Articles
Long-form writing on tech, culture, and the edges of the internet.
No one hacked the NSA
The NSA's Mythos access loss wasn't a breach - it was a control-plane revocation by a third party. A supply chain availability failure with no patch.
Saying you built it proves nothing
A contested 'vibe code' claim shows why self-reported origin accepted without verification is an unenforced control, not a trust boundary.
The collector frees live objects
Garbage collection bugs are use-after-free in the runtime. How tricolour invariants, write barriers, and moving collectors break, and why EDR misses it.
Two thousand keys against one lock
A coordinated brute-force of 2,000 attempts against one AI assistant's credential path shows weak identity validation is a systemic boundary failure.
Cloudflare's self-managed OAuth secures nothing by default
Cloudflare's self-managed OAuth moves the enforcement point from provider to user. An unconfigured access control is an open path, not a safe default.
CVE-2009-1897 is back, now under every @bitCast
How Zig's @bitCast lowering and LLVM's optimizer can synthesize exploitable use-after-free bugs that no source review or EDR will ever see.
Every model behind an API is already leaking
Anthropic's Alibaba extraction claim isn't a model failure, it's architecture. The API boundary was never a security guarantee, and designing it is your job.
Governments collect populations, not threats
Mass surveillance is default-on collection plus retention. The unwatched baseline is gone. Operate as already collected and limit what the record resolves.
LuaJIT proposal exposes a guard-elision primitive
LuaJIT's proposed relaxed type checking elides JIT trace guards, creating a type-confusion primitive reachable wherever embedded Lua handles untrusted input.
Telemetry is the breach
Meta paused an employee-tracking telemetry program after a data leak. The real finding is embedded in-process instrumentation as a structural attack surface.
The device is the inventory
Smart TV apps embed residential proxy SDKs that turn devices into exit nodes. The trust failure lives in the build pipeline, not the hardware.
They walked out with the blueprints, not answers
Anthropic alleges Alibaba extracted Claude capabilities. The confirmed issue is structural: authenticated access governs entry, not what a party accumulates.