Supply chain attack on Ledger that taps display via SPI using MCU, looks at character glyphs known beforehand, uses cellular modem with tiny built-in antenna.
https://grandideastudio.com/portfolio/security/ledger-hardware-implant/
(Note that with this implant the STM<->secure element is compromised here)
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
ZKPs /zkSNARKs over VMs are insane enough to understand, not to mention over quantum circuit that really I couldn't get my cryptographer professional friends to actually explain how you are supposed to verrify THAT.
Once we got ECDSA right after many many years, we are pushed onto LWE and other lattice schemes, and lots of really untested math because of "post quantum". Again withou anyone specialized I can trust in this really knowing - whether the Google's proof is just pipe dream of theoretical something, great mask via the ZKP on the the "solution"
Groth16 is still the gold standard for succinct SNARKs: 128-byte proofs, constant-size verification, and a decade of real-world deployment. But despite its ubiquity, almost nobody explains *why* it works the way it does. In this post, we build Groth16 from the ground up, starting from R1CS and QAPs, then layer in pairings, trusted setup parameters, and the separator tricks (α, β, γ, δ) that make the scheme sound. By the end, you should have an intuitive grasp of every term in the final verifier equation.
Anonymous credentials - that which should be according to specification in the "age verification wallets" with zero-knowledge proof, but isn't (it's demo with disclaimer "DO NOT USE, DEMO ONLY", but EK doesn't care, Europol needs data)
To illustrate how anonymous credentials work, here are two nice writeups:
https://blog.cryptographyengineering.com/2026/03/02/anonymous-credentials-an-illustrated-primer/
Anthropic's Claude Desktop silently installs a Native Messaging bridge into seven Chromium browsers, including browsers Anthropic's own documentation says it does not support, and browsers the user has not even installed.
I may regret this at some point, but I felt the need to put down in writing how I feel about this moment in the tech industry.
It is not kind. You may well be insulted by it. If you are... then you really should question yourself.
lcamtuf 
🌹 𝐫𝐮𝐳𝐚 ✅
(eng🇬🇧)
Larry Garfield
q3k 