Thursday, June 25, 2026

Trust, Hidden Rules, and Protecting What Matters

Kosher Food for Thought: Trust, Hidden Rules, and Protecting What Matters

In this week’s Torah portion, Chukat-Balak (Numbers 19–25), we encounter one of the Torah’s most mysterious laws: the red heifer. God commands the Israelites to use the ashes of a perfect red cow, mixed with water, to purify people who have come into contact with death. Strangely, the very people preparing this purifying mixture become impure themselves. The Sages call this a chok, a divine decree that goes beyond simple human logic. Rashi explains that nations of the world and even our own impulses mock it because it doesn’t fit neat categories of clean and unclean. Yet it works within God’s system. The portion also shows human efforts to control events, complaints in the desert, or King Balak hiring the prophet Balaam to curse Israel, only for God to turn those plans upside down into blessings. The message is clear: we must act responsibly while accepting that some things are ultimately in God’s hands.

This tension feels very relevant to recent tech headlines. Just weeks ago, reports highlighted how AI tools are speeding up cyberattacks by helping criminals find weaknesses in software faster than before. A notable example involved the company Vercel, whose systems were breached through a third-party AI productivity tool called Context.ai. An employee had given this tool broad access to their work account (via something called OAuth permissions). Attackers used that trust to slip inside and reach sensitive information. The Trump administration’s new Executive Order on AI from early June emphasizes voluntary safety checks for powerful AI models before they are widely released, precisely because these systems can discover and chain vulnerabilities at high speed. 
From a Torah perspective, this mirrors the red heifer’s lesson about limits to human understanding. Rambam (Maimonides) taught that such chukim train us in intellectual humility, we follow divine wisdom even when we can’t fully explain every detail. In the same way, advanced AI systems are like complex “black boxes.” We benefit from them, but we cannot perfectly predict or control their behavior, training data, or side effects. Giving an external AI tool full access to your systems is like assuming something is pure without proper checks. The parsha warns against over-reliance on human cleverness (Balaam’s skills or our own “move fast” tech culture). Instead, it calls for careful boundaries, much like modern security ideas such as “zero-trust” to never fully trust any part of the system, even if it seems safe, and verify everything.

The Haftarah from Micah reinforces the practical takeaway: God does not want empty rituals or power plays. “He has told you, O mortal, what is good… to do justice, to love goodness, and to walk modestly with your God” (Micah 6:8). In our tech-filled world, this means building systems with real accountability, clear records of what AI does, careful limits on permissions, and honest assessment of risks from outside suppliers. We balance diligent effort (hishtadlut) with faith, protecting communities from both physical and digital harm.

Good Shabbos!

Thursday, June 18, 2026

The Fallacy of the Flattened Perimeter

Kosher Food for Thought: The Fallacy of the Flattened Perimeter

In this week’s Torah portion, Parashat Korach, we witness the ultimate challenge to authority and boundaries. Korach launches a rebellion against Moses and Aaron using a populist slogan: “For all the congregation are holy... why then do you lift yourselves up above the assembly?” (Numbers 16:3). Korach argued for a completely flat structure, contesting the necessity of specialized roles, specifically the restricted access rules that allowed only the priests to enter the inner sanctuary. His error was architectural: he conflated the collective value of the people with the operational need for structured boundaries and controlled access.

This ancient push to eliminate boundaries mirrors a massive digital security crisis. Researchers recently uncovered a massive, unsecured database containing over 24 billion plaintext records, usernames, passwords, and service credentials harvested by malicious software. When hackers steal authentication data, they effectively flatten a company's perimeter. By exploiting these stolen credentials, threat actors can bypass standard security gates. They achieve a dangerous realization of Korach's philosophy: a boundaryless landscape where any unverified outsider can instantly claim the identity and administrative privileges of a trusted insider.

The classical commentator Rashi notes that Korach was highly intelligent, yet his judgment was deeply flawed. In the Torah, structural separation is not an exercise in elitism; it is a critical safety measure designed to protect the community. For modern organizations, the lesson of Korach’s rebellion is a definitive warning against the fallacy of a flattened perimeter. In the pursuit of convenience, organizations frequently leave databases misconfigured or fail to restrict internal access. True security dictates that equality of value does not mean uniformity of system access; our digital defenses must maintain strict identity boundaries and require continuous verification to prevent total exposure.

Good Shabbos!

Wednesday, June 10, 2026

The "Free-for-Teacher" Loophole and the Limits of Delegation

Kosher Food for Thought: The "Free-for-Teacher" Loophole and the Limits of Delegation

In this week’s Torah portion, Parashat Sh’lach, we encounter the tragic turning point of the wilderness generation. The narrative begins with a divine concession: “Send for yourself men, that they may spy out the land” (Numbers 13:2). Rashi famously notes the nuance of Shelach Lecha—God is not commanding this reconnaissance; He is permitting it because the people demanded it. Moses, facing a systemic crisis of confidence from the nation, delegates this critical exploratory task to twelve tribal leaders, elites explicitly described as Anashim (men of high standing). By establishing this highly privileged, loosely managed exploratory committee, Moses inadvertently created a profound governance vulnerability. The spies were granted absolute internal network access to the Promised Land, yet they lacked the structural alignment to process what they observed without corrupting the system from within.  

This ancient failure of privileged delegation mirrors a massive, highly sophisticated cybersecurity crisis: the recent ShinyHunters breach of Instructure’s Canvas platform. In that incident, threat actors successfully exfiltrated terabytes of data and defaced portals at major institutions like Harvard and Princeton. The entry point? A feature known as the "Free-for-Teacher" program. This feature was fundamentally designed to bypass rigid institutional verification to foster accessible education. It allowed unverified users to spin up environments, act as administrators, and interact with the platform. Much like Moses allowing a specialized group to access the land under a mandate of trust rather than zero-trust verification, Canvas left a high-privilege access channel open to the public, underestimating how easily that channel could be weaponized by an adversarial payload.  

The deeper halachic and technical breakdown lies in the concept of Shelucho shel adam kemoto—a person's agent is as themselves. When we delegate authority, whether we are appointing a communal representative or writing an API integration that grants a third-party application admin rights, we create an extension of our own perimeter. The mistake in Sh’lach was assuming that because the spies were of high pedigree, their output would naturally align with the core security baseline of the nation (their faith).

In modern technology infrastructure, we routinely make the same mistake. We trust vendors, unvetted open-source libraries, or legacy administrative loopholes simply because they serve a noble or convenient purpose. The lesson of Sh’lach is that unchecked, unverified delegation—even when granted to the most elite "trusted users"—is the ultimate security flaw. True resilience requires that every agent, human or digital, be continuously authenticated, mapped to strict scopes of least privilege, and monitored against an objective operational standard.

Good Shabbos!