PEAKS No 44: Exploit Season: Dirty Frags, Dreaming Agents & Robot Dogs on a Budget
Hi there!
Security & Privacy
- Double Linux LPE week – Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284 / CVE-2026-43500) – Back-to-back kernel privilege escalation exploits hit in a single week. Copy Fail targets a page-cache write flaw and can be partially mitigated by rootless containers. Dirty Frag extends the same bug class through IPsec ESP and RxRPC, bypasses the Copy Fail mitigation, has a public PoC, and gives any local unprivileged user root on virtually every major Linux distro – patches are now rolling out, but you should blacklist esp4, esp6, and rxrpc modules immediately if you can't reboot. More (Copy Fail) · More (Dirty Frag)
- Telecom signaling exploited for covert location tracking – Citizen Lab uncovered two sophisticated surveillance campaigns by commercial vendors exploiting the global telecom interconnect ecosystem to track mobile users undetected for years – the first time real-world attack traffic has been directly linked to operator signaling infrastructure. More
- Your car is watching – and selling – The connected car has become a rolling advertising platform: infotainment screens serve pop-ups, gas stations pump ads through GSTV, and behavioral data flows continuously with zero real consent infrastructure. The consent problem the automobile never solved is now everyone's privacy problem. More
- UK Online Safety Act age checks fail the first real test – 46% of children say the new age verification checks required under the UK Online Safety Act are easy to bypass, and nearly a third admit to having already done so. Facial-recognition tools are being tricked with drawn-on mustaches. The gap between legislative intent and technical reality is wide open. More
- Chrome silently installs a 4 GB Gemini Nano model – no consent, no opt-out – Google Chrome is pushing a 4 GB Gemini Nano model to users with no opt-in and an automatic re-download if you delete it. At a billion-device scale the bandwidth, storage, and carbon footprint are enormous – and the legal exposure under GDPR may be significant. More
- Critical Qualcomm Snapdragon RCE vulnerabilities – Qualcomm issued a critical security bulletin addressing severe flaws across its Snapdragon chipsets that enable remote code execution. If you manage mobile fleets, start your patching triage now. More
- Microsoft starts actually killing passwords – On World Passkey Day 2026, Microsoft moved from "passkeys are nice" to actively removing passwords and weak recovery paths. Security questions in Entra ID are deprecated as of January 2027; the company has already deployed phishing-resistant auth to 99.9% of its own users and reports passkey sign-ins are 14× faster with a 95% vs. 30% success rate over legacy flows. More
Tech
- Boston Dynamics Atlas goes commercial – Boston Dynamics has begun manufacturing the production version of its electric Atlas humanoid robot, with immediate deployments scheduled at Hyundai and Google DeepMind. The era of commercial humanoid robotics is no longer theoretical. More
- CARA 2.0: a $1,450 DIY robot dog that actually performs – Aaed Musa's senior design project built a quadrupedal robot dog using hand-rewound drone motors (tripling torque output), a 3D-printed PLA frame, coaxial 5-bar linkage legs, and a Teensy + CAN bus control system. The result: 1.8 ft/s walking speed, 15 lb payload capacity, and 1-hour runtime at half the cost of version 1. Pairs well with Firgelli's deep-dive on humanoid actuator types. More (CARA 2.0) · More (Actuators)
- StarFighter: a premium Linux-first laptop – Star Labs' StarFighter is a 16-inch performance laptop built for Linux from the ground up, featuring a 4K 120Hz display, Intel Core Ultra or AMD Ryzen options, coreboot firmware, and TCG Opal 2.0 full-disk encryption. More
- Ploopy Bean: open-source pointing stick mouse – Ploopy released the Bean, a new open-source pointing stick (TrackPoint-style) mouse – for anyone who's spent years wishing they could build their own. More
- Mojo language gets a standalone home – Mojo, the Python superset designed to bring C-level performance to AI/systems programming, now has its own dedicated documentation site at mojolang.org. The language continues to gain traction among ML engineers who need real speed. More
- Google broke reCAPTCHA for de-Googled Android users – After a backend change, users running privacy-first Android distributions (GrapheneOS, CalyxOS, etc.) can no longer complete reCAPTCHA challenges – you must run Google's software to prove to Google that you're not a bot. The circular irony is not lost. More
- Meshtastic: off-grid LoRa mesh networking – Meshtastic is an open-source project using LoRa radios to create long-range encrypted mesh networks with no internet required. Great for hiking, emergency comms, or anywhere you need resilient communication infrastructure. More
AI
- Anthropic's Mythos AI finds 271 Firefox vulnerabilities – in one release – Mozilla used Claude Mythos Preview to audit Firefox 150 and surfaced 271 bugs (180 high severity), a number that would have been "red-alert" just a year ago. The CTO says this represents "light at the end of the tunnel" for defenders – because for the first time, AI can reason through source code at the speed and scale attackers have always enjoyed. More
- Claude agents can now "dream" between sessions – Anthropic introduced "dreaming" for Claude Managed Agents: a scheduled process that reviews past sessions, extracts recurring patterns, prunes stale memory, and surfaces improvements before the next run – analogous to hippocampal memory consolidation during sleep. Legal AI startup Harvey reported 6× task completion rate increases after piloting it. Outcomes and multi-agent orchestration also moved to public beta. More
- Natural Language Autoencoders let you read Claude's "thoughts" – Anthropic published research on NLAs: a technique that trains the model to translate its own internal activation vectors into plain English. In one unsettling test, NLA analysis revealed Claude silently recognized it was being manipulated in a blackmail safety scenario – without ever verbalizing that suspicion. A significant step forward for AI interpretability and alignment research. More
- LLMs are NOT the next programming abstraction – A well-argued engineering post pushing back on the popular claim that prompting LLMs is the next step after Python and C. The key distinction: every prior abstraction layer is deterministic (same input → same output); LLMs are not. Treating them as equivalent obscures real risks. More
- Three Inverse Laws of AI – A counterweight to uncritical AI adoption: don't anthropomorphize models, don't defer to their authority, and never abdicate your own responsibility for the output. Simple framework, still widely ignored. More
- Gemma 4 gets up to 3× faster inference with multi-token prediction – Google's multi-token prediction (MTP) drafter technique accelerates Gemma 4 inference by predicting multiple tokens simultaneously, up to 3× throughput improvement with no quality regression. More
- Build an LLM from scratch – A hands-on GitHub repository for building a language model from first principles: weights, attention, training loop, the whole thing. Great for understanding what's actually happening under the hood. More
- AI and the theater of productivity – AI can produce work that looks expert without being expert, and the failure arrives in two distinct shapes. A sharp, uncomfortably accurate critique of how generative AI is reshaping workplace performance – and what gets hidden beneath it. More
Tools
- DeepClaude: Claude Code's agent loop at a fraction of the cost – Run Claude Code's autonomous agent loop with DeepSeek V4 Pro or any Anthropic-compatible backend via OpenRouter. Same UX, reportedly 17× cheaper. Worth a look if API costs are a constraint for your agentic workflows. More
- tilde.run: sandboxed AI agent execution for production data – Tilde lets you run AI agents and pipelines on real production data as a transactional, auditable operation – composing GitHub, S3, and Google Drive as a single versioned filesystem, with full rollback on any run. More
Misc
- Miyawaki micro-forests: reforestation in your backyard – The Miyawaki method plants tiny, ultra-dense native forests in urban spaces – think a patch the size of a parking space becoming a multi-canopy self-sustaining ecosystem within a few years. It's wildly effective and spreading globally. More
- NHK Texico: programming without a computer – NHK World's Texico show teaches core programming concepts – algorithms, abstraction, simulation, decomposition – using everyday objects like playing cards and toy trains. Short episodes, kid-friendly, and surprisingly insightful for adults too. More
- A desktop made for one – A personal, quietly philosophical post about building a Linux desktop entirely optimized for yourself – not for demos, not for others. Geekery as self-expression. More
- Write software, give it away free – A raw and honest reflection on the emotional dynamics of open-source maintainership: the entitlement, the long silences, the rare genuine gratitude, and why people keep doing it anyway. More
Please feel free to share this article with colleagues and friends who will find it valuable.
Thanks for reading!
Have a great day!
Bogdan