Today on Hacker News felt like a community cataloguing the gap between promise and reality — privacy tools that leak, security protections bypassed in a week, AI systems that hallucinate drug names into patient records, and the quiet fencing-off of frontier AI from most of the world. Amid the gloom, at least 2 engineers had the sense to do something magnificently impractical: one strapped an RTX 5090 to a MacBook Air via external GPU and got it gaming on Linux through a virtual machine, another hacked Xbox 360 exploit development by reverse-engineering hard drive firmware with AI assistance. On the best days, HN is a place where dread and delight arrive in the same breath.

Security researcher arkadiyt published a step-by-step guide to physically removing the modem and GPS from a 2024 Toyota RAV4 Hybrid — not as a stunt, but as a genuine privacy intervention. Modern cars collect location, speed, sudden accelerations, eye-monitoring data, and video footage by default, with data sold to brokers like LexisNexis and Verisk. The author extracted the Data Communication Module (DCM) and GPS antenna in a few hours. The car still works fine; only cloud-based services are lost. One critical gotcha: even with the modem physically gone, connecting a phone via Bluetooth causes the car to route telemetry through the phone's data connection back to Toyota. Wired USB CarPlay doesn't trigger this, so the author uses that exclusively.

If you thought a trusted VPN would pick up the slack, this week's Mullvad finding complicates that. Mullvad is one of the most privacy-focused VPN services, operating only 578 servers (versus Proton's 20,000), and assigns different exit IPs per user to avoid piling everyone onto one address. The problem: that assignment is deterministic, not random — your WireGuard public key (the cryptographic identity your VPN client uses) seeds a random number generator that always produces the same IP position within each server's address pool. A researcher tested 3,650 different public keys across 9 servers and found they all fell into just 284 combinations out of a theoretically astronomical number of possibilities. The result: your IP positions cluster within the same narrow percentile range across different Mullvad servers, making it statistically possible to correlate sessions across servers and identify you as the same user — even if you're connecting to different locations.

The RAV4 comments delivered the necessary counterintuition. nurple pointed out that CarPlay captures its own vehicle telemetry, making the swap from Toyota's surveillance to Apple's lateral at best. aframemodular noted the irony of running a multi-hour privacy surgery and still using an iPhone. The grimmer consensus belonged to Barbing: "Guaranteed" that future integration will make this kind of modem removal physically impossible. everdrive offered rare good news — the 2024 Ford Maverick reportedly has a single telematics fuse you can pull without triggering any errors.

On Mullvad, solenoid0937 had the line of the day: "This sounds like how I'd design a VPN if I were an intelligence agency." lorenzohess pushed back on the premise — VPNs aren't designed to anonymize you against the sites you visit, that's what Tor is for. arian_ captured the absurdist fatigue of modern privacy engineering: "We keep adding layers of encryption and the metadata keeps snitching on us anyway." commenter 47282847 noted the researcher appears not to have disclosed to Mullvad before publishing, which the thread found notable.

Two major security disclosures this week share a theme: defenses more brittle than advertised.

"NGINX Rift" (CVE-2026-42945) is a critical heap buffer overflow — a memory safety bug where a program writes past the end of a reserved memory region, overwriting adjacent data — in Nginx's URL rewriting module. The bug has been present since version 0.6.27, released in 2008. It lives in a two-pass script engine: the first pass calculates buffer size, the second copies data in. A flag signaling that a URL contains a `?` character gets set on the main engine but missed during the length calculation on a fresh sub-engine, causing the copy to overflow the buffer with attacker-controlled data. Exploitation uses "heap feng shui" (carefully shaping memory layout to control which data gets corrupted) to redirect execution to arbitrary code. A proof-of-concept is publicly available.

The second disclosure is more dramatic. Security firm Calif published what they describe as the first public macOS kernel memory corruption exploit on Apple Silicon M5 hardware — surviving MIE, Apple's flagship new hardware security feature. MIE (Memory Integrity Enforcement) is built on ARM's Memory Tagging Extension, which tags each memory allocation with a secret value and crashes the program if anything accesses memory with the wrong tag. Apple reportedly spent 5 years building MIE, specifically targeting the exploit classes behind the most sophisticated iOS compromises. The Calif team found the bugs April 25, had a working root shell by May 1. The attack is "data-only" — it starts from a normal unprivileged user account, uses only standard system calls, and needs no special access. Full technical details are being withheld until Apple patches.

On Nginx: danslo added important context — the vulnerability requires a specific config pattern (a rewrite directive with `?` in the replacement string, followed by a `set` referencing a capture group), so not all Nginx deployments are exposed. The proof-of-concept also disables ASLR (address space layout randomization, a defense that randomizes where code loads in memory). Some commenters took this as a reason to relax; RagingCactus pushed back hard — ASLR is a speed bump, not a wall, and the technical writeup claims a reliable bypass exists.

On the M5 exploit: vsgherzi reasoned that a "data-only" attack sidesteps MIE because MTE only fires when code accesses memory with a mismatched tag — data corruption that doesn't cross that boundary won't trigger it. commandersaki wrote that they bought an M5 specifically for MIE and now felt foolish. isodev raised a pointed question: why isn't Apple writing more kernel code in Swift, their own memory-safe language?

An audit by the Office of the Auditor General of Ontario evaluated 20 vendors in the province's AI Scribe program — AI tools that transcribe and summarize doctor-patient conversations for medical records. 9 of 20 systems fabricated information, including diagnoses and treatment suggestions never mentioned in the simulated recordings. 12 of 20 inserted incorrect drug information into patient notes. 17 of 20 missed key mental health details. Most damning was the procurement rubric: accuracy of medical notes counted for only 4% of a vendor's evaluation score, while having a physical presence in Ontario counted for 30%.

Simultaneously, arXiv — the preprint server (a free platform where researchers share papers before formal journal review) that has become the primary publication venue for CS and AI — announced a significant policy shift. The body of this story is a tweet, but commenters confirmed the substance: authors who submit papers with hallucinated references — citations to papers that don't exist, fabricated by AI — will face a 1-year ban from the platform, followed by a requirement that future submissions first be accepted at a peer-reviewed venue. The backdrop is a flood of AI-generated academic slop that has been quietly degrading the literature.

Anthropic also launched `claude-for-legal` this week, a reference agent kit covering in-house commercial, employment, litigation, and IP workflows. The repo comes with explicit guardrails — every output is a draft requiring attorney review — but the community quickly surfaced structural tension.

Groxx's account of the Ontario situation hit hardest: diagnosed with runner's knee, their AI-generated summary said they had osteoporosis, hip pain, and difficulty walking. None of it was ever said or implied. "CHECK YOUR TRANSCRIPTS. Always." ceejayoz offered dark comfort: "Having seen a lot of medical records, 60% sounds about normal." LAC-Tech asked the key structural question: are these tools faithfully transcribing and then summarizing (which introduces compounding error), or just transcribing? The answer appears to be the former — a design choice with obvious consequences in healthcare.

On arXiv: the community was largely supportive. rgmerk wrote: "If it's not worth your time to check the output of your LLM carefully, it's not worth my time to read it." ElenaDaibunny raised the practical problem — how do you detect hallucinated references at scale on a server processing thousands of daily submissions? On Claude for Legal: droidjj, a working lawyer, flagged 2 structural issues — non-lawyer AI conversations aren't protected by attorney-client privilege, and submitting confidential client information to a cloud AI may violate professional ethics rules. IceHegel called it "a shot across the bow" for large Claude API customers in the legaltech space.

Policy writer Anton Leicht published an essay arguing that the "AI tokens will soon be abundant for everyone" narrative is being overtaken by structural forces. 3 converging constraints are limiting access to frontier AI: security concerns (capable models can enable cyberattacks or bioweapons design), compute scarcity, and increasing U.S. government involvement. Anthropic's Mythos cybersecurity model was released only to a narrow list of U.S.-based partners. OpenAI's Daybreak initiative similarly restricted frontier cybersecurity AI. Leicht's core argument: everyone outside that inner circle needs to plan around constrained access.

The counterforce arrived in the same news cycle. Salvatore Sanfilippo — creator of Redis — published a post about DwarfStar4, an inference runtime he's building to run DeepSeek V4 on consumer hardware. The primary target is Apple Silicon MacBooks starting at 96GB of unified memory, with NVIDIA CUDA support. Users in the comments reported running it on M4 Max machines and finding quality that competes credibly with closed frontier models. Separately, Anthropic published a blog post on how Claude Code navigates large codebases, making the case that agentic file system search (traversing directories and running grep in real time) beats traditional RAG-based retrieval (embedding the codebase and searching an index) because indexes go stale, though the approach requires well-structured context files to work. OpenAI pushed Codex into the ChatGPT mobile app, bringing cloud coding agents to phones.

The UK government added a different data point: it replaced Palantir's Foundry platform — used to match Ukrainian refugees with host families — with an internally built system, saving millions of pounds annually and regaining control over code and data. The National Audit Office had flagged Palantir's practice of offering free 6-month pilots to gain commercial footholds, which the government's chief commercial officer called contrary to procurement principles. Two subsequent contracts were worth £4.5m and £5.5m.

terrib1e made the sharpest counterargument to Leicht's essay — open-weight models like Qwen, Llama, and DeepSeek are months behind frontier, not years, and that gap closes fast. If you're worried about being cut off from Anthropic's API in 2027, the real question is what the open-weight landscape looks like then. sho: "All the cats are out of all the bags." BrtByte reframed what "AI sovereignty" actually means: not training your own GPT-class model, but securing compute, energy, and contractual API access.

On DwarfStar4: zmmmmm asked the strategic question underneath everything — at what point does a local model become good enough for coding that users stop paying frontier prices? FuckButtons: "It's shocking how close this feels to Claude." 0xbadcafebee questioned the engineering bet — a model-specific runtime duplicates effort that could go into llama.cpp and becomes obsolete next cycle. On UK Palantir: Centigonal explained the collapse point — once a competent internal team can integrate the data themselves, Palantir's consulting-heavy value proposition evaporates. scoot's edit to the headline: "Millions of pounds wasted by using Palantir tech."

TL;DR - Cars and VPNs both betray privacy through unexpected technical vectors; meaningful opt-out increasingly requires a screwdriver - An 18-year-old Nginx heap overflow and a first-of-its-kind Apple M5 kernel exploit bypassing hardware-level memory protections demonstrate that "secure" infrastructure always carries an asterisk - Ontario's damning audit of medical AI (9 of 20 systems fabricating diagnoses) and arXiv's new hallucination ban signal that institutions are starting to impose real consequences for AI unreliability - Frontier AI is being tiered behind security and economic gates, but capable local models and internal government builds are mounting a credible counter-argument to vendor dependence