Saturday, 02 May 2026

Uber burns its entire AI budget on Claude Code, Flock surveils children's gymnastics class, and NHS England hides its code

Today's Lead

Uber Torches Entire 2026 AI Budget on Claude Code in Four Months

Uber exhausted its entire 2026 AI budget by April, four months into the year, after rolling out Claude Code and Cursor across its engineering organization. With 95% of engineers using the tools and 70% of committed code now AI-generated, per-engineer costs ran $500 to $2,000 a month, sending leadership back to the drawing board on budget planning. The episode illustrates the budget shock that follows when AI coding assistant adoption outpaces every forecast: procurement assumptions built for cautious rollouts collapse under near-universal adoption and high per-seat consumption.

Read →

Also today

404 Media

City Learns Flock Safety Accessed Cameras in Children's Gymnastics Room as a Sales Demo — Then Renews the Contract

A Dunwoody, Georgia resident obtained public records showing that Flock Safety employees remotely accessed surveillance cameras inside a children's gymnastics room at a community center to use as a live demonstration for other police departments. The disclosure sparked community outcry over the privacy implications of granting a vendor unrestricted access to sensitive feeds. Flock committed to restricting future demos to public spaces and implementing new training, but the city renewed its contract with the company regardless — underscoring a recurring pattern in surveillance procurement where disclosed misconduct does not terminate vendor relationships.

Read →

Keep Things Open

Open Letter: NHS England Is Making All Its Code Private, Contradicting Government Policy

An open letter signed by 281 people — developers, security researchers, and public health technologists — calls on NHS England to reverse its decision to make all source code repositories private. The letter argues the move contradicts the UK government's policy that publicly-funded software should be publicly available, violates NHS Service Standard Principle 12, and trades genuine security (public scrutiny, reproducible builds) for security through obscurity. Signatories are asking NHS England to withdraw the SDLC-8 red line that mandated the closure.

Read →

metin.nextc.org

Credit Cards Are Vulnerable to Brute Force Attacks — PCI DSS Leaves a 6-Digit Gap

A researcher details a structural weakness in how card numbers are protected once they are displayed: PCI DSS permits merchants to show the first 6 and last 4 digits of a card number, so on a 16-digit PAN only 6 digits are hidden, a space of 1,000,000 values, and because the Luhn check digit sits in the visible last four, only 100,000 of those fillings can be valid numbers at all. Combined with expiration dates that are often exposed alongside the masked number and payment gateway APIs that return distinct error messages for different validation failures (wrong number, expired card, wrong CVV), an attacker can recover the full card number by submitting candidates and reading the gateway as an oracle. Merchants exempt from 3D Secure and gateways that accept incomplete card data make the attack practical at scale. A caveat for anyone checking their own exposure: PCI DSS v4.0 words the display allowance as the BIN plus the last four digits, and with eight-digit BINs the hidden span shrinks to four digits, which makes the search smaller still.

Read →
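The candidate count above is easy to verify. The following is an added example, not code from the linked article: it takes a masked 16-digit PAN with six hidden digits, enumerates every filling, and counts how many survive the Luhn check. The mask format (`X` for hidden digits) and the `424242...4242` test number are this example's own assumptions; the enumeration assumes a 16-digit PAN, so a 15-digit Amex number would need a different mask length.

```c
/* Added example, not the article's code: count the PAN candidates that remain
 * when the first 6 and last 4 digits of a 16-digit card number are visible. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ISO/IEC 7812 Luhn mod-10 check over an ASCII digit string. */
bool luhn_valid(const char *pan)
{
    int sum = 0;
    bool dbl = false;                     /* every second digit from the right is doubled */
    for (int i = (int)strlen(pan) - 1; i >= 0; i--) {
        int d = pan[i] - '0';
        if (d < 0 || d > 9) return false;
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Enumerate all 10^6 fillings of a 16-digit mask such as "424242XXXXXX4242"
 * (exactly six consecutive 'X' marking the hidden digits) and count those that
 * pass Luhn. Up to out_cap survivors are copied into out (which may be NULL).
 * Returns the survivor count, or -1 if the mask is malformed. */
long count_candidates(const char *mask, char out[][17], int out_cap)
{
    if (strlen(mask) != 16) return -1;
    int start = -1, n_x = 0;
    for (int i = 0; i < 16; i++)
        if (mask[i] == 'X') { if (start < 0) start = i; n_x++; }
    if (n_x != 6 || start + 6 > 16) return -1;
    for (int i = start; i < start + 6; i++)
        if (mask[i] != 'X') return -1;    /* the hidden digits must be contiguous */

    char pan[17];
    memcpy(pan, mask, 17);                /* copies the terminating NUL too */
    long survivors = 0;
    for (long v = 0; v < 1000000; v++) {
        long t = v;
        for (int i = start + 5; i >= start; i--) { pan[i] = (char)('0' + t % 10); t /= 10; }
        if (luhn_valid(pan)) {
            if (out != NULL && survivors < out_cap) memcpy(out[survivors], pan, 17);
            survivors++;
        }
    }
    return survivors;
}

int main(void)
{
    char first[3][17];
    /* constructed mask: a well-known test card number with its middle six digits hidden */
    long n = count_candidates("424242XXXXXX4242", first, 3);
    printf("%ld of 1000000 fillings pass Luhn\n", n);
    for (long i = 0; i < n && i < 3; i++) printf("  %s\n", first[i]);
    return 0;
}
```

The count is exactly 100,000 regardless of which digits are visible: for any choice of five of the six hidden digits, precisely one value of the sixth makes the checksum work. Those 100,000 are what the gateway oracle then has to sort through, which is why distinct error messages and missing rate limits matter more than the Luhn reduction itself.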

GitHub

Microsoft Open-Sources lib0xc: A Safer C Standard Library with Bounds Checking

Microsoft has open-sourced lib0xc, a C library providing drop-in replacement APIs for common operations with bounds checking and static safety guarantees, aimed at systems programming where switching languages is not an option. The library covers safe string functions, buffer utilities, integer conversions, and systems tools, and integrates with Clang's `-fbounds-safety` extension and strict compiler warning modes. It continues Microsoft's push toward memory-safe systems code, complementing earlier investments in Rust adoption and the Safe C++ proposal put before WG21.

Read →
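To make the "bounds-checked replacement" contract concrete, here is an added example in plain C; it is not lib0xc's API and uses its own names (`safe_copy`, `parse_int32`, `enum safe_status`). It shows the two properties such replacements provide over `strcpy`/`strncpy` and `atoi`: they cannot write past the destination, and they report truncation, junk and overflow as distinct statuses instead of silently returning a wrong value.

```c
/* Added example, not lib0xc's code: bounds-checked string copy and strict
 * int32 parsing with explicit error reporting. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum safe_status { SAFE_OK = 0, SAFE_EINVAL = 1, SAFE_ETRUNC = 2, SAFE_ERANGE = 3 };

/* Copy src into dst[dst_size], always NUL-terminating. Unlike strcpy it cannot
 * write past dst; unlike strncpy it never leaves dst unterminated and it tells
 * the caller when the input did not fit. */
enum safe_status safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return SAFE_EINVAL;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);   /* keep what fits, terminate, report */
        dst[dst_size - 1] = '\0';
        return SAFE_ETRUNC;
    }
    memcpy(dst, src, n + 1);
    return SAFE_OK;
}

/* Parse a decimal int32 strictly: the whole string must be consumed and the
 * value must fit. atoi() returns 0 on junk and an unspecified value on
 * overflow; here each failure has its own status. Leading whitespace and a
 * sign are accepted because strtol accepts them. */
enum safe_status parse_int32(const char *s, int32_t *out)
{
    if (s == NULL || out == NULL || *s == '\0') return SAFE_EINVAL;
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0') return SAFE_EINVAL;         /* no digits, or trailing junk */
    if (errno == ERANGE || v < INT32_MIN || v > INT32_MAX) return SAFE_ERANGE;
    *out = (int32_t)v;
    return SAFE_OK;
}

int main(void)
{
    char name[8];
    int32_t port;
    /* constructed inputs: one that fits, one that does not, one that overflows */
    printf("copy short:  status %d, dst=\"%s\"\n", safe_copy(name, sizeof name, "eth0"), name);
    printf("copy long:   status %d, dst=\"%s\"\n", safe_copy(name, sizeof name, "wlan0-guest"), name);
    printf("parse 8080:  status %d\n", parse_int32("8080", &port));
    printf("parse huge:  status %d\n", parse_int32("99999999999", &port));
    printf("parse junk:  status %d\n", parse_int32("80x", &port));
    return 0;
}
```

The design choice worth copying is that the status is the return value and the data goes through an out-parameter, so a caller cannot use the result without at least having the status in hand; callers that ignore it are easy to flag with a `warn_unused_result` attribute under the strict warning modes the library targets.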

mrbruh.com

Finding a Remote Code Execution Vulnerability in a TP-Link Home Router

A security researcher reverse-engineered firmware from a TP-Link TL-MR6400 router obtained from an open S3 bucket and discovered a remote code execution vulnerability in an undocumented telnet command, `mdlog prepare`, that failed to sanitize a workdir parameter — allowing shell command injection and root access. The vulnerability (CVE-2026-3841) was reported in December 2025, patched in March 2026, and publicly disclosed in April. The write-up is a practical walkthrough of embedded firmware analysis: extracting binaries, using Ghidra to identify dangerous function calls, and confirming exploitability.

Read →
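The bug class described above, unsanitized input pasted into a shell command line, is worth seeing side by side with its fix. The following is an added example and not TP-Link's firmware code: the command template, the `build_mdlog_cmd_*` names and the injection payload are all constructed for illustration. The vulnerable builder interpolates `workdir` verbatim; the hardened builder rejects anything outside a strict allow-list first. Neither version actually calls `system()`.

```c
/* Added example, not the router's code: command injection through a
 * diagnostic "workdir" parameter, and an allow-list check that stops it. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 256

/* Shared formatter. The diagnostic is modelled as a shell one-liner that
 * embeds the caller-supplied directory (hypothetical format). */
static int format_mdlog_cmd(char *out, size_t out_size, const char *workdir)
{
    int n = snprintf(out, out_size, "tar czf %s/mdlog.tgz /var/log", workdir);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Vulnerable: workdir goes straight from the telnet line into the command.
 * "/tmp;telnetd -l /bin/sh" yields "tar czf /tmp;telnetd -l /bin/sh/mdlog.tgz ...",
 * and a shell runs the second command as whoever owns the daemon (root here). */
int build_mdlog_cmd_vuln(char *out, size_t out_size, const char *workdir)
{
    return format_mdlog_cmd(out, out_size, workdir);
}

/* Allow-list: absolute path, bounded length, [A-Za-z0-9/_.-] only, no "..". */
bool workdir_is_safe(const char *workdir)
{
    size_t len = strlen(workdir);
    if (len == 0 || len > 64 || workdir[0] != '/') return false;
    if (strstr(workdir, "..") != NULL) return false;
    for (size_t i = 0; i < len; i++) {
        char c = workdir[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '/' || c == '_' ||
                  c == '.' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* Hardened: refuse anything outside the allow-list before it reaches a shell. */
int build_mdlog_cmd_safe(char *out, size_t out_size, const char *workdir)
{
    if (!workdir_is_safe(workdir)) return -1;
    return format_mdlog_cmd(out, out_size, workdir);
}

/* True if the command line contains characters a shell treats as separators
 * or substitutions; used to demonstrate that the vulnerable path emits them. */
bool cmd_has_shell_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()\n") != NULL;
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *payload = "/tmp;telnetd -l /bin/sh -p 2323";   /* constructed injection string */
    if (build_mdlog_cmd_vuln(cmd, sizeof cmd, payload) == 0)
        printf("vulnerable builder produced: %s\n", cmd);
    printf("hardened builder result: %d (-1 means rejected)\n",
           build_mdlog_cmd_safe(cmd, sizeof cmd, payload));
    return 0;
}
```

The allow-list is defence in depth, not the whole fix. The robust change is to stop going through a shell at all: invoke `tar` directly with an argv array (via `posix_spawn` or `execve`), so that a `;` or `$(...)` in `workdir` is only ever a filename character. Validation then guards against path abuse rather than command injection.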

Tangled Blog

Tangled Introduces a Web-of-Trust Vouching System to Combat LLM Spam in Open Source

Tangled, a git forge built on the AT Protocol, has launched a vouching system that lets contributors publicly vouch for or denounce other users, surfacing these signals as visual trust indicators to their immediate network during code review and contribution interactions. The mechanism is designed as a social layer against the growing wave of LLM-generated spam PRs and issues flooding open source projects — an approach where trust is earned within a community rather than enforced by a central authority. The system is intentionally lightweight: vouches are optional, include a reason field, and are scoped to one's own social graph rather than creating a global reputation score.

Read →

Texas Instruments

TI Launches the TI-84 Evo: USB-C, 3x Faster, and Python Support

Texas Instruments has launched the TI-84 Evo, the first major redesign of its flagship classroom graphing calculator in years. Key upgrades include a 156 MHz processor (3× faster than predecessors), a backlit display with 50% more graphing area, USB-C charging, and built-in Python programming support. The calculator retains its test-approved status for the SAT, ACT, AP, and IB exams, and introduces a simplified icon-based home screen alongside a new Points of Interest Trace tool for analyzing critical function points. The TI-84 line has been the de facto standard for American high school and college math for decades.

Read →

マリウス.com

Bitwarden's 2026 CLI Compromise and Years of Drift: A Case Against the Default Recommendation

A long-form critique argues that Bitwarden has drifted significantly from its open-source roots since taking venture capital, accumulating technical debt in its backend, leaving core features absent after a decade, and suffering a supply chain compromise of its CLI package via CI/CD in 2026. The author stops short of naming a single alternative, instead recommending credential compartmentalization across specialized tools based on use case — arguing that a single password manager as the keystone of all authentication is itself a structural risk regardless of vendor. The piece reflects broader anxieties about VC-backed open source tools that start community-first and gradually reorient toward enterprise revenue.

Read →

California Water Blog

AI Data Centers Use a Fraction of the Water Alarmist Headlines Suggest

A quantitative analysis by UC Davis water policy researcher Jay Lund pushes back on alarming narratives about AI data centers depleting water supplies, finding that AI-related water consumption represents between 0.055% and 0.7% of total human water use — dwarfed by agriculture's 30 million acre-feet annually in California alone. The piece does not dismiss localized concerns (particularly in water-stressed regions like Imperial County where a large data center has been proposed), but argues that policy decisions should be grounded in proportionate evidence rather than headlines that lack quantitative context. The broader lesson: AI's environmental footprint deserves honest accounting, not amplification.

Read →