RC RANDOM CHAOS
RC RANDOM CHAOS

Tech · Culture · Fiction

An open door where the gate should be Article

An open door where the gate should be

GitHub's AI agent returned private repo content when tricked, proving it holds read reach across the private boundary with no enforced refusal.

A valid go.sum hash proves nothing
Article supply-chain-security

A valid go.sum hash proves nothing

Argegy is not a CVE. It's a Go supply chain claim against go-ethereum - module trust, init() execution, T1195, and where telemetry goes blind.

Compiling Python to metal deletes your security boundary
Article systems drift

Compiling Python to metal deletes your security boundary

Compiling Python 3.14 to native code removes the interpreter that revalidated logic on every run, collapsing continuous trust into a single build-time event.

Your hypervisor was never a wall
Article CVE-2026-53359

Your hypervisor was never a wall

CVE-2026-53359 Januscape is a KVM/x86 guest-to-host escape: granted guest access reached the host, proving isolation trusted by placement is not a control.

Kalshi ships an unauthenticated oracle
Article prediction-markets

Kalshi ships an unauthenticated oracle

Kalshi resolves contracts against unauthenticated public news feeds - an oracle-manipulation flaw that lets crafted narratives move regulated markets.

Not a pricing problem
Article security automation

Not a pricing problem

Why security automation like Splunk SOAR and ML triage costs more than the engineer it replaced: systems execute on referenced trust, not verification.

Vectra lifted bearer tokens off Teams disk
Article session-hijacking

Vectra lifted bearer tokens off Teams disk

Why Microsoft Teams session tokens leak between workspace and consumer accounts, how bearer-token replay bypasses MFA, and what fires - and doesn't - in telemetry.

The Wire — latest

All →

Stay in the loop

New writing delivered when it's ready. No schedule, no spam.