RC RANDOM CHAOS

Tech · Culture · Fiction

Cloudflare's self-managed OAuth secures nothing by default
Article

Cloudflare's self-managed OAuth moves the enforcement point from provider to user. An unconfigured access control is an open path, not a safe default.

Governments collect populations, not threats
Article mass surveillance

Mass surveillance is default-on collection plus retention. The unwatched baseline is gone. Operate as already collected and limit what the record resolves.

LuaJIT proposal exposes a guard-elision primitive
Article luajit

LuaJIT's proposed relaxed type checking elides JIT trace guards, creating a type-confusion primitive reachable wherever embedded Lua handles untrusted input.

Telemetry is the breach
Article telemetry security

Meta paused an employee-tracking telemetry program after a data leak. The real finding is embedded in-process instrumentation as a structural attack surface.

The device is the inventory
Article residential proxies

Smart TV apps embed residential proxy SDKs that turn devices into exit nodes. The trust failure lives in the build pipeline, not the hardware.

They walked out with the blueprints, not answers
Article trust boundaries

Anthropic alleges Alibaba extracted Claude capabilities. The confirmed issue is structural: authenticated access governs entry, not what a party accumulates.

Victim types the password, attacker keeps the token
Article session-fixation

CVE-2023-4714 session fixation (CWE-384) explained: how attackers plant a session ID, bypass MFA, what fires in telemetry, and why rotation alone is not enough.
