RC RANDOM CHAOS

supply chain security

42 posts

The rubric graded an empty chair
Article

The rubric graded an empty chair

Brown's AI cheating scandal is not a student failure. It is an assessment system that resolves trust by reference and never revalidates the reality behind it.

A valid go.sum hash proves nothing
Article

A valid go.sum hash proves nothing

Argegy is not a CVE. It's a Go supply chain claim against go-ethereum - module trust, init() execution, T1195, and where telemetry goes blind.

Alibaba bans Claude Code across its engineering org
Article

Alibaba bans Claude Code across its engineering org

Alibaba's reported ban on Claude Code is a trust decision, not a CVE. Why an agentic coding tool's sanctioned egress is also its exfiltration path.

crustc ports rustc to C and voids every safety proof
Article

crustc ports rustc to C and voids every safety proof

Translating rustc to C strips Rust's compile-time memory-safety guarantees and reopens out-of-bounds writes, UAF, and type confusion in the toolchain.

Spain rips Palantir out of its data pipelines
Article

Spain rips Palantir out of its data pipelines

Spain's Palantir blacklist is a supply chain concentration risk - a privileged vendor data plane mapped to MITRE T1199, and why customer telemetry stays blind.

Log4Shell executed exactly as written
Article

Log4Shell executed exactly as written

Log4Shell, xz-utils, and Spring4Shell weren't isolated bugs. They were composition failures in systems too deep for anyone to fully read. The disease is complexity.

Your three memory vendors are one vendor
Article

Your three memory vendors are one vendor

A US lawsuit alleging memory price fixing by Samsung, SK Hynix, and Micron exposes an unverified control: supplier independence assumed, never validated.

Springer Nature unpinned two papers, no log
Article

Springer Nature unpinned two papers, no log

Springer Nature removed two Max Planck studies. The real exposure is a research supply chain with no integrity log - the same trust gap as CI/CD poisoning.

California registers 3D printers it can't instrument
Article

California registers 3D printers it can't instrument

California's 3D printer registry concentrates reconnaissance data on a fleet of uninstrumented endpoints. The real gap is telemetry and data governance.

No one hacked the NSA
Article

No one hacked the NSA

The NSA's Mythos access loss wasn't a breach - it was a control-plane revocation by a third party. A supply chain availability failure with no patch.

Compiling a Rust crate runs the author's code.
Article

Compiling a Rust crate runs the author's code.

crates.io federates all publish identity to GitHub, turning one account takeover into build-time code execution across every downstream Cargo project.

Your build trusts whatever it can find
Article

Your build trusts whatever it can find

A build system executed code because a name resolved, not because content was verified. How trust attaches to the reference and outlives the artifact.