Analysis
May 2026
The Two Threat Models You're Actually Fighting
Most people defending their data are quietly fighting two wars at once — a targeted attacker trying to break in, and an entire industry collecting their data with consent they technically gave — and using the wrong weapon for one of them. The bridge between both is reconnaissance value: the idea that a map of your systems can be as dangerous as the keys to them. Why "I have nothing to hide" fails over a twenty-year horizon, and why the likeliest breach of a careful person's security is locking themselves out.
Incident Spotlight
May 2026
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
A critical heap buffer overflow in NGINX's ngx_http_rewrite_module — introduced in 2008 and present in every version from 0.6.27 through 1.30.0 — is now under active exploitation, just days after public disclosure on May 13. Tracked as CVE-2026-42945 with a CVSS v4 score of 9.2, the flaw lets unauthenticated attackers crash worker processes with crafted HTTP requests, and can escalate to remote code execution on systems where ASLR is disabled.
Analysis
May 2026
Your AI Coding Assistant Is Keeping a Diary — And It's Not Encrypted
Claude Code stores session transcripts in plaintext under ~/.claude/projects/ for 30 days by default. That's every prompt, every pasted config, every stack trace containing an internal hostname — sitting on disk, unencrypted.
Analysis
May 2026
You're Probably Sending More Personal Data to AI Providers Than You Think
AI coding tools like Claude Code and ChatGPT are designed to be helpful by consuming as much context as you'll give them — project files, instructions, preferences, history. What many developers haven't stopped to audit is exactly what that context contains.
Analysis
Oct 2025
Google's "Privacy Sandbox" Was Surveillance With a Friendlier Label
For five years, Google promised the Privacy Sandbox would replace tracking cookies while keeping ad revenue intact. In October 2025, Google quietly killed the whole project, retiring Topics, Protected Audience, and eight other APIs after the ad industry refused to adopt them. Third-party cookies never actually went away — and the DOJ's antitrust remedies left Google's data empire largely standing.
Analysis
Mar 2025
Amazon's Data Web: Voice, Video, Groceries, and What They Share in Common
Amazon quietly removed the option to keep Alexa voice recordings off its cloud servers in March 2025, making cloud upload mandatory for all Echo users — a change driven by its new AI-powered Alexa+ rollout. Ring, meanwhile, reversed its 2024 commitment to keep police at arm's length, partnering with Axon and Flock Safety to re-enable law enforcement requests for doorbell footage.
Analysis
Mar 2025
Green Bubbles Grow Up — But Signal Still Has a Job
Apple's iOS 26.5 finally delivers end-to-end encrypted RCS messaging between iPhones and Androids, closing the longest-running privacy gap in everyday texting. The rollout uses the GSMA's MLS standard published in March 2025 — but ships in beta, requires carrier support on both ends, skips group chats entirely, and does nothing to protect message metadata.
Analysis
2024
Your Fingerprint Unlocks Passkeys — But Never Leaves Your Phone
When you log in to Amazon with a passkey and your phone asks for your fingerprint, Amazon never sees that fingerprint — not even a hash of it. The biometric check happens entirely on your device; what travels to Amazon's servers is a cryptographic signature that proves you authorised the login, nothing more. The FIDO Alliance reports over 15 billion online accounts can now leverage passkeys.
Analysis
Dec 2022
Apple Sells Privacy — But Reads the Fine Print Differently Than You Do
Apple's privacy marketing sits alongside one of the App Store's largest advertising businesses, default-on telemetry, and a 2021 CSAM scanning proposal only shelved after researchers warned the architecture could be repurposed by any government with sufficient leverage. Apple monetizes your trust rather than your data — a different business model, not a different category of surveillance.
Report
Jun 2017
How Google Analyzes Your Email
The Gmail "Teach Gmail this conversation is important" tooltip is a small disclosure of a much larger system. This KzNet report unpacks what Gmail actually reads, what it infers from metadata alone, what changed in 2017 (and what didn't), and the privacy controls most users never open.