Articles
Long-form writing on tech, culture, and the edges of the internet.
Twelve bytes walked out of the sandbox
CVE-2026-40369 reduced a browser sandbox escape to twelve bytes. Analysis of what failed, why it failed, and what must change at the architecture layer.
Workflows are code, not config
CI workflow modification executes under repository trust. The control surface is the file. The boundary is the weakest identity allowed to merge.
Your endpoint agent is the intrusion vector.
Two Microsoft Defender vulnerabilities are under active exploitation. One grants full SYSTEM. CISA deadline June 3. What to verify now.
The zero-day wasn't the failure.
Luxembourg's national telecoms network collapsed from one Huawei zero-day. The failure was architectural, not vendor-specific. Concentration was the control gap.
Your BitLocker bypass mitigation fixes nothing yet
Microsoft shipped a mitigation for the CVE-2026-45585 YellowKey BitLocker bypass. What is confirmed, what is not, and what operators must verify.
Your privacy settings are decoration.
Privacy is no longer a default state. A former black hat defines what failed, why it failed, and what operators must now assume.
Bitsight found 6,000 unauthenticated fuel gauges online
6,000 Automatic Tank Gauges are exposed to the internet with no authentication. The protocol, the owners, and why the fix isn't technical.
CISA pushed passwords to a public repo
A top cyberdefense agency published credentials in a public GitHub repository. A control analysis of what failed and what must now be true.
Discord's E2EE doesn't make your calls private
Discord rolled out E2EE on voice and video calls. What the control covers, what it does not, and where attackers will redirect effort.
GitHub breached. Scope unknown.
GitHub disclosed an internal data breach with no mechanism stated. Operator analysis of confirmed facts, structural exposure, and required tenant action.
How GCC 4.3 deleted a NULL check in 2009
How undefined behavior in C lets compilers delete safety checks, why it drives most memory-safety CVEs, and what it means for AI-generated code.
March 2019 changed who reads binaries
Free disassemblers and decompilers changed who can audit binaries. The defender, attacker, and AI safety implications are now playing out in practice.