Alpha Raccoon Had a 22-for-23 Record. That Was the Confession.
Michele Spagnuolo is 36, Italian, lives in Switzerland, and works on Google's security team. That is, as someone noted online, an excellent dating profile. It is also, as it turns out, the beginning of a federal rap sheet. In late 2024, Spagnuolo allegedly logged into an internal Google tool — one available to all 180,000 employees — that tracked what people all over the world were searching for in real time. He wanted to know who would top Google's annual Year in Search rank

Rich Washburn
Jun 3 · 5 min read


The Moment Hardened Security Went Mainstream
For years, GrapheneOS lived in a specific corner of the internet. Security researchers ran it. Journalists protecting sources ran it. Privacy advocates who knew what "attack surface reduction" meant ran it. The average person had never heard of it, and the average smartphone manufacturer had no reason to care. That just changed. Motorola announced a long-term partnership with the GrapheneOS Foundation at Mobile World Congress in March, committing to bring GrapheneOS compatibi

Rich Washburn
May 27 · 4 min read


May 2027: What I Think We're Walking Into
I'm writing this to be read a year from now. Six predictions, grounded in what's actually happening today. The device. The agents. Physical AI. Quantum. Governance. And the one nobody sees coming. Hold me to it.

Rich Washburn
May 22 · 6 min read


One Extension. One Employee. 3,800 Repos. GitHub Just Got Wrecked.
This is not a data breach story. I want to be clear about that upfront, because the way this is being covered — GitHub investigating unauthorized access, no evidence of customer impact, monitoring for follow-on activity — makes it sound like a routine security incident. A blip. Something the comms team handles while the engineers clean it up. That is not what happened here. What happened here is a case study in the future of cyberwar. And the future looks like a poisoned VS C

Rich Washburn
May 20 · 4 min read


The Money Move: Why AI Just Declared War on Finance
Coding was the opening act. Everyone saw it happening in real time — the benchmarks shifted, the startups multiplied, the tools proliferated, and within about 18 months the entire software engineering profession had to reckon with a permanent change to its operating model. The people who paid attention early got leverage. The people who ignored it got disrupted. The same playbook just started running again. Same labs. Same signals. Different industry. The target is finance. H

Rich Washburn
May 16 · 6 min read


Meta Wrote It Down: The Company That Documented Its Own Moral Collapse
There's a version of this story where Meta made a mistake. Where some mid-level policy analyst wrote something they shouldn't have, and it slipped through the cracks of a 200-page document, and nobody at the top really knew, and when it came to light, the company fixed it immediately and everyone moved on. That is not this story. This is the story of a document that was reviewed and approved by hundreds of people at Meta — including the company's own chief AI ethicist — befor

Rich Washburn
May 16 · 5 min read


The Most Expensive Plane Ride in History Just Landed in Beijing
President Trump landed in Beijing today for the first visit by a sitting US president to China in nearly a decade. Walking down the steps of Air Force One beside him: Elon Musk. Jensen Huang. Tim Cook. Larry Fink. And twelve more CEOs representing the full weight of American industry — semiconductors, finance, defense, agriculture, energy, and consumer tech — all in one place, at one moment, for one conversation. A brass band played on the tarmac. Flag wavers lined the runway

Rich Washburn
May 13 · 4 min read


VaporVault and the 16 Billion Password Problem
I'm going to be honest — I wasn't planning to talk about VaporVault this week. But then the 16 billion credential story dropped, and a few people reached out asking if I'd seen it. And I kept thinking about this little device sitting on my desk that I built about six months ago, mostly out of frustration, mostly at 3am. And I figured — yeah, this is probably worth bringing back up. Not because VaporVault solves the breach. It doesn't. Nothing does. But it does solve the speci

Rich Washburn
May 13 · 3 min read


16 Billion Passwords Just Got Leaked. Here's What You Need to Know.
Let me be direct with you: this one is real, and it's not a drill. In June 2025, cybersecurity researchers at Cybernews uncovered 30 separate databases sitting on unsecured cloud servers — a total of 16 billion exposed login credentials. We're talking usernames, emails, and plaintext passwords, organized by website URL and ready for immediate use. Apple. Google. Facebook. VPNs. Developer portals. Government services. The footprint is so wide that the researchers couldn't name

Rich Washburn
May 13 · 4 min read


The Day Debian Drew a Line in the Sand
On Sunday, May 10th — Mother's Day, of all days — the Debian project quietly dropped an announcement that should be making headlines across every security operations center, every forensic lab, and every threat intelligence team paying attention. They made it official: Debian is going 100% reproducible. As in, every single package in the main repository. Not aspirationally. Not as a roadmap item. As policy, effective immediately. The exact quote from the release team is worth

Rich Washburn
May 12 · 5 min read


The Kill Web: Why Iran's War Plan Is Already Obsolete
Right now, as peace talks hang by a thread over the Strait of Hormuz, the most important military technology story of the decade is playing out in real time — and almost nobody is framing it correctly. This isn't a story about missiles and drones. It's a story about networks. Iran built its entire offensive doctrine around a 2024 playbook. Blind the Patriot radar. Launch the drone curtain. Saturate with cruise missiles. Exploit the cost asymmetry — $50,000 Shaheds against $45

Rich Washburn
May 8 · 4 min read


The Click Just Got Louder: Quantum Is Coming for Your Encryption First
In December I wrote about the moment before the quantum acceleration — the glide phase, the pre-click hum, the sense that all the pieces were seating themselves. The tone was optimistic. New Legos on the table. The universe as a construction set. Five months later, the click isn't just closer. It has a specific, uncomfortable target: the encryption protecting everything you do online. And the timeline just collapsed. Three Papers in Three Months In December, "Q-Day" — the the

Rich Washburn
May 5 · 4 min read


The $54 Billion Signal: AI Isn't Just Changing War. It Is War.
Last week, the Pentagon unveiled a budget request with a number buried inside it that deserves more attention than it's getting. Fifty-four billion dollars. For drones, autonomous weapons systems, and AI-driven battlefield technology. In a single year. That's more than the entire military budget of most nations on earth. It's more than Ukraine's full defense spend. And it's not the ceiling — it's the opening bid. If you want to understand where AI is actually going, don't wat

Rich Washburn
May 5 · 4 min read


The Government Isn't Flip-Flopping on AI. It's Just Moving at Government Speed.
There's a story going around right now that the Trump administration is reversing course on AI — that after spending a year tearing down Biden-era oversight, the White House is quietly rebuilding it. The framing is irresistible: political hypocrisy, a made-for-TV U-turn, the deregulators becoming the regulators. But that framing misses the more important story. What's actually happening isn't a flip-flop. It's a collision — between the speed at which AI is developing and the

Rich Washburn
May 5 · 4 min read


CopyFail: An AI Found a 9-Year-Old Bug That Roots Every Linux Machine on Earth in One Hour
There's a 732-byte Python script floating around the internet right now that can give any unprivileged user full root access on virtually every Linux machine that's been updated since 2017. No race conditions. No kernel-specific offsets. No compiled payloads. Just run it, get root. This is CVE-2026-31431 — nicknamed CopyFail — and it's already on CISA's Known Exploited Vulnerabilities list and confirmed active in the wild by CrowdStrike. The story of how it was found might be

Rich Washburn
May 4 · 5 min read


275 Million Reasons to Build With Governance Baked In
275 million users. 9,000 schools. One breach. That's the scale of what just happened to Canvas — the learning management platform built by Instructure. Student records, messages, user data — potentially exposed across nearly every major university and K-12 district in the country. And here's the part nobody wants to say out loud: this was predictable. We've spent the last three years racing to connect every platform, every tool, every AI feature to centralized identity system

Rich Washburn
May 4 · 1 min read


Polymorphic OS
Sam Altman posted two sentences this morning and 650,000 people read them. "Feels like a good time to seriously rethink how operating systems and user interfaces are designed. Also the internet — there should be a protocol that is equally usable by people and agents." Two sentences. Enormous implications and I don't think most of the people who liked it understood what he was actually saying. I replied with two words: Polymorphic OS. Let me explain what I meant. The Assumptio

Rich Washburn
Apr 26 · 5 min read


The Transparency Fix Already Exists. We're Already Building It.
The Maine legislation got a lot of reaction this week — and most of it missed the point. The ban isn't really about power. It isn't really about water. It's about the fact that legislators have no way to verify what a 20MW facility is actually doing. So they default to prohibition. That's what happens when infrastructure operates as a black box. A colleague (LinkedIn) in the industrial IoT space framed it well in the comments: policy-driven bans thrive in the "analog gap" —

Rich Washburn
Apr 18 · 2 min read


Google Just Accelerated the Post-Quantum Timeline. Every CISO Is Now a Buyer.
Last week Google quietly updated the post-quantum cryptography clock in a way that most security leaders haven't fully processed yet. Their announcement wasn't framed as a warning. It wasn't a white paper with a scary title. It was a technical update — the kind of thing that lands in an engineering blog and gets picked up by specialist press before it reaches the boardroom. But the business implication is straightforward: the timeline for quantum-capable computers to threaten

Rich Washburn
Apr 18 · 3 min read


Meta Published Their Post-Quantum Migration Playbook. Here's What It Means for Your Business.
Meta just did something most Fortune 500 companies haven't done yet: they published exactly how they migrated their infrastructure to post-quantum cryptography — in detail, with real engineering lessons, for everyone to read. The document is dense. It's written for engineers. But the implications aren't technical. They're strategic. And if you run a company that handles sensitive data, stores long-lived records, or operates in a regulated industry, this playbook is a gift you

Rich Washburn
Apr 18 · 3 min read