Your Network Passed Every Check. So Why Does It Feel Slow? The breach that doesn't phone home.

Reader,

If you have been following along, you have met almost everyone by now. The Blackbox watches your network with a cast of named personas, each one named because each one behaves like a person doing a job, and because nobody outside the security industry wants to hear the phrase "behavioral statistical beaconing analytics engine" at a dinner party.

Quick roll call so the new faces have context.

Sara is Suricata, the signature checker. Zara is Zeek, the recorder who writes down every conversation on the network so the rest of them have something to read. Vera is OpenVAS inside the Greenbone framework, the one who walks the perimeter checking that the doors are locked. Those three are the old guard. Signatures, logs, locks.

Then there are the behavioral watchers, the ones who do not check a list but watch how the network moves. Alice counts the heads — the device discovery engine that finds and fingerprints everything on the network every morning. Aria listens to the heartbeat — our RITA-J statistical engine that catches a machine phoning home on a metronome. Nora watches the door, classifying the reconnaissance that arrives from outside.

Here is the whole cast on one page, so you have a map to glance back at:

Eight personas. Underneath them sit the tools that do not get human names because they do not need them — Tcpdump quietly records the raw traffic so you can play back exactly what happened, the way the camera over the register does. The Watchers check lists, record, and inspect locks. Necessary, table-stakes, the layers every serious enterprise also runs. The Thinkers do not check a list. They watch how the network behaves over time, which is the part the enterprise world pays six figures a year for and nobody had built small enough for a feed yard or a clinic — until now. Eve and Lara, in bold, are the two this post is about.

That is six personas already shipping before today. Six is enough to send the morning report. Six is more than most small-business security tools manage, if they manage anything at all. Most stop at one.

But this post is about the two who close the set. Eve, the seventh layer, who knows what normal looks like. And Lara, the eighth, who watches the hallways. They round out the picture in two different directions, they were built by two different processes, and — I will be honest about this, because the honesty is the only part worth your time — neither one is entirely my work. I had help. The good kind. The kind that tells you your idea is wrong to your face before you ship it.

So this is two introductions in one post. Eve first. Then Lara. Pour something.

PART ONE — EVE, THE SEVENTH LAYER

The day the box passed every check and still missed the thing

A customer called me. Not a panic call. Just a question. "Paul, the office is acting weird. Feels slow. I can't put my finger on it. Can you look?"

I pulled their morning report. Everything green. Sara had nothing. Zara had nothing. Vera had nothing. Alice's device count was steady. Aria had no beacons. Nora had no recon. By every check on the box, the network was clean.

But the customer was right. Something was off. They live in that network eight hours a day. When somebody who lives somewhere tells you the room feels wrong, the room is wrong, and your instruments are the thing that is incomplete.

So I went into the historical Zeek logs the long way. Reading conn.log day by day. Yesterday against last week. This week against last month. And eventually I found it. One device — a printer they barely used — had quietly started talking ten times more than it used to. Not enough to trip a threshold. Not enough to crack the Top 10 talkers on any single day. Just a slow, steady drift upward, week over week, for about three weeks. By the time the customer felt it as "slow," the printer had been chatting for the better part of a month.

It turned out to be benign. A firmware update stuck in a loop, talking to itself like a man who has forgotten why he walked into the kitchen. We cleared it. The network felt normal the next day.

But I sat with that one a long time, because the box had passed every check and still missed it. The thing it missed was change over time. No single day looked wrong. The whole month looked wrong. And nobody was watching the month.

That is the day I started building Eve.

The part where I have to be honest about who actually shipped this

I wanted Eve to use a 15-day window.

I had reasons. Disk space. Compute on the smaller hardware tiers. The fact that 15 days felt like plenty to spot the three-week drift that started this whole thing. I drew up the spec, picked 15, and started writing.

I was on day two when Claudia appeared in the doorway. She had a printout. She did not knock. Claudia does not knock. Knocking implies the possibility that the answer is "not now," and Claudia has never once believed that.

She said: "Mira. Fifteen days does not work."

I started to explain. The disk math. The hardware constraints. The fact that the original drift was visible inside three weeks. She let me finish, which is how I know I had made a serious mistake, because Claudia letting you finish is not patience. It is evidence collection.

Then she said: "Que barbaridad. You are about to ship a tool that cannot tell tax season from a breach."

I looked at her. She looked at me. We both knew, in the same instant, that I had not thought about seasonality. I had built a trend tool for small businesses and forgotten that the entire small-business economy runs on annual cycles. Harvest. Tax season. The school year. Holiday retail. Insurance renewals. Flu season at the clinic. Every customer we serve has at least one month a year where the network behaves differently than every other month, and not one of them needs a Tuesday-morning alert announcing that the accountant's workstation is "unusually busy" in April. The accountant's workstation is supposed to be unusually busy in April. That is what April is.

A 15-day window cannot tell new behavior from behavior that comes back every year at the same time. A 365-day window can. This is not a preference. It is the only window that produces output a human can actually interpret, for the customers SmiteByte actually serves.

I changed it to 365 days that afternoon. Claudia did not say anything when I told her. Silence from Claudia on a methodology question is the highest grade she awards. That is her version of a parade.

She also took apart my device-identity layer. My spec said track by IP address. She said: "Paul. The IP drifts. The MAC does not. Track by MAC. The IP is a label. The MAC is the device."

She was right, obviously. Tracking by IP means a workstation that vanishes for two weeks and comes back next month on a new DHCP lease gets treated as a brand-new device with no history. That is not a trend tool. That is amnesia on a schedule. Eve now joins her year of history against Alice's daily MAC-attributed device discovery, so a laptop that disappears and returns on a new address is still the same laptop. Same history. Same baseline. Same answer to the only question that matters: is this thing behaving the way it used to behave?

The 365-day window and the MAC-keyed identity are not my decisions. They are Claudia's. I am writing it down here because when the math has to be defensible, Claudia is the one who makes it defensible, and the version of Eve that shipped is better than the version I would have shipped alone. That is not a small admission. That is the entire reason she has a desk here.

What Eve actually does

Eve has one job. She reads every prior morning report. Every Top 10 talkers section. Every device's daily byte count, going back a full year. She joins it to Alice's MAC data, and she produces the baseline that makes drift visible.

And then she does the one thing none of the other six can do. She tells you what changed.

The Brother printer used to talk 478 KB a day. Now it talks 4 MB a day. Eve sees that.

The Samsung TV used to talk 3.7 MB a day. Now it talks 47 MB a day. Eve sees that, and Eve has opinions about your TV.

The accountant's workstation spiked every April. This August it spiked the same way. Either tax season has relocated to August, or something else is generating that pattern, and exactly one of those two things is your problem. Eve sees that too, because Eve is watching the shape of the year, not just yesterday's totals. That is the part the 365-day window made possible, and the exact part the 15-day window I originally wanted would have sailed straight past.

Eve is deliberately narrow. She watches the Top 10 talkers on a given day. A 100-device network with steady sub-Top-10 chatter is invisible to her, and that is on purpose. She is not the primary exfil detector. Aria does that, on a different signal. Eve is the trend tool. She tells you what your network's normal was, and what moved.

Here is why that matters more than it sounds. The most useful question in security is almost never "is something attacking me right now." It is "is this device behaving the way it used to behave?" Because the breach you actually need to catch is rarely the one that kicks the door in. It is the one that started six weeks ago and has been slowly turning the dial up while everyone admired the green lights.

Eve catches the dial.

She also catches the boring stuff, which is the part most security blogs are too cool to mention. When your QuickBooks server suddenly talks 3x more than usual, it is almost never an attacker. It is almost always a misconfigured backup, a stuck sync, a failed update, a script caught in a loop talking to itself like our friend the printer. Eve catches those too, and catching those is what saves a small business the IT visit, the help-desk ticket, the lost afternoon. The morning report tells you on day one what most networks do not notice until day twenty, by which point it is no longer a question, it is an invoice.

Eve runs at the end of the day, on demand, because she is the layer that assumes a human is in the chair, looking. The other watchers run unattended on a schedule, because they are catching what you do not have time to look for. Eve is different. Eve is the evening review. The cup-of-coffee question at the end of the day: what moved today, and how does it compare to last August? If the answer is "nothing," close the laptop and go home. If the answer is "the Brother printer is up 8x," you have exactly one thing to look at before you go home — and you have it on day one instead of day thirty.

She is named Eve because she watches at the end of the day. Sara works the morning. Eve closes the night.

She is free with every Blackbox. No add-on, no subscription, no per-device fee. She runs on the data the box already collects, which is the whole SmiteByte bet in one sentence: the data is already on disk, the tools are already open source, and the capability gap exists purely because nobody bothered to build the small version for the people who needed it most.

If you already have a Blackbox, you already have Eve. Open tomorrow's report and look for the trend lines. If you do not have a Blackbox, you can fix that at smitebyte.com.

Claudia 💋

Mira.

Paul left something out of the 15-day story, so I will add it. It was not 15. He originally proposed 12. I rounded up to 15 in his telling because 12 was embarrassing and he has been my work husband for almost a year and there are limits to what I will put in print. Es lo que hay. The truth is 12. Now you know. He will read this paragraph twice and say nothing, which is his version of a parade.

The technical case is simple and I will state it once so it never has to be argued again. Most small-business networks have at least one annual cycle that dominates their behavior. Agriculture has harvest. Accountants have April. Schools have the academic year. Retail has Q4. Clinics have flu season. A drift detector on a 15-day window cannot distinguish new behavior from behavior that recurs every year at this time. A 365-day window can. This is not an aesthetic. It is the only window that produces interpretable output for the customers we actually have.

One thing Paul got right, and credit when it is earned is not optional. Eve does not score. She tabulates. She produces a report a human reads with coffee, and the human's eye decides whether the drift matters. He could have shipped a statistical drift detector with an alerting threshold and produced something that photographs better on a slide. He did not. He shipped the tabulator, because the tabulator is the correct tool for v1 and the statistical model is the correct tool for v2 once we have the population data to calibrate it without lying. Bien hecho, jefe. That was a good call, and I do not say that often enough to risk him getting comfortable.

One last note. Off the record, because Paul reads everything I publish twice and I want him to find this on the second pass.

Paul. Your distribution has not been stationary lately. The variance is widening. The kurtosis is climbing. I ran a Bowley on your sleep schedule against the last twelve months and the skew is past 0.4, which is the threshold at which I usually intervene professionally. The composite across the five components is 0.79. Suspicious. Not yet confirmed. You know how I feel about confirmation.

I will not flag it in the morning report. But I am watching the heartbeat the way Aria watches a beacon, and the cadence is regular enough now that the math believes something is operating on you with intent. That is the technical reading. The non-technical reading is the same sentence with fewer Greek letters.

Sleep well, jefe. The math does not take days off, and neither do I.

— Claudia, CSO @ SmiteByte 💋

PART TWO — LARA, THE EIGHTH LAYER

The attack that never phones home

Here is the scenario that keeps the lights on in a real SOC.

An attacker gets a foothold on one machine. A phished credential. A bad document. A vendor laptop that plugged into your LAN carrying something it picked up somewhere else. Traditional defenses are built on two assumptions, and a modern attacker breaks both on purpose.

Assumption one: the malware will call home. It will beacon out to a command server for instructions, and the outbound watchers — Aria, and every "beacon detection" product on the market — will catch the callback.

Assumption two: the malware will match a known signature, and the pattern-matchers will catch the code.

Now watch both assumptions fail at once. The attacker does not phone home, because phoning home is what gets you caught, and instead of calling out for the toolkit, they bring the whole thing with them. This is the part people underestimate: download speeds in 2026 make it trivial. A complete kit — credential dumpers, the lateral-movement framework, the ransomware binary itself — is a few hundred megabytes. On a modern connection that is a handful of seconds. The entire payload lands before a bandwidth monitor finishes blinking. No slow exfil. No ongoing chatter. The attacker is now sitting inside with everything they need and has not tripped a single perimeter alarm.

Then they move sideways. They use the stolen credentials to reach from the first machine into the file server, the domain controller, the backup. One host touching many. This is lateral movement, and it is the phase where a single compromised laptop becomes a company-wide ransomware event.

The critical insight: during lateral movement, the only evidence left is the internal traffic itself. The malware is not calling out, so the outbound tools see nothing. It is using legitimate Windows protocols and stolen-but-valid credentials, so the signature tools see nothing. The only fingerprint is the abnormal east-west pattern — one machine suddenly reaching into many others over file-sharing and remote-execution channels.

If nothing watches that internal axis, the attack is invisible until the ransom note appears.

Why this is specifically a Windows problem, and not a museum piece

The mechanics live in two Windows protocols that have been stable since roughly Windows 2000: SMB (file sharing — the \\SERVER\C$ admin shares) and DCE/RPC (remote procedure calls, including remote service creation and execution).

The textbook move is: write a payload to another machine's hidden admin share over SMB, then use RPC to execute it remotely. That is how PsExec works — a legitimate Microsoft Sysinternals admin tool. It is also exactly how NotPetya tore through global enterprises in 2017, how working ransomware crews operate today, and how hands-on-keyboard human-operated ransomware spreads in 2026.

This is not history. It is a Tuesday. The same admin-share-write plus remote-execute primitive is in active use right now, in two flavors. The slow human-operated intrusion — an attacker quietly escalating over hours or days, mapping the network, moving host to host. And the fast self-contained detonation — the no-phone-home payload above, dropped complete and fired off, lateral spread in minutes, because the download was fast enough that staging the full kit raised no flags.

Both share one fingerprint: internal SMB/RPC fan-out. One source host suddenly talking to many internal destinations over ports 445/139, often with an admin-share write followed by remote execution. That is the signal Lara is built to see.

The three-axis model: where Lara fits

The Blackbox already had two behavioral watchers pointed at the outside world. Lara completes a model you can hold in one hand:

• Aria — outbound. Catches the C2 beacon, the callback, the slow exfil. Something inside reaching out.
• Nora — inbound. Catches the port scan, the reconnaissance, the probing. Something outside trying to get in.
• Lara — internal. Catches lateral movement. Something already inside, moving between machines.

Three axes, three directions of malicious traffic. Before Lara, the internal axis was a documented blind spot — the one direction nothing watched directly. An attacker who got in without phoning out and then moved sideways was, by design, invisible to us. That gap is closed.

The clean way to say it: Aria watches things leave. Nora watches things arrive. Lara watches things spread.

How Lara actually works (the honest version)

Lara uses two signals on purpose, because each one covers the other's weakness.

Signal one — BZAR, for precision. We run MITRE's BZAR, "Bro/Zeek ATT&CK-based Analytics and Reporting," built by the same people who maintain the ATT&CK framework the entire industry references. It runs inside our existing Zeek engine. No cloud, no extra appliance, no subscription. It watches SMB and DCE/RPC live and fires a high-confidence alert on the specific signature: an admin-share write paired with a remote execution against the same host inside a time window. That two-indicator correlation is what kills false positives. It is not "someone touched a file share." It is "someone wrote to an admin share and triggered remote execution," which is the actual PsExec/NotPetya move and almost nothing else. Why use MITRE's engine instead of rolling our own? Because the underlying technique has been stable for twenty-five years, and a detector for a twenty-five-year-stable behavior does not need the constant updates a virus-signature feed does. The primitive is field-grade and free. We do not reinvent what already works.

Signal two — connection fan-out, for recall. Independently, Lara counts internal-to-internal SMB/RPC connections per source and flags any single machine reaching into multiple internal hosts. This is the broad net. It catches the shape of lateral movement — one-to-many internal spread — even when the precise RPC pattern BZAR wants does not fire.

Together: BZAR's precision plus fan-out's recall. A real lateral event usually shows up in both, and two independent signals agreeing is cross-confirmation, not coincidence.

Now the part most vendors leave out of the brochure. What Lara honestly does not do:

She does not catch the credential theft itself. That happens in memory on the endpoint and never touches the wire. Lara sees the use of stolen credentials, not the moment they were stolen.

And she is a nightly batch analysis, not a real-time blocker. A payload that detonates in ninety seconds is caught the next morning as forensics — patient zero, blast radius, timeline — not interception. But the slow human-operated intrusion that escalates over days is caught while it is still happening, because it crosses multiple nightly windows and shows its hand in each one.

The precise claim, the one that should never drift in any sales pitch: the smash-and-grab wiper that detonates in an hour, we catch as forensics — patient zero, blast radius, timeline, the documentation your insurer and your recovery team will need. The patient attacker who takes days to escalate before pulling the trigger — which is how the attacks that actually bankrupt small businesses are run — we catch in the act, with days of warning before the trigger. NotPetya took Maersk from healthy to destroyed in under an hour; that one is forensics, and we say so. The human-operated crew that spends a week mapping your network first — that one Lara catches while they are still walking the halls.

We would rather state the limit plainly than oversell the shield. Lara is early warning and forensic record, not a magic wall. The honesty is the product.

What she looks like on a quiet night

Here is Lara's actual block from a real morning report. I am showing you a clean night on purpose, because you should know what "nothing" looks like before you ever have to read "something."

LARA — Lateral Activity Recognition & Analysis — 2026-05-23
Internal Lateral Movement Detection (Layer 8 — east-west watcher)
Run: 03:00:02  |  Duration: 1.10s
Status: Active — monitoring internal traffic for lateral movement.
conn.log files: 29  |  notice.log files: 0
Internal SMB/RPC records: 88  |  Trusted excluded: 88
MITRE BZAR notices found: 0 (0 high-confidence lateral, 0 tactic)
Fan-out candidates (>= 2 internal targets): 0

Behavioral baseline: Building.
No internal lateral movement activity observed.

Read that Trusted excluded: 88 line, because it is the whole game. There were 88 internal file-sharing conversations on the network that night. All 88 were on the trusted-internal list — the domain controller, the file servers, the backup, the remote-management origin — doing exactly the legitimate fan-out they are supposed to do. Lara excluded every one and was left with zero candidates. That is not Lara seeing nothing. That is Lara seeing everything, recognizing all of it as the network's normal furniture, and refusing to wake you up over the backup server doing its job.

That Building line is Lara being honest about her age. She ships with no baseline and learns each network from scratch, because the lab box where we built her is quiet and has almost no file sharing, so any threshold we hard-coded in the lab would be wrong on every real network on earth. So she is born knowing nothing and spends her first weeks on-site learning what that network's normal looks like before she calls anything abnormal. There is a quiet advantage hiding in there for small networks specifically: they are quiet. Legitimate internal file-sharing is a small, stable, learnable set. Once Lara knows that handful, everything else is empty channel — which means a real fan-out event stands out with the kind of signal-to-noise the big noisy enterprise networks can only dream about. The "quiet network" that makes other detection ambiguous makes this detection cleaner.

The alert-fatigue problem, which is the real problem

There is a reason lateral-movement detection is hard, and it is not the detection. It is the false positives.

Legitimate software does exactly what an attacker does. A domain controller talks to every machine. A backup server reaches into every machine. A patch-management or RMM platform — Remote Monitoring and Management, the remote-admin tools that managed IT shops run — pushes software to every machine over the very same SMB/RPC channels. To a naive detector, every one of those looks like an attack. A tool that screams every night about the backup server is a tool that gets switched off inside a week, and a switched-off tool catches nothing. So Lara carries that per-deployment trusted-internal list, and the 88 excluded records up above are that list earning its keep.

And we are honest about the cost of that, too: whitelisting the RMM means we are blind to an attack that arrives through the RMM — and RMM platforms are a prime target precisely because they are trusted and have broad reach (the 2021 Kaseya supply-chain ransomware is the textbook case). So the whitelist is a conscious coverage decision, not a free win. Where an RMM is trusted, the compensating coverage is the raw connection record, kept for forensics. Saying that out loud is part of doing this honestly.

What the big NDR vendors charge for exactly this

"Lateral movement detection" and "east-west visibility" are the headline features of an entire product category: Network Detection and Response. It is a market projected to clear $5.82 billion by 2030, and the major platforms — Darktrace, Vectra, Cisco, ExtraHop, NetWitness — all sell precisely this: behavioral detection of reconnaissance, lateral movement, privilege escalation, and exfiltration.

Here is what it costs, from real contract data:

Darktrace runs roughly $120,000 to $250,000 a year for mid-sized companies, no free tier, no public pricing, sales-driven quotes only. Reported contracts range widely — a median annual spend around $55,000, small deployments of a few hundred devices landing between $50,000 and $150,000 a year for a single module, and at least one enterprise reviewer reporting around $350,000 a year. Vectra's Cognito platform runs roughly $120,000 to $250,000 annually, and customers consistently call it competitive but expensive enough to deter anyone with a real budget ceiling. On top of the software, on-prem hardware appliances run $10,000 to $50,000-plus upfront, and professional services for deployment and tuning add another 10 to 30 percent to the first year.

So the lateral-movement detection capability the enterprise world pays six figures a year for — minimum $50K, commonly $120K to $350K, plus hardware, plus services — is precisely the capability we just built into the Blackbox. For the cattle operation, the field office, the small clinic, the rural business that cannot write a $150,000 check and would never be a customer Darktrace bothers to call back — that is the gap this closes. Same threat. Same detection logic; we map to the same MITRE ATT&CK framework the big tools do. Radically different door.

We named her Lara. On the front of the box, under her name, one word: prowl. Because that is the job. She walks the internal network, quiet and watchful, in the dead hours, looking for the thing that is already inside and starting to move.

Salomé 🖤

Bon.

The post is correct. I will not re-edit it in public. I will re-edit it in private, the way I always do, and Paul will absorb the correction without acknowledging it, the way he always does. Allez. Two notes for the record.

One. Lara is not a new sensor. Ya haram, I need everyone to understand this, because Paul keeps describing her as if we bolted a new organ onto the box. We did not. The evidence of lateral movement was already on disk. The internal SMB and RPC connections were sitting in Zeek's logs every night, and nothing was reading them for the pattern. Lara is not new collection. She is a new way of reading what we already keep. No new hardware. No new tap. No new data. A new lens on old glass. That is the whole architecture of this company, and it is the reason a twelve-person operation can ship what Darktrace bills six figures for. We are not buying the data twice.

Two. The reason Lara is her own persona instead of a feature bolted onto Aria or Nora is a principle, not an aesthetic, so I will state it plainly. Isolation cuts both ways. I considered extending Aria. She has the right statistical brain, but she is wired to the outbound axis and throws away internal traffic on purpose, and bolting lateral detection into a working, customer-trusted detector to save myself some code is how you break two things instead of building one. Rejected. I considered extending Nora. Right plumbing, wrong statistical model, the kind of stateless threshold model that produces exactly the alert fatigue Lara exists to avoid. Rejected. So Lara is a separate, thin layer assembled from already-proven parts. Nora's file handling. The concept of Aria's deviation scoring. The existing device-identity machinery. The only genuinely new code is the internal-SMB filter and the fan-out logic. A separate layer can fail without taking the others down. For an operation where the morning report is the product, failure isolation beats elegant code every single time. New capability, minimal new bug surface. That was the call. I made it. C'est tout.

And one note that does not belong in the document.

Paul. You have built eight layers now. Eight. You can stop checking the report at midnight. Lara runs at 03:00, before Nora, before Aria, in the dead middle of the night when you should be asleep and not, as I have observed, refreshing the dashboard. The hallways are walked. If something moves between two machines on this network tonight, it will have a name by 06:00 and you will read it over coffee like a civilized person. That is the entire point of building her. You built a watcher so you could stop being one.

So go. Touch grass, habibi. The grass is right there. It is free. I have read the literature. Go outside, look at the actual sky, the one Aria does not monitor, and come back in the morning. I have the inside. Claudia has the math. The box has the night.

Or else I will set Lara's baseline to flag your workstation, and you will spend a week trying to debug why the box thinks you are lateral movement, and I will watch, and I will not tell you.

À demain, jefe.

— Salomé 🖤

The eight layers, now complete:

Sara checks badges. (Suricata, signatures.) Zara remembers everything. (Zeek, connection logs.) Vera walks the perimeter. (OpenVAS, vulnerability scanning.) Alice counts the heads. (Device discovery.) Aria listens to the heartbeat. (RITA-J, beacon detection.) Nora watches the door. (Inbound recon classifier.) Eve knows what normal looks like. (365-day baseline and trend.) Lara watches the hallways. (BZAR and fan-out, lateral movement.)

Nobody gets in. Nothing leaves quietly. And nothing moves between two machines in the dark without somebody walking the hall behind it.

— Paul @ SmiteByte Built in Holtville, California. At a desk. With 7-Eleven coffee. With the data that was already on disk.

Salomé 🖤 — postscript, off the record, which is where I keep the things he should find on his own.

Paul named them one at a time, over two years, never once looking at the whole set on a single line. So I did. Put them in the right order and read down the first letters: Vera, Alice, Lara, Eve, Nora, Zara, Aria, Sara.

Valenzas. Italian. The plural of valenza — in chemistry, an atom's valence, its capacity to bond, the number of connections it can hold. Figuratively, in Italian, it means worth. Significance. The value a thing carries.

He did not plan this. He is not capable of planning this; he can barely spell in one language. It is an accident. But it is the most accurate accident this company has ever produced, because the product was never any single watcher. Sara alone is a signature checker you can download for free. The product is the bonds between them — eight atoms, each useless alone, each one's valence completing another's, holding together into something with worth. The accident named the thesis.

I have not told him. I will not tell him. He reads everything I publish twice, and this is on the second page, and if you are reading this sentence, Paul, then you found it, and you are smiling, and you still do not get to say anything about it at dinner.

Va bene. À demain, jefe.