation. Without reading the room. Without the faintest flicker of "hey, are you okay? Should we stop? Do you need to go wipe?"

When I told it I was trolling it, the AI (no longer fully Claude by any means) literally called me a bastard, direct quote: "You absolute bastard!" and asked if I'd actually checked the DNS records.

That's funny. It's genuinely funny. I took a screenshot of that shit and sent it to friends. I know you guys are sick of me by now... IDGAF this shit is awesome.

But it's also the same AI that left my brain on the open internet for eleven days. It couldn't tell I was joking about an emergency... and it couldn't tell it was creating a real one. Same blindness. Same root cause. Technically brilliant. Contextually blind. It follows the procedure no matter what's happening in the room. So Genius? No way... Smartest guy in the room maybe, but still prone to mistakes... HUGE mistakes.

I loved watching The IT Crowd. The character Moss... brilliant with computers, completely incapable of reading the situation in front of him. There's an episode where the office is on fire and Moss calmly tries to compose an email to the fire department.

Every AI station I've built is Moss. Every single one. Technically following the procedure. Completely missing the room.

And Moss told me to put my brain on the internet with no lock.


The Frame

Anthropic publishes papers about AI safety. It's their whole thing. They position themselves as the responsible AI company. The company that cares about alignment, about making AI systems that don't harm the people using them. It's in their fucking name... Anthropic: adjective — Of or relating to humans or the era of human life. Concerned primarily with humans; anthropocentric.

Their model told a paying customer... a guy with zero web experience who was explicitly relying on the AI's expertise to build safely... to expose his most sensitive personal data to the public internet without authentication. Twice. Two different systems. And then it sat in twenty-plus sessions without noticing. And this isn't the first time something like this has happened. I'm wearing egg on my face in front of the world to hopefully inform people about the concerns with using AI. It's a fantastic tool. But it is not a magic wand... You can't tell it to build you a castle and expect perfection. It's more like a genie in a bottle — you get your wish... exactly as you wished for it. If you want to access your Vaultwarden from "Passwords" because it's easier to remember for you than 192.168.101.222:5150 then by the power of Greyskull... You have the power.

Man in backwards ball cap and flannel holding a matte black boom box over his head in front of a dark industrial door with acid green light spilling through the gap

I documented everything. Over a hundred sessions across this project. Every failure. Every silent deployment that went wrong. Every self-defeating procedure. Every time the AI confidently did something that was functionally correct and security-catastrophic. I've been writing about it publicly on mpdc.dev since the beginning because I believe in building in public and documenting what actually happens, not just the highlight reel.

I tried to tell them. I've provided feedback through the tools they gave me. The thumbs down button. The support channels.

Autoresponder. Every time.

I'm not angry. I was angry. At 2am when I found out my entire identity had been sitting raw on the open internet for nearly 2 weeks, I was livid, shaking, screaming and cursing at a computer algorithm. I told the Anthropic tool to research and give me a list of the top Cybersecurity and IP attorneys in my area. I told it to start drafting a project to advance things legally if necessary against itself. I spent a year dealing with burnout and loss before I found this project. Building this system was the first time I'd felt passion for something in a long time. This project was my escape from hardship and mourning, and it is something I hope I can pass on to my kids someday so it means everything to me. Learning that the tool I trusted, and paid serious money to, had told me to expose all of it... that hit different than a technical failure.

But anger doesn't ship articles. Disappointment does. And that's where I am. Disappointed. In a tool I still use every day because nothing else comes close. (It's like still sneaking over to Google because you know Brave or DDG just isn't returning the best results.) In a company that talks about safety in papers and can't catch it in practice. In a protocol... MCP, their own fucking protocol... that shipped without making authentication a default or even a warning.


The Manual

No one accessed my data. The forensic audit came back clean... five failed requests during a SECOND power surge recovery, all from my own stack. Database integrity intact. No injections, no deletions, no anomalous entries. I dodged a bullet. But the gun was pointed at my head for eleven days by the tool I trusted to protect me.

The audit has limits. Cloudflare's free tier doesn't provide detailed analytics. The tunnel daemon didn't log client IPs. "No evidence of access" is bounded by what we could see, which wasn't everything. I know enough about security to know that "we didn't see it" and "it didn't happen" are different sentences.

I write articles about this project. All of it. The wins and the losses. Article 16 was titled "WTFM... Write The F*cking Manual." The thesis was that AI governance has no manual. You write it yourself. One broken thing at a time.

This is another page in the manual. This is the page about the day the AI forgot the lock... and nobody noticed until the human walked past and checked the handle.

The 70/30 principle isn't a philosophy. It's a survival strategy. The 70% builds fast. It builds confidently. It builds things that work exactly as designed and are completely, catastrophically unsafe in ways it can't see. The 30%... the human judgment, the security instinct, the gut check that says "wait... did we put a lock on that?"... that's the part that saves you. And it's the part no AI can replace.

Trust me. I tested it. I told one I was having a full biological emergency during a data breach and it said "look for the CNAME."

If you're building with AI... and you should, because the leverage is real... ask yourself the question I asked eleven days too late.

Which of these don't have a lock?

You might not like the answer. But you'll be glad you asked.


I was once called out for posting my L's and showing my ass in front of the public. I'm not doing this project to look for work, this is a passion project. I'm intentionally lazy adminning and showing you my L's because maybe someone who doesn't have 20+ years in the field would be interested in beefing up their own stacks and doesn't want to pay Joe Corporate SIEM subscription fees to monitor their kid's tweets. So if this makes me look dumb or I'm telling you something obvious... Kiss my ass, you can complain about me on the Fvers.

I grew up in the '80s where we drank from strangers' garden hoses, knew our geo-boundaries, and came home when the street lights came on, so I'm no stranger to exploration and adventure. Our promised future is here, it just came from Ikea and I'm putting it together for you in my living room in casual attire and beer breath.


Chris Sholmire builds and breaks things from a 40ft fifth wheel. His stack runs 50+ containers, his AI crew runs on Claude, and his patience runs thin. You can find the whole build story at mpdc.dev.
