RC RANDOM CHAOS

Articles

Long-form writing on tech, culture, and the edges of the internet.

nginx, cve-2026-42945

NGINX ships emergency patch for HTTP/3 heap overflow

CVE-2026-42945 technical analysis: heap overflow in NGINX HTTP/3 HEADERS frame parsing, worker RCE primitive, telemetry gaps, and patch boundary.

6 min read
CVE-2026-42945, NGINX

Patching nginx doesn't close this one

CVE-2026-42945 NGINX rewrite module heap buffer overflow: bug mechanism, exploit primitives, MITRE mapping, and EDR telemetry blind spots in worker exploitation.

6 min read
critical infrastructure, board governance

Russian hands on Polish water valves

A board-level read on Russian-linked activity against Polish water utilities and what it means for directors governing critical services.

8 min read
burp suite, open source security tools

A new tool is not a replacement

An open-source Burp alternative was built. Capability, stability, and handling of intercepted material are not confirmed. Verify before adoption.

5 min read
2fa bypass, ai threats

AI just broke 2FA at scale

AI was used to develop a zero-day 2FA bypass deployed at mass scale. The control's economic assumption has been falsified in the wild.

7 min read
LLM engineering, AI validation

arXiv just raised the bar

arXiv's one-year ban on unchecked LLM errors signals a shift: validation pipelines, not better prompts, now define competent AI systems.

11 min read
2fa bypass, identity security

Attackers weaponized AI to bypass 2FA at scale

A reported AI-developed zero-day 2FA bypass in mass use removes the assumption that 2FA terminates the account takeover chain.

7 min read
LLM engineering, AI systems design

Complexity theory never said that

Complexity theory does not prove human-level ML is impossible. Here is what the theorems actually say and how to design AI systems around real constraints.

8 min read
exchange zero-day, vendor trust

Your patched Exchange is already compromised

Microsoft confirms an Exchange zero-day under active exploitation. What the warning establishes, what it does not, and the defender posture required now.

7 min read
connected vehicle security, myAudi

Audi wired vehicles into a consumer auth flow

Audi Connected Vehicle security from an operator view: the boundary is no longer the key, it is the identity layer behind the myAudi app.

8 min read
face id bypass, biometric security

Face ID was never the control

A reported Face ID bypass via avatar collapses the liveness assumption. Every downstream control trusting the boolean inherits the failure.

7 min read
fragnesia, linux privilege escalation

Fragnesia is already loose

Fragnesia Linux privilege escalation has a public PoC. The kernel trust boundary is conditional on patch state. What must now be true.

8 min read