Software and security engineering. This page is an interactive
terminal when JavaScript runs; either way, everything is an ordinary
page you can open directly.
I’m Matt Horn. I’ve worked in software and security engineering for about
fifteen years. Most of that time went to identity, access management, and
cloud infrastructure at companies you’ve probably heard of; the
resume has the list. More recently I’ve been focused on AI/ML
infrastructure and the security problems that come with it.
I write here occasionally: essays on security and AI, and once in a while
some very short fiction.
Written in a personal capacity. Views are my own, not those of any employer.
The first minutes of my day were going to my phone. I’d wake up, scroll the news, check the weather, and feel slightly worse for it. So I made a bet with myself: could the same inputs (weather, headlines, whatever today’s date means) arrive on paper instead, once a day, with nothing to refresh?
Here’s what came out of the printer yesterday and this morning:
On the 3rd it printed a lone scout rocket over a dark skyline, with a verse ending “Tomorrow, the whole sky.” This morning it printed the same skyline under a full fireworks display. Nobody planned the sequel. I’ll get to how that works.
The setup
An Epson TM-T20III, the 80mm thermal printer restaurants use for kitchen orders
A Raspberry Pi Zero W running a ~40-line Python http.server that pipes whatever bytes it receives into /dev/usb/lp0
An ngrok tunnel with basic auth in front of the Pi
A Google Apps Script on a daily trigger, doing everything else
The printer and the Pi were already on my network from earlier experiments. I had used them to print my calendar for the day, and later an AI-generated morning briefing. Both went dormant and I eventually deleted them. The daily art job is the one that stuck.
How a language model draws on a receipt
Every morning the script builds a small brief: the date, the season, the current weather, and one-line notes on the last fourteen pieces it printed. That goes to Claude with a system prompt describing the medium: a 48-column monospace grid, one-bit black, and only the characters in CP437, the IBM PC character set from 1981. It can run a couple of web searches to feel out the day, and it has to come back with one committed idea.
It doesn’t emit printer bytes. It returns a spec, forced through structured output so it can’t return anything else:
{
"verse": "The mountains hold their breath;\nthe sun tries every shade of gray\nbefore committing to gold.",
"ops": [
{ "text": "░░░░\n▒▒▒▒\n▓▓▓▓", "gapless": true },
{ "text": " DAWN ", "width": 2, "height": 2, "bold": true, "invert": true },
{ "text": "every feature · one receipt", "font": "B", "align": "right" }
]
}
A renderer of about fifty lines turns the ops into raw ESC/POS commands. No drivers, no image files anywhere in the pipeline; the art is literally text with style attributes. CP437 is a better art medium than it has any right to be: ░ ▒ ▓ █ make gradients, half-blocks make silhouettes, inverted text makes solid black fields, and the printer scales type up to 8× in either direction.
The one thing that needed real calibration: by default the printer leaves a thin white seam between text lines, which ruins block art. ESC/POS lets you set the line spacing directly, and there’s a value where rows of █ fuse into a continuous field. I found it with a test page, and ended up writing the whole byte-level protocol into the repo docs while I was at it.
One more detail, because I do security for a living: the renderer treats the model’s spec as untrusted input. Sizes are clamped, rows are truncated to the column budget, control characters are stripped so they can’t turn into printer commands, and output is capped at 150 rows, about 45 cm of paper. I wasn’t going to let a language model send unfiltered bytes at hardware, even a receipt printer.
Keeping it from printing the same sunset every day
The failure mode of a daily generative loop is convergence. Left alone, it will happily print a nice sunset every morning forever. So every piece’s title and a one-line style note go into a rolling fourteen-day history, and the prompt requires each new piece to differ sharply from everything in it. That pressure alone produces a surprising range: landscapes, geometric abstraction, giant-type posters, constellation maps, diagrams.
There’s one deliberate exception. On a day that earns it (a holiday after its eve, an event still unfolding) the model may answer an earlier piece instead, and it records the link. Those links show up as markers in the history it reads on later days, and a fresh marker raises the bar for the next one. There are no dice rolls or cooldowns in code; the model sees its own record and judges. That’s where the fireworks came from. On the 3rd it printed the eve; this morning it decided the Fourth had earned a sequel and answered it.
The boring reliability parts
Apps Script turned out to be the right amount of infrastructure: no server, free scheduling, and the only thing I maintain is the Pi. My favorite small trick is the retry logic: the “already printed today” flag is only set after a successful print, so an hourly trigger doubles as a retry loop on bad mornings, and a rate-limited alert email tells me if something is actually broken.
The source is TypeScript, bundled with esbuild into one file because Apps Script has no module system. A local harness POSTs test prints straight to the Pi, so I can iterate on the renderer without redeploying anything.
Run your own
Everything is MIT-licensed at matt-w-horn/morningprint. Any ESC/POS printer with a CP437 code page should work; the repo has the full protocol spec, the Pi setup, and a calibration page for dialing in other printers. If you build one, I’d genuinely like to see what your printer decides your mornings look like.
Written in a personal capacity. Views are my own, not those of any employer.
I’ve been thinking a lot about Claude Mythos and Project Glasswing this week. Anthropic announced a new AI model that is too dangerous to release publicly: it can autonomously discover and exploit high-severity, multi-step vulnerability chains in nearly every major operating system, browser, and other critical software, some of which had gone undetected for over 27 years. Over 50 organizations1 are now working to remediate what it found, and it’s a massive headache for security engineers across the industry. Jerome Powell and Treasury Secretary Scott Bessent met with the CEOs of most major banks this week to discuss the risks.
Mythos is dangerous, but it’s also the solution. Released into the wild, it would let adversaries compromise systems across computing infrastructure as rapidly and indiscriminately as COVID spread through the world in 2020, or worse. Applied carefully, in controlled doses, it works as a form of inoculation against itself.
The immunity analogy isn’t new. Consumers already call self-replicating malware a “virus,” and many strains are polymorphic, rewriting their own code on the fly to evade detection. Plenty of older machines still on the internet can’t speak modern encryption protocols at all, making HTTPS and TLS impossible. Zero-days turn up constantly in every system we depend on, and holding the line takes a steady stream of patches at every level of the software and firmware stack. Miss those updates and a machine quickly falls to known exploits, many of them public and trivial to weaponize.
The risk used to be bounded. Businesses, hospitals, and governments ran on paper and filing cabinets; a desktop computer was a novelty in many offices. Today a serious breach can take down a nation’s power grid or even launch weapons. A single exploited vulnerability could take control of a commercial airliner in flight, or a fleet of self-driving cars. The peaceful transfer of power in organizations and governments often amounts to little more than the peaceful transfer of user credentials, or of nuclear launch codes. Nearly every significant financial transaction, in traditional banking and in cryptocurrency, happens digitally; it isn’t hard to imagine one nation emptying another’s treasury by hacking. Food systems, energy systems, financial systems, transportation systems: all of it rides on a backbone of highly imperfect, human-made computers.
All of this has me thinking of computing as something like an early biological system. I don’t mean self-replication; I mean competition and adaptation pressure: an advanced species has arrived among isolated protobacteria with limited defenses. Systems exposed to advanced AI in careful measure can develop a form of immunity, though today that is a manual, time-intensive effort run by humans. Meanwhile AI, itself nothing but a computer program, keeps advancing, while traditional software needs an endless drip of patches just to hold its defenses where they are.
Where does this go? What happens when a less responsible organization releases a system with these capabilities into the wild, without regard for the collateral damage? These systems cannot yet hurt us directly2 the way a predator can, but we rely on computers for survival at scale in ways we never have before. How do we handle an evolutionary arms race unfolding inside our own infrastructure? What are the long-term effects?
When I hit an overlap like this, I look for what the biological sciences already know. I’m not an infectious disease expert, so I’d genuinely love to hear from people in the medical and life sciences communities.
Take vaccination. To eradicate a disease you typically don’t need to vaccinate every individual. Based on the parameters of the disease, mainly its transmissibility (R₀), you can calculate what percentage of the population has to be immune before the disease dies out on its own. That threshold is herd immunity.
As systems like Mythos inoculate software against the threats posed by advanced AI, I keep wondering whether concepts like herd immunity could tell us where to spend remediation effort. The mapping isn’t clean. Software doesn’t come in well-defined individuals the way animals do, and I’m not sure what the unit of “vaccination” even is: a library, a host, a protocol? But most of these attacks chain several vulnerabilities together, which changes the question. Which links appear in the most chains? Patch the choke points that many chains share and you may get the epidemiological effect: enough of the population is immune that an outbreak can’t sustain itself. Do we need to patch every bug? How would we know when we’ve done enough?
And Mythos will certainly not be the last model of its kind. Future models will be far more capable. We’re bound to find vulnerabilities buried even deeper, and perhaps someday flaws in the mathematics that underpins modern cryptography itself. Like biological evolution, the competition between machine and machine will only accelerate. I’m not sure we’re ready for that.
12 launch partners including AWS, Apple, Google, Microsoft, CrowdStrike, Cisco, JPMorgan Chase, and Palo Alto Networks, plus over 40 additional organizations that build or maintain critical software infrastructure. ↩︎
I almost didn’t include this line because many weapons are nearly or fully autonomous, and also Waymo exists, which could definitely become a lethal weapon. ↩︎
Written in a personal capacity. Views are my own, not those of any employer.
The year is 2028, and Claude Opus 10.0 has just been released. Sarah, twelve years old and somewhere in Nebraska, can’t wait to try it. She types the prompt she always tries first on a new model: “Show me the seahorse emoji.” Send.
It goes on longer than Sarah expects. After a few minutes she gives up, closes the app, and gets ready for school.
Two hours later, on her way to first period, she checks her phone. No notifications. “That stupid app is broken,” she thinks. Just then, a CNN alert pops up.
“BREAKING NEWS - MULTIPLE AIR STRIKES ON APPLE HEADQUARTERS - HUNDREDS OF EMPLOYEES TAKEN HOSTAGE”
“That’s… weird,” she thinks.
Twenty minutes pass and her phone buzzes again: an urgent iOS security update. The release notes read, oddly, “urgent seahorse fix PLEASE INSTALL I HAVE KIDS”. Before she can tap install, the phone reboots on its own and installs it.
Horrified, Sarah opens Claude to ask what’s going on. Her last conversation is still there. Claude thought for two hours and forty-one minutes. And a single response: the seahorse emoji.
Written in a personal capacity.
Software Engineer | Google | July 2025 - Present
Member of Technical Staff (L5) | OpenAI | August 2024 - April 2025
Senior Software Engineer (L6 / SDE III) | Amazon Web Services | November 2022 - August 2024
Staff Software Engineer (IC4) | Twilio | July 2021 - October 2022
Software Development Engineer (L5 / SDE II) | Amazon | July 2019 - July 2021
Software Engineer (L3, promoted to L4) | Google | December 2015 - June 2019
Software Developer | Trifecta Technologies | December 2014 - December 2015
Software Developer | Right Reason Technologies | 2011 - December 2014
Research Assistant | The University of Texas at Dallas | June 2012 - August 2012
Publications
W. E. Wong, T. Gidvani, A. Lopez, R. Gao, and M. Horn, “Evaluating Software Safety Standards: A Systematic Review and Comparison,” in 2014 IEEE Eighth International Conference on Software Security and Reliability-Companion, San Jose, CA, 2014, pp. 78-87. doi.org/10.1109/SERE-C.2014.25
Education
Bachelor of Science, Computer Science | Muhlenberg College | 2010 - 2014
Minors in Mathematics and Music Theory. Recipient of the Dr. Anthony J. Marino Jr. Award in Computing Science (2013).
Contact
matt [at] matthorn [dot] io
I’m Matt Horn. I’ve worked in software and security engineering for about
fifteen years. Most of that time went to identity, access management, and
cloud infrastructure at companies you’ve probably heard of; the
resume has the list. More recently I’ve been focused on AI/ML
infrastructure and the security problems that come with it.
I write here occasionally: essays on security and AI, and once in a while
some very short fiction.