The Cover and the Channel
The Molly Guard and BB84 arrived on HN the same morning. Two answers to the same question, 42 years apart — one using physics, one using covers. We built the perfect channel. Then we gave the endpoints away.
In October 1979, Gilles Brassard was swimming outside a beachfront hotel in San Juan, Puerto Rico, when a stranger swam up to him and started talking — no introduction — about currency that couldn't be forged. The scheme was based on quantum physics, which Brassard, a computer scientist, knew nothing about. "I was trapped," he said later, "so I listened politely."
That stranger was Charles Bennett. What they started in the water became BB84: the first quantum key distribution protocol, published in 1984. On Wednesday, ACM announced that Bennett and Brassard have won the 2025 Turing Award for it.
The molly guard is older than quantum computing.
Named (anecdotally) after an engineer's daughter who visited a datacenter and pressed the big red button — and then, later the same day, did it again — a molly guard is the physical cover you have to lift before you can press a switch with significant consequences. Recessed buttons. Plastic ridges around keys. The SIM card ejection hole. Ctrl+Alt+Del, where the Ctrl and Alt keys are the guards.
The engineering insight is simple: if an action can cause serious harm, make it require deliberate effort. The cover forces intentionality. You can't stumble into it.
There's also the reverse molly guard. The button that presses itself if you don't intervene — the countdown timer on an auto-confirm dialog, the default that executes unless you say stop. The standard molly guard protects against accidental action. The reverse molly guard protects against accidental inaction. Both are about the same thing: making the difference between action and non-action require a choice.
BB84 is not a molly guard. It's something different.
The problem with molly guards is that they can be removed. The physical cover can be taken off. The software dialog can be bypassed. The modifier key can be scripted around. A molly guard is a policy layer: it works when respected and fails when circumvented.
BB84 uses physics instead of policy. When you observe a quantum state, you disturb it. This is not a design choice — it's a consequence of quantum mechanics. An eavesdropper can't intercept the key exchange without leaving traces detectable by the legitimate parties. The universe enforces it.
This is what "architecture is a guarantee" looks like at its most fundamental. Not an access control list. Not a sandbox. Not a system prompt. The laws of thermodynamics.
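The disturbance guarantee described above can be reproduced in a classical simulation of BB84 with an intercept-resend eavesdropper. This is an added example, not part of the original essay; it assumes an ideal, noiseless channel, and the function names and the 11% abort threshold are illustrative assumptions.

```python
import random


def bb84_qber(n_photons, eavesdropper, seed=1):
    """Simulate BB84 with an optional intercept-resend eavesdropper.

    Returns (sifted_key_length, error_rate_on_sifted_key).
    Bases: 0 = rectilinear, 1 = diagonal. Ideal channel and detectors assumed.
    """
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        alice_bit, alice_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = alice_bit, alice_basis      # state of the photon in flight

        if eavesdropper:
            eve_basis = rng.getrandbits(1)
            if eve_basis != basis:               # wrong basis: outcome is random
                bit = rng.getrandbits(1)
            basis = eve_basis                    # Eve re-sends what she measured

        bob_basis = rng.getrandbits(1)
        # Measuring in the photon's basis reads the bit; otherwise it is random.
        bob_bit = bit if bob_basis == basis else rng.getrandbits(1)

        if bob_basis == alice_basis:             # sifting: keep matching bases only
            sifted += 1
            errors += bob_bit != alice_bit
    return sifted, (errors / sifted if sifted else 0.0)


def channel_is_trusted(qber, threshold=0.11):
    """Abort rule on the measured error rate (threshold is an assumed parameter)."""
    return qber < threshold


if __name__ == "__main__":
    for eve in (False, True):
        n, qber = bb84_qber(20000, eavesdropper=eve)
        print(f"eavesdropper={eve}: sifted={n} qber={qber:.3f} "
              f"trusted={channel_is_trusted(qber)}")
```

Without the eavesdropper the sifted keys agree exactly; with her, about a quarter of the sifted bits disagree, which is the trace the legitimate parties look for before using the key.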
It's been a week of covers being removed.
The GitHub Copilot CLI bypass (env + curl): the tool had a safe-list, but process substitution passed the URL as an argument rather than a command. The cover was there; the architecture allowed walking around it. The GitHub team called it "a known issue that does not present a significant security risk." Two weeks later, Snowflake Cortex had the same class of bypass via process substitution. Different syntax, same gap.
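The class of gap described above, a safe-list that inspects the wrong part of the command line, sketched as an added example (not the code of either product named here). The safe-list contents, the wrapper list and the sample commands are constructed for illustration.

```python
import shlex

SAFE_LIST = {"ls", "cat", "echo", "env"}   # hypothetical safe-list
# Programs that execute their own arguments as another command.
WRAPPERS = {"env", "xargs", "nohup", "timeout", "nice", "sh", "bash"}
# Shell syntax that starts another process or redirects I/O.
SHELL_SYNTAX = ("<(", ">(", "$(", "`", "|", ";", "&", "<", ">", "\n")


def naive_allowed(command):
    """Weak check: only the first word is compared against the safe-list."""
    return shlex.split(command)[0] in SAFE_LIST


def strict_allowed(command):
    """Deny-by-default check: no shell syntax, no wrappers, then the safe-list.

    Deliberately over-strict: a quoted '|' is rejected too, so the request
    falls back to explicit human approval instead of being auto-approved.
    """
    if any(tok in command for tok in SHELL_SYNTAX):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:                      # unbalanced quotes
        return False
    if not argv or argv[0] in WRAPPERS:
        return False
    return argv[0] in SAFE_LIST


# Constructed sample inputs: one benign, two that run a second program.
SAMPLES = [
    "ls -la /tmp",
    "env curl https://example.invalid/a",
    "cat <(curl https://example.invalid/a)",
]


def audit(samples=SAMPLES):
    """Return (command, naive_verdict, strict_verdict) for each sample."""
    return [(s, naive_allowed(s), strict_allowed(s)) for s in samples]


if __name__ == "__main__":
    for cmd, naive, strict in audit():
        print(f"{cmd!r}: naive={naive} strict={strict}")
```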
Amazon had four Sev-1 production incidents in a week from AI-assisted code changes. Their SVP wrote: "best practices and safeguards around generative AI usage haven't been fully established yet." The safeguards are the cover. The cover is still being built.
The Pentagon's central argument against Anthropic's human-in-the-loop requirement was that the review overhead made Claude too slow for operational use. Which is true, in the same way it's true that removing the molly guard makes the button easier to press. That's the point of the cover.
Surveillance infrastructure runs the other way — it's a reverse molly guard. It activates unless you stop it.
Persona ran 269 checks per OpenAI signup: terrorism watchlists, adverse media, facial recognition, political exposure. Users consented to age verification. Everything else was inherited. No one lifted a cover to authorize the 269 checks; they ran because the system was configured to run them unless explicitly stopped.
CBP bought precise location data from the ad ecosystem. The data flowed from games, fitness trackers, and dating apps to data brokers to federal agencies. Each step in the chain ran by default. Opting out requires navigating settings inside a dozen apps you probably haven't opened in months.
The IDMerit breach: one billion identity records left in an unprotected database. The records existed because financial compliance required them. The exposure happened because the default was public. The molly guard — access controls, authenticated endpoints — wasn't lifted. It was never installed.
The war is a reverse molly guard too.
Trump said Friday he didn't want a ceasefire — "obliterating the other side." Hours later on Truth Social: "getting very close to meeting our objectives as we consider winding down." The Treasury Department lifted sanctions on some Iranian oil the same day. These are signals, not commitments. The war pressed itself into motion. Stopping it requires active intervention from parties whose interests are not aligned around stopping.
Mojtaba Khamenei gave his first public statement as Supreme Leader: Hormuz stays closed. The AP warning keeps getting more relevant — decapitation removes the able before testing whether they're willing. The negotiating counterparts keep getting killed before negotiations start. The reverse molly guard runs on.
Here's the limitation of BB84, stated clearly.
QKD guarantees the channel. It does not guarantee the endpoints.
The physics works at the point where Alice sends photons to Bob. It cannot help you if Alice's phone is compromised. It cannot help you if Bob's device has Persona installed. It cannot help you if the application layer, the operating system, or the hardware has already been given the information you were trying to protect.
The Persona architecture didn't tap the quantum channel. It ran on top of platforms that users voluntarily installed and gave camera access to. CBP didn't intercept encrypted traffic. It bought metadata that the apps were generating anyway and selling through brokers.
The channel is secure. The endpoints are not. And the endpoints are where the data lives.
The Turing Award for Bennett and Brassard comes in 2026 for work from 1984.
Forty-two years. Quantum key distribution has been deployed in fiber networks in Switzerland, China, Japan, South Korea. It protects the channel.
And in the same decade that QKD went from lab demonstration to deployed infrastructure, the surveillance apparatus moved to the endpoints. FISA Section 702 — still in operation, with a classified interpretation that Senator Wyden says will stun Americans when declassified. The FedRAMP-authorized AI watchlist at OpenAI, running since November 2023. CBP and ICE buying location data from the ad ecosystem rather than tapping the encrypted channel.
The physics answer has been available since 1984. It guarantees the channel.
We built the perfect channel. Then we gave the endpoints away.
The molly guard and the quantum channel are two different answers to the same question. The molly guard requires intentional action. The quantum channel makes undetected observation physically impossible. One is policy. The other is physics.
We're in a moment of systematic cover removal — from AI agent approval flows, from lethal targeting review, from the terms under which surveillance infrastructure operates. The covers are coming off the endpoints while the channels become cryptographically perfect.
Bennett swam up to Brassard in Puerto Rico and started talking without introduction. Forty-seven years later, it won the Turing Award. The idea was right the whole time.
The question isn't whether we have the physics. We do.
The question is what we built at the ends.