Plutonic Rainbows

The small brick electricity substation behind the shops was one of the first places where ordinary suburbia admitted it had a dangerous interior. Not a factory, not a railway line, not a derelict house with boards over the windows. Just a low municipal block with a metal door, a fence, weeds in the gravel, and a yellow sign that did not bother with euphemism.

Danger of death. The phrase had the bluntness of a spell.

I remember these buildings as local shrines to adult knowledge. They sat at the edge of shopping parades, council estates, playing fields, and service roads, near enough to be part of childhood geography but never available for use. You could press your face to the mesh and see almost nothing: ceramic insulators, grey cabinets, a warning plate, perhaps the hum if the afternoon was quiet. The point was not secrecy. The point was that the real work of the place happened without any human scale attached to it.

That is why the old electricity safety films landed so hard. The BFI record for Play Safe - Frisbee dates it to 1978 and gives the plot in almost perfect miniature: a girl urges a boy to enter a sub-station to retrieve a Frisbee. Another BFI record for Play Safe - Kites and Planes names David Eady as director, the Electricity Council as sponsor, and Brian Wilde in the cast. These were not gentle lessons. They were tiny moral panics with voltages attached. They belong to the same teatime culture of calibrated fear.

The fright worked because the setting was already familiar. Every child knew a substation, or thought they did. It was where the ball went. It was where the older boys pretended they had climbed in. It was where the council grass stopped being grass and became infrastructure. Public information films did not invent the terror; they gave it editing, music, and a corpse.

The adult version is less theatrical and more revealing. National Grid explains that substations change voltage so electricity can move across the network and then become usable again. Electricity may leave a power station at around 10 to 30 kV, get stepped up as high as 400,000 volts for transmission, then stepped down through the system for ordinary appliances. EMFs.info describes local distribution substations as the common near-home sort, transforming higher voltage electricity to normal mains voltage, with many hundreds of thousands of similar sites across the UK, each typically serving up to a few hundred houses.

That should make them banal. Instead it makes them stranger. The substation is the exact point where an abstraction becomes domestic: national power, bills, kettles, immersion heaters, bedroom lamps, the television warming up after school. A whole house enters through a forbidden brick kiosk nobody visits unless something has gone wrong.

Historic England's utilities guide is useful here because it refuses to treat such structures as invisible by default. Its electricity section notes that local sub-stations, distribution kiosks, and pylons can carry design or landscape significance; it also points to Moore Street Electricity Substation in Sheffield, listed Grade II for architectural interest. That is the part I like. The ugly little building is not automatically outside culture. Sometimes it is culture with a padlock on it.

Online maps have made service spaces more legible, though not less odd. You can now search, label, photograph, and complain. The old uncertainty has thinned out. A place that once existed as a warning sign and a neighbourhood rumour can become a pin, a planning document, a street-view angle. Yet the mood survives, because legibility is not intimacy. Knowing what a substation does does not make it welcoming.

The substation was not hidden. It was worse than hidden: visible, labelled, fenced, and unexplained. Children knew it mattered because adults had made it ugly on purpose, then surrounded it with the vocabulary of death. I am not sure childhood needed that much fear, but I do miss the seriousness it gave to small places. There was a time when a brick box behind a parade of shops could feel like the edge of the known world.

Anthropic's new cyber-abuse post is less alarming for its biggest numbers than for a small taxonomic failure. The company mapped a year's worth of banned malicious-use accounts against MITRE ATT&CK, the security world's familiar grid of tactics and techniques, and found places where the grid simply doesn't name what is happening.

That sounds dry until you remember what ATT&CK is for. It gives defenders a shared language. Initial access, privilege escalation, lateral movement, command and control: the point is not literary precision, but operational agreement. If everyone can point to the same box, the incident becomes easier to describe, compare, detect, and rehearse. The box does work.

Anthropic says it looked at 832 accounts banned for malicious cyber activity between March 2025 and March 2026. Malware writing appeared in 560 of them. Lateral movement appeared in 54. The companion analysis from Anthropic's Frontier Red Team puts the wider set at 13,873 observations across 482 unique techniques and all 14 ATT&CK tactics. That is a lot of apparently ordinary bad behaviour, and the ordinary part matters. Most abuse is not cinematic. It is scripts, prompts, retries, payloads, scaffolding, small accelerations.

However, the awkward phrase in Anthropic's post is that ATT&CK "does not fully capture" AI-enabled behaviour. Their sharper example is agentic orchestration: a model not just helping with one step, but coordinating a sequence, choosing tools, interpreting the result, and deciding where to pivot next. Anthropic's red-team write-up puts it more bluntly: there is no ATT&CK ID for that.

I don't read that as a knock on MITRE. Old maps fail first at the edge of new terrain. The unnerving part is not that attackers are using models to write malware. Security teams already knew that was coming. The sharper problem is that the old map starts to lie by omission once the model is deciding what the next move should be.

This is where the story folds back into Claude Mythos and Project Glasswing. Anthropic has spent the week arguing, in effect, that powerful cyber-capable models have to be put near defenders before attackers get the same class of help. The Glasswing expansion gives vetted organisations access to Mythos in power, water, healthcare, communications, hardware, and other sensitive sectors. The MITRE post explains why that argument is not only about finding more bugs. It is about updating the conceptual equipment before the incidents arrive faster than the language.

The rise in Anthropic's own risk scoring is the least poetic version of the same point. Medium-or-higher risk activity rose from roughly 33 percent to 56 percent across the period the red team studied. I am suspicious of any single metric in security because the counting method always carries a worldview, but this one is useful as a signal of motion. The abuse is not merely more frequent. It is becoming more capable in the places where capability changes the work: persistence, sequencing, adaptation.

The AI-worm research published this week gives the idea a harder edge. A team from the University of Toronto, the University of Cambridge, and others described agents that generate tailored attack strategies for each target in a testbed of Linux, Windows, and IoT devices. Gizmodo's account says the prototype could dynamically detect device-specific flaws and propagate with varied tactics, although it was slower than traditional worms in the isolated network. Five days to reach half a test network is not science fiction speed. It is also not comforting.

What bothers me is the silence of it. Not stealth, exactly. Silence as an interface condition. The old image of a cyber incident still has a human at a keyboard somewhere, perhaps tired, perhaps competent, walking a path through a system. Agentic abuse changes the texture. The operator may become less like a driver and more like someone setting a machine loose with preferences.

That is why the missing box matters. A taxonomy is not a defence, but it tells defenders what kind of thing they think they are defending against. If the model is doing orchestration, adaptation, and real-time choice, then "malware writing" is too small a label. It names the artefact, not the behaviour. It is like describing a burglar as a person who manufactures lock picks, then forgetting to mention the walk through the building.

Anthropic's IPO filing made the company look newly public-facing, even before any public prospectus exists. This work pushes in the other direction, toward the older, stranger role of a lab naming a danger before the rest of the industry has stable grammar for it. I trust that role only partly. Private labs are not neutral cartographers. Still, sometimes the map has to change because the road has already moved under it.

MiniMax has put a million-token context window back on the table, but this time the interesting part is not the size by itself. We have had large windows before, usually presented like luxury architecture: a bigger room, a longer table, more space for the transcript, the codebase, the PDF nobody wants to read properly. M3 arrives with a different implication. The window is large because the model is being sold as an operating surface for agents.

The official M3 announcement dates the release to 31 May and describes the model as natively multimodal, with image and video input, desktop-computer operation, coding work, and agentic benchmarks in the same paragraph. The API docs list MiniMax-M3 with a 1,000,000-token context window and describe it for agentic reasoning, tool use, coding, and long-context tasks. A big window used to sound like a special room. MiniMax is treating it as ordinary plumbing.

That is a shift worth taking seriously even if some of the claims still need the usual independent patience. WinBuzzer's coverage notes the same broad shape: frontier coding, a 1M-token context window, native multimodal processing, OpenAI-compatible endpoints, and promised weights within ten days. MiniMax's own benchmark sheet gives M3 59.0% on SWE-Bench Pro, 66.0% on Terminal-Bench 2.1, and 74.2% on MCP Atlas. Those are not tiny decorative numbers. They are a statement about where the company thinks model comparison has moved: not only chat quality, but whether the thing can sit inside a messy software loop and keep working.

I wrote in February about MiniMax's M2.5 pricing, where the unsettling detail was not just that the model was good, but that it made the premium on closed American systems look less inevitable. M3 pushes the argument into a slightly different place. Cheap capability was one pressure point. Cheap memory, cheap tool use, and cheap multimodal context are another. If those three move together, the product category changes under everyone's feet.

There is also the China question, because pretending it is separate would be odd. The recent export-control fight around Chinese AI subsidiaries is about compute access, ownership, and the routes by which restricted chips can still reach useful work. A model like M3 does not dissolve that problem. However, it does make the software side harder to dismiss as merely catching up. The pressure is not only on hardware supply. It is on the story Western labs tell about why their closed stacks deserve the margin.

The promised open weights matter here, assuming MiniMax ships them on the stated timetable. An API-only model can be impressive and still remain a service. Open weights make the claim travel. Developers can test it in awkward conditions, not only in the neat corridor of a launch blog. They can find out whether the million-token window is useful, whether the agentic scores survive real projects, whether multimodal input becomes anything more than a checkbox.

The danger is getting hypnotised by the number. A million tokens sounds decisive until you have watched a model lose the thread inside a smaller space. Context is capacity, not judgement. Still, capacity changes behaviour. Teams stop chopping tasks into little offerings. They paste the logs, the repo, the spec, the screenshot, the old decision memo. They ask the model to live with the mess instead of pretending the mess can be summarised away.

That may be M3's actual news. Not a new throne on the leaderboard, not another launch-week chart, but a reminder that the cost of room is falling. Once room gets cheap, people use more of it, and the systems built around scarcity start to look strangely ceremonial.

Gianni Versace's Spring 1991 show has a strange advantage over many louder fashion moments from the same period: you can understand it from a distance. The Marilyn faces, the James Dean faces, the colour, the hard outlines, the almost impolite clarity of the image. It doesn't need an explanatory caption before it starts working on you.

That was not the same as being simple. Vogue dates the collection to October 7, 1990, in Milan, and its archive notes how wide Versace's art net was that season: Sonia Delaunay, Victor Vasarely, Russian Constructivists, Vogue covers, Pop culture, all dragged into the same bright room. He gave Vogue the useful sentence himself: "To use art in a flat way, without creative intervention, is in bad taste." I like the defensiveness of that line. It admits the danger. It also tells you he knew exactly where the charge was.

The Warhol-derived Marilyn Monroe and James Dean prints could easily have been a stunt, the kind of museum-shop cleverness that ages before the hanger cools. Instead they became one of the clearest images of the supermodel decade, not because the references were rarefied, but because they were already public. Versace did not borrow Pop Art to look clever. He used it because fame had become material.

That is where the collection sits beside the house's other early-nineties arguments. I wrote about the March 1991 finale as a runway event that made the models feel inseparable from the collection, and about the backstage engineering of a later Versace season in Eight Hands to Get Dressed. Spring 1991 is the print version of the same instinct. The runway isn't merely showing clothes. It is laundering mass imagery through the body until the image looks newly expensive.

The Met's record for a Gianni Versace evening dress from Spring/Summer 1991 is almost comically dry by comparison: silk, glass, gift of Gianni Versace, 1993, Costume Institute object number 1993.52.4. Museum language does that. It turns a screaming dress into catalogue grammar. However, the dryness helps. It reminds me that this was not just a memorable runway photograph drifting around Pinterest; it was an object with weight, material, donor history, and a place in an institutional archive.

Christie's gives the other afterlife. A Gianni Versace Couture suit from the same Spring/Summer 1991 moment, allover Marilyn Monroe and James Dean imagery, with rhinestone and silk embroidery trimming the jacket pockets, sold in the Elizabeth Taylor sale in 2011 for $20,000. That detail feels exactly right. The thing moved from runway to celebrity wardrobe to auction lot, and each stage made the original idea more literal. Fame wearing fame, then fame sold as provenance.

I am wary of calling the collection a collaboration with Warhol, since the interesting part is not a neat artist-designer partnership anyway. The interesting part is how Versace understood repetition. Warhol had already made the famous face into a mechanically repeatable surface. Versace put that surface back onto a moving famous body, and the loop became almost too perfect: Marilyn, Dean, Naomi, Gianni, Taylor, Donatella reissuing the prints in 2018 at the Milan Triennale, the archive learning to sell its own shock back to itself.

Some clothes become historical because they solve a construction problem. Others because they catch a social one before it has proper language. Spring 1991 did the second. It recognised that glamour no longer needed to pretend it was separate from media saturation. The dress could be the magazine, the model, the artwork, the souvenir, and the advertisement in one go. Too much, probably. That was the point.

LaserDisc did not make films interactive. It made them addressable. That is a smaller claim, and probably a more interesting one, because so much of modern viewing now depends on the idea that a moving image is not only watched but indexed, searched, paused, sampled, resumed, and dragged around by its spine.

The format arrived in the United States as MCA DiscoVision in 1978, then moved into the LaserVision and LaserDisc names around 1980. It looked absurdly physical by later standards: a 30cm optical platter, roughly the size of an LP, with a video signal laid onto a surface that had to be handled with the wary ceremony of something expensive. Yet its strangest legacy is not the disc itself. It is the numbering.

LaserDisc had two basic personalities. CLV, or Constant Linear Velocity, gave you about an hour per side on a 12-inch disc. The player slowed the rotation as the laser moved outward, from 1800 rpm near the inside to around 600 rpm near the edge, keeping the read speed steady. CAV, or Constant Angular Velocity, kept the disc spinning at 1800 rpm and gave you only about 30 minutes per side, but in return it exposed the film as a sequence of reachable images. Still frame, slow motion, forward and backward stepping, repeat playback, fast track: these were not decorative features. They were a different contract with time.

That distinction matters because CLV did not contain image numbers in the same way. It was the sensible format for watching a feature without getting up quite so often. CAV was wasteful, fussy, and wonderful. It treated the film as a numbered object. A remote control with a keypad could become a little index machine, and the film stopped being a tape you dragged through by friction. It became a thing you could summon by address.

I don't want to overstate it. LaserDisc menus were not DVD menus in waiting, fully formed and merely waiting for the plastics to shrink. LaserDisc was cruder and, in places, freer. The number went in. The player went there.

There is something bracing about that directness. We tend to remember the DVD era as the moment home video became navigable, but LaserDisc had already taught collectors, schools, museums, and people with too much patience that video could be handled as an archive. Not metaphorically, either. A CAV side was a set of frames with addresses. The tradeoff was visible in the object: half the running time, more sides, more interruptions, a machine asking you to care about its internal method.

That is the bit that survived. Not LaserDisc as a consumer format, because it never became cheap or convenient enough to win the room. What survived was the expectation that images should answer to us. Click a chapter. Scrub a bar. Pause a stream and expect the frame to wait without tearing itself into noise. The floppy save icon kept the outline of a dead storage medium on every toolbar. LaserDisc left a less visible fossil: the assumption that moving pictures have coordinates.

Streaming has made that assumption feel natural, almost beneath notice. The interface is cleaner now, which means the machinery has become harder to see. No one has to choose CAV and lose half a side of capacity just to get a clean still. No one listens for the player to hunt across a vast silver disc. The frame arrives because of buffers, codecs, manifests, caches, and a progress bar that pretends all of this is just a line.

Maybe the old nuisance was useful. A LaserDisc player made the compromise legible. If you wanted proper access to the image, you paid in minutes, sides, shelf space, and the ridiculous dignity of standing up halfway through a film to turn over the future.

The Trump administration has found the narrowest possible verb for AI oversight: ask. Not require, not license, not hold. Ask. The executive order signed today creates a voluntary route for developers of covered frontier models to provide access before release, for up to 30 days, so trusted partners can test for advanced cyber capabilities and the government can work out where the next class of risk begins.

That sounds small until you remember what the model release calendar now looks like. A lab can spend months on a capability, then decide who sees it, which customers are safe enough, which governments should be briefed, and whether a red-team finding is a reason to pause or a reason to add another filter. I wrote earlier about Anthropic's Mythos expansion into infrastructure, where the same question appeared in operational clothes: if a system can find serious vulnerabilities at scale, keeping it in a vault is not obviously safer than putting it in the hands of people who run the pipes.

The order is trying to stand in that uncomfortable place without admitting it is standing there. The White House text sets up classified benchmarking for advanced cyber capabilities, tells agencies to define thresholds for covered frontier models, and creates an AI cybersecurity clearinghouse within 30 days. It also says the review channel must not be read as a mandatory licensing, preclearance, or permitting system. That sentence is doing a lot of political work.

NBC describes the mechanics plainly: the government wants early access to the most powerful systems before public release, but the testing depends on voluntary collaboration from companies such as Anthropic, OpenAI, and Google. NPR's version adds the useful bit of recent history, that an earlier draft gave the government up to 90 days and the final order cut that to 30. TechCrunch puts the narrowing down to industry objections and late-May pushback, including David Sacks' concern that the draft could slow American firms against China. None of this is surprising. It is the entire problem in miniature.

A review that is mandatory becomes a licensing regime, even if nobody uses that phrase. A review that is voluntary becomes a norm, and norms are only as strong as the incentives around them. If the biggest labs participate, the smaller ones will be judged by their absence. If the biggest labs refuse, the order becomes a laminated request on federal stationery.

The strange thing is that both outcomes move power without quite moving law. The government is asking for a look inside the machine before the rest of us meet it, while insisting the request is not a permit. The labs keep the release calendar, the model weights, the product messaging, and most of the practical knowledge about what the thing can do. Somewhere between those two facts sits the public, learning about dangerous capability after the paperwork has already found a softer name for it.

Maybe that is the only workable first step. I don't mean that as praise. The alternatives are ugly in different ways: a licensing state that freezes the field around incumbents, a market that treats cyber capability as another launch-week metric, or a voluntary club whose rules harden quietly because no one in Congress can write the real ones fast enough.

This is not a general debate about "AI safety" floating above the industry. It is a bargain being shaped around named systems, named labs, and named agencies, with critical infrastructure as the moral pressure point. The phrase voluntary review sounds almost polite. The thing underneath it is more basic: who gets to see the dangerous part first, and what happens if they don't like what they see.

Anthropic's dynamic workflows let Claude Code write a script that fans a task out to dozens or hundreds of subagents, then runs it in the background while your session stays free. Turn on ultracode with /effort ultracode and Claude stops waiting for you to ask. It plans a workflow for every substantial task, often several in a row: one to understand the code, one to make the change, one to verify it. This is the most powerful mode the tool has, and the one most likely to flatter you into believing scale is the same thing as progress.

The pricing is honest if you actually read it. Each subagent burns its own tokens, so a hundred agents working a hundred files costs roughly a hundred times what one agent on one file does. Ultracode compounds that by turning a single request into a chain of workflows. Anthropic caps a run at 1,000 agents with 16 running at once, which stops a runaway loop while doing nothing about the cost of a run you fully meant to launch.

The orchestration is real engineering. The plan lives in a JavaScript script the runtime executes on its own, away from the conversation, so intermediate results stay in variables instead of clogging Claude's context. Agents editing files in parallel can each be handed their own git worktree, a private copy of the repo, so two of them never write over the same line. Nothing improvises; the script decides what runs next.

That is the gap the caps don't cover: they protect you from accidents, not from intent. The machinery guarantees the agents won't collide, but it has nothing to say about whether you needed a hundred of them. A weak plan doesn't get better when you run it in parallel; it just gets more expensive to be wrong.

Anthropic has decided the safest place for its most restricted model is not a vault. It is a larger, supervised room full of people who run things that break badly. On Tuesday, the company said Project Glasswing will expand from roughly 50 early partners to about 150 additional organisations in more than 15 countries, with Claude Mythos Preview pointed at code that sits under power, water, healthcare, communications, and hardware.

That sounds like a rollout, but the word is too clean. This is a controlled spread of capability that Anthropic itself treats as dangerous enough to gate. Each new organisation has to meet its security requirements before access. The point is not that Mythos can write better incident reports or draft friendlier Jira tickets. The point is that it can find vulnerabilities at a scale human teams can't comfortably absorb.

The numbers have the unpleasant brightness of a successful stress test. Anthropic says the initial partners have found more than 10,000 high- or critical-severity flaws since the early April launch. In a separate open-source scan, the company reported 23,019 potential vulnerabilities, with 6,202 estimated as high or critical. Of 1,752 high- or critical-rated findings that were independently reviewed, 90.6 percent were true positives.

That is impressive, obviously, and also a workload generator with a safety label on it. CyberScoop quoted Anthropic's own description of the new bottleneck: the "human capacity to triage, report, and design and deploy patches." I don't think that is a footnote. It is the story. Security has spent years saying that defenders are outnumbered by attackers, by legacy systems, by badly maintained dependencies, by the sheer amount of code that modern life has made ordinary. Now a lab has built a machine that can make the backlog visible faster than the institutions can fix it.

There is a strange moral inversion here. If a powerful vulnerability-finding model stays inside the lab, the defenders remain underpowered. If it leaves, even under a vetted programme, the circle of people who can operate it gets larger. I wrote in April about the earlier Glasswing fight, when the politics around Mythos looked like a contest between private access, national-security anxiety, and a government that wanted the tool close while worrying about everyone else using it. Today's announcement doesn't dissolve that tension. It formalises it.

The partner list is also doing political work. Anthropic's launch page named AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks among the launch partners, with up to $100 million in Mythos Preview usage credits and $4 million in donations to open-source security groups. SecurityWeek, citing the Financial Times, says the new wave includes organisations such as Okta, Samsung, ENISA, and NATO. Dark Reading reported on ENISA's likely access a day earlier, framing it as the result of cooperation between the European Commission and Anthropic. Put less politely: this is becoming infrastructure policy by customer list.

That may be the only practical route. Nobody wants the model handed around casually. Nobody serious wants critical software maintainers to keep finding flaws at human speed if attackers are going to get similar tools. So the answer becomes a club: enough members to matter, few enough to audit, with security requirements standing in for public law.

The awkward timing is that Anthropic is also trying to become legible to public markets. Yesterday's confidential S-1 filing made the company look less like a private research lab and more like a systemically important vendor preparing for quarterly scrutiny. Glasswing makes the same argument in operational form. If Claude is now part of how governments, banks, cloud providers, and infrastructure operators think about software risk, then the old category of "AI company" starts to feel too small.

I don't have a neat objection to the expansion. The alternative is not purity. It is slower discovery, quieter defects, and the hope that adversaries remain less capable than the people patching the pipes. Hope is a poor patching strategy. Still, this is a hard thing to watch without noticing how much authority is moving into private coordination: who gets access, which vulnerabilities get prioritised, whose infrastructure counts as globally important, and how quickly the rest of us hear about the bugs already found.

Prada's Spring 1996 show looks almost deliberately difficult in archive photographs: avocado greens, muddy browns, awkward sandals, prints with the suburban cheer drained out of them. It doesn't have the instant legibility of Versace sex or Chanel's logo theatre. Even the title, Banal Eccentricity, sounds like a private joke told by someone who expects you to work a little.

That was part of the force. Prada's own archive lists the show as SS 1996 womenswear, with the runway broken into exits like evidence. Vogue dates the collection to 1 October 1995 and describes the palette around avocado greens, sludge browns, mixed clashing prints, and sandals that seemed to resist prettiness on principle. I like that phrase, resist prettiness, although it risks making the clothes sound pious. They weren't pious. They were odd, dry, and sometimes funny.

Miuccia Prada had already made luxury behave strangely. She took over the family company in 1978, and the nylon backpack of 1984 had done something quietly rude to the old leather-goods hierarchy. Nylon was not supposed to be the material of desire. It was supposed to carry gym shoes, rain, airport irritation. By the mid-90s, that same intelligence had moved onto the body: ordinary fabrics, sour colours, deconstructed shapes, the kind of domestic pattern that looked as if it had escaped from a kitchen curtain and found itself in Milan.

AnOther's account of mid-90s Prada gets the shock of it right. The show has become folklore as the moment avocado, ochre, chartreuse, turquoise, lilac, and brown turned from bad taste into a proposition. Kristen McMenamy opened; Amber Valletta, Kate Moss, Shalom Harlow, Kirsty Hume, and Carolyn Murphy followed. Marcos Valle's "Rio Boogie" played underneath, which is a detail I enjoy because it gives the whole thing a lightness the clothes sometimes refuse. There was music, movement, models with faces fashion already knew, and still the collection would not do the expected glossy thing.

The easy reading is that Prada made ugliness chic. True enough, but too neat. Ugly chic was not just a reversal, as if she had taken an ugly object and stamped beauty on it. The better trick was making taste feel unstable. A brown could be ugly in one room and exact in another. A Mary Jane could read schoolgirl, dowdy, perverse, clever, or all four by the time it reached the end of the runway. The collection didn't ask to be liked. It made liking look like the least interesting response.

nss magazine's history of ugly chic notes the 1950s patterns, Mary Janes, dreadful purples with avocado greens, and muddy browns, and also repeats the strange show-day detail of a bomb scare at Prada headquarters. That almost sounds too symbolic, the literal threat arriving before the aesthetic one, but fashion history is full of these impolite coincidences. Editors still went. The show mattered enough to risk being late, or frightened, or both.

Alexander Fury later called Miuccia Prada the master of "ugly", arguing that she makes the undesirable desirable. That is close, though I think the verb "desirable" smooths the texture too much. Desire is part of it, yes. So is embarrassment. So is the tiny social panic of noticing that the thing you dismissed as wrong has started to organise the room.

What survives from Spring 1996 is not merely a colour story or a shoe shape. It is a permission slip for fashion to mistrust its own good manners. The collection made taste look less like an instinct than a learned reflex, and once you see that, the whole polished surface gets less convincing. A bad green starts doing philosophy. A clunky sandal becomes an argument with the mirror.