Complete static archive of GigaTap articles about VPN, privacy, OPSEC, and security.
- Microsoft’s accountability signal for cloud and AI vendors - EFF points to Microsoft’s Israel controversy as a sign that human rights commitments need consequences, not just review paperwork.
- Musk Lost Against OpenAI. The Governance Fight Did Not End - Musk’s lawsuit over OpenAI’s nonprofit founding commitments failed, but the result should be read narrowly unless the court record says more.
- Musk lost to OpenAI. The governance question did not - MIT Technology Review says Musk lost his suit over OpenAI’s nonprofit status. The ruling narrows one legal fight, but the trust model around AI labs remain
- Open Source Security Needs More Than Code - An OpenSSF podcast episode shows why public learning, documentation, and community work are real supply chain security contributions.
- Policy as code works best before cloud changes ship - AWS’s guidance on pattern-based policy as code shows how teams can catch routine cloud governance failures before deployment, without pretending pre-deploy
- Privacy Should Not Be Set in a Product Meeting - EFF’s latest note is a reminder that privacy risk is often decided before users see the product. The issue is bigger than one Meta feature.
- Tor tests crypto funding for internet freedom tools - Tor and Funding the Commons launched a crypto-native matching campaign for privacy, anti-censorship, and public-interest infrastructure projects.
- AI agents need architecture, not bigger prompts - Google’s Agent Bake-Off lessons point to a practical pattern: split agents into scoped parts, design for replacement, use protocols, and keep deterministic
- AI coding agents need boundaries, not just prompts - Docker’s warning is vendor-framed, but the core issue is real: coding agents often inherit developer privileges and can act faster than teams can review.
- Arti 2.3.0 pushes Tor’s Rust rewrite deeper - The Tor Project’s Arti 2.3.0 release adds logging and RPC work, raises macOS support requirements, and continues development toward relay and directory aut
- Azure Local CVSS 10: check disconnected deployments - NVD lists CVE-2026-42822 as a maximum-severity improper authentication flaw in Azure Local Disconnected Operations. The public detail is thin, but the expo
- Canada’s Bill C-22 tests the line on encrypted messages - Bill C-22 is moving through Canada’s Parliament with lawful-access powers that CDT says could threaten end-to-end encryption through secret compelled acces
- Censorship needs evidence before it can be challenged - Tor Project’s OONI work shows why public internet measurements matter when blocks, throttling, and shutdowns are made to look like ordinary failure.
- Chrome 148 for iOS lands: update, but don’t overread it - Google released Chrome Stable 148 for iOS with stability and performance improvements. The note does not name a CVE or active exploit.
- Civic space pressure in Kenya and Rwanda reaches ACHPR - ARTICLE 19 used the African Commission sessions to warn about protest policing, surveillance, cybercrime laws, and media pressure in Kenya and Rwanda.
- Copilot can now propose fixes for failed Actions - GitHub added a one-click Copilot cloud agent flow for failed Actions jobs. Useful for CI triage, but teams should keep review boundaries clear.
- CRA readiness is becoming an open source supply-chain test - OpenSSF’s CRA warning points to a practical gap: teams need inventory, vulnerability handling, and clear responsibility for OSS in products.
- Critical lwIP SNMP bug: check embedded exposure - CVE-2026-8836 affects lwIP up to 2.2.1 in SNMPv3 USM parsing. The key question is whether vulnerable SNMP code is present and reachable.
- Security Changed. Neglected Basics Still Break It - A Dark Reading retrospective shows how cyber models evolved while many breaches still exploit old hygiene gaps.
- Surveillance Pricing Moves Into New Jersey’s Policy Lane - EPIC backed a New Jersey bill targeting surveillance pricing. The key issue is not only data collection, but how hidden profiling can shape the price a con
- TeamPCP Hits the Build Chain Again - SANS ISC reports a confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI.
- YellowKey Shows the Risk in Default BitLocker - A reported BitLocker zero-day requires physical access, but that is exactly the scenario full-disk encryption is supposed to handle. The key issue is TPM-o
- AI-Assisted Exploits Move From Theory to Operations - GTIG says it identified a zero-day believed to be AI-developed, pointing to a more mature phase of AI use in adversary workflows.
- AI code review meets live infrastructure - Cloudflare tested Mythos and other security LLMs on live infrastructure code. The useful lesson is not autonomy, but where model-assisted review needs cont