Glenn Sorrentino

San Francisco is about to watch another wave of private paper wealth become public money. SpaceX is preparing for a historic listing, Anthropic and OpenAI have reportedly moved toward IPOs, and the Bay Area housing market is already reacting as if the checks have cleared. The Guardian reported today that AI wealth is helping push San Francisco home prices higher, with OpenAI and Anthropic employees in the city and SpaceX wealth in the broader California orbit all part of the same speculative weather system. Axios reported this week that OpenAI had confidentially filed draft IPO paperwork, following Anthropic's reported filing and just ahead of SpaceX's expected public debut.

This is not a neutral event. It is a civic test.

The short answer is stark: 0% of the contact-form implementations we could assess demonstrated every control in our observable security standard.

The practical answer is more specific: most forms were not failing one exotic cryptography test. They were failing ordinary intake hygiene that a non-expert can understand.

• 19 of 20 forms gave other-domain JavaScript access to the form frame. This does not prove those scripts collected the message, but it means they had the technical position to read what a person typed.
• 9 of 20 forms failed the full submission-route check. Every form page used HTTPS, but only 11 also submitted to an HTTPS destination with POST.
• 1 of 20 forms sent typed data before submit. MediaTek’s form sent the synthetic email address to HubSpot’s forms.hsforms.com/emailcheck/v1/json-ext endpoint before we clicked send. We did not observe the synthetic message body, name, or phone number sent cross-site before submit.
• 17 of 20 forms avoided required high-risk identity fields. Three required fields such as phone number or detailed business identity before a user could complete the form.
• 0 of 20 forms published specific evidence of browser-side or end-to-end message encryption. HTTPS is useful, but it does not prove ciphertext storage or recipient-only access.
• 3 of 20 forms surfaced retention or deletion language on the assessed page.

When people in tech talk about whistleblowing security, the conversation usually starts with modern encryption tools and so-called best practices. Redbull worried whether having the wrong app on his phone could place him in physical danger.

WIRED reporter Andy Greenberg told the story of Redbull’s escape from a scam compound in Laos. After reading that, I talked to Redbull to get his take on the tech: what he used, how he found it, what fell apart when things got bad, and what “usable security” actually means when people are always watching.

TL;DR​

• Redbull never heard of Signal before he reached out and only learned about after a journalist replied to him.
• For him, just installing an app or having to use a real phone number could put him in danger.
• His baseline toolkit was Proton Mail/VPN, Tor Browser, and Brave.
• He said coworkers were questioned over VPN use: “He was using a VPN on his personal device, and when the bosses asked him, he gave them an excuse.”
• He didn’t try legal channels.
• Hush Line’s browser-first model (no app install required, optional Onion access) matched his need for low-friction, low-exposure messaging.

Qubes OS is widely regarded as one of the most secure operating systems available. Its strength comes from virtualization: instead of one system running everything, Qubes divides your tasks into isolated virtual machines.

I've talked to many, many whistleblowers over the years, and the story typically goes like this: see something, say something, become the problem, lose your job, face legal and financial issues, struggle to find another job. It's the paradox of whistleblowing; we valorize doing the right thing, and then attack the people who speak up. So here's another way to blow the whistle without risking everything.

Whistleblowing software adoption is on the rise. Legislation requiring companies to have internal and external methods of confidential reporting is active in the EU, and states in the US, including California, require companies to publicize the State's Attorney General's Office hotline phone number. At the same time, federal whistleblower protections are eroding at breakneck speed.

[This article is a draft and subject to update.] It's tough out there. Grants seem harder and harder to come by, and the cost of maintaining software services is ongoing. We were honored to receive a grant from the Data Empowerment Fund for $100k; it enabled us to reach a stable, robust, production-ready state, enabling our first paying customers and many more free users. But another grant we were crossing our fingers for fell through, and it's a reminder that this cannot be our primary funding source for stable, long-term infrastructure.

Hush Line is a general-purpose anonymous reporting tool that can be used across a range of industries. In this article, we'll explore how journalists and newsrooms can quickly get started with a Hush Line account that'll enable anyone with an internet connection to reach you without downloading a new app or creating an account.

One of Hush Line's strengths is offering free Verified badges to tip line owners who want to prevent phishing attacks by adding an additional measure of authenticity to their accounts...

I love Signal. I was almost their first full-time designer when the team was only four people with a physical office back in the Mission in San Francisco. I turned the offer down because I was too junior in my career to feel like I could be as effective as I knew I could be with more time at the Big Tech company I worked for...