Gergely HANDO
1.5K posts

@GergelyHANDO
Street and documentary photographer who hates all forms of destruction in nature, politics, and human relationships

New: Picus + @devo_Inc SIEM integration. Simulate attacks. See which Devo rules fired. Get SIGMA rules to close the gaps. Learn more: hubs.li/Q04dt_R30

⚠️ A Python sandbox for untrusted code has a 9.3 flaw (CVE-2026-5752). A Pyodide bug enables sandbox escape and root command execution. The project is unmaintained, so the issue remains UNPATCHED. 🔗 Learn more → thehackernews.com/2026/04/cohere…

Today we announced Thunderbolt, an AI client built on the same principles that have guided Mozilla for decades: user control, open standards, and individual empowerment online. As AI becomes central to enterprise operations, organizations face a critical choice: depend on proprietary services that create strategic risk, or build on open infrastructure they control. Learn more: thunderbolt.io/announcing-thu…

Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.
So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid.
Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.

‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort. When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened. It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.
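The two posts above describe the same design defect: the PIN is stored on its own, and the vault holding the identity data can be opened without it, so deleting the PIN records and re-enrolling is enough. The following added example (not code from the EU app, the posts' authors or any project; a stdlib-only model written for this page) contrasts that pattern with a store whose vault key exists only wrapped under a PIN-derived key. Everything beyond the PinEnc/PinIV/Attempts/UseBiometricAuth names taken from the posts is assumed: the APP_KEY constant, the PBKDF2 parameters, the HMAC-based seal/open_ construction standing in for AES-GCM, and the constructed identity blob.

```python
"""Why a PIN must be cryptographically bound to the vault it protects.

UnboundStore models the pattern the posts describe; BoundStore is the fix.
Names other than PinEnc/PinIV/Attempts/UseBiometricAuth are assumptions.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000
APP_KEY = b"\x11" * 32  # constructed: a key the app holds independently of the PIN


def derive_key(pin: str, salt: bytes) -> bytes:
    """PIN -> 32-byte key. The only copy of the vault key is wrapped under this."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for AES-GCM, which stdlib lacks.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag (the IV travels with the blob)."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. A wrong key or edited blob raises ValueError."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class UnboundStore:
    """The pattern from the posts: PIN kept (encrypted) in prefs, vault protected
    by an app key that has nothing to do with the PIN."""

    def __init__(self, pin: str, identity: bytes):
        self.prefs = {"PinEnc": seal(APP_KEY, pin.encode()), "Attempts": 0, "UseBiometricAuth": True}
        self.vault = seal(APP_KEY, identity)  # readable by anyone holding APP_KEY

    def unlock(self, pin: str) -> bytes:
        if "PinEnc" not in self.prefs:
            # No PIN on file looks like first run: enrol whatever was typed and carry on.
            self.prefs["PinEnc"] = seal(APP_KEY, pin.encode())
            self.prefs["Attempts"] = 0
            return open_(APP_KEY, self.vault)
        if not hmac.compare_digest(open_(APP_KEY, self.prefs["PinEnc"]), pin.encode()):
            self.prefs["Attempts"] += 1  # attacker-writable, exactly as the posts describe
            raise PermissionError("wrong PIN")
        return open_(APP_KEY, self.vault)


class BoundStore:
    """The vault key is random and stored only wrapped under the PIN-derived key."""

    def __init__(self, pin: str, identity: bytes):
        vault_key = os.urandom(32)
        self.salt = os.urandom(16)
        self.wrapped_key = seal(derive_key(pin, self.salt), vault_key)
        self.vault = seal(vault_key, identity)

    def unlock(self, pin: str) -> bytes:
        try:
            vault_key = open_(derive_key(pin, self.salt), self.wrapped_key)
        except ValueError:  # wrong PIN or tampered wrap record: no key, no vault
            raise PermissionError("wrong PIN") from None
        return open_(vault_key, self.vault)


def delete_pin_and_reenrol(store: UnboundStore, new_pin: str) -> bytes:
    """The attack in the posts: drop PinEnc/PinIV from the prefs, pick a new PIN."""
    store.prefs.pop("PinEnc", None)
    store.prefs.pop("PinIV", None)
    return store.unlock(new_pin)


def demo() -> dict:
    identity = b"constructed identity credential"  # constructed sample vault content
    weak = UnboundStore("1234", identity)
    leaked = delete_pin_and_reenrol(weak, "0000")
    strong = BoundStore("1234", identity)
    try:
        strong.unlock("0000")
        resisted = False
    except PermissionError:
        resisted = True
    return {
        "weak_leaks": leaked == identity,
        "bound_resists_wrong_pin": resisted,
        "bound_opens_with_pin": strong.unlock("1234") == identity,
    }


if __name__ == "__main__":
    print(demo())
```

The binding only removes the delete-and-re-enrol path. Brute force then comes down to the KDF cost against a short PIN, so the attempt counter and the biometric gate still matter; keeping either as a value in the same attacker-writable file, as the posts report, leaves them trivially resettable, and on Android the usual answer is to put them behind hardware-backed Keystore keys that require user authentication rather than in shared_prefs at all.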

Your phone isn’t yours. It never was. Hakeem Anwar @abovephone on surveillance, privacy-first devices, and how to opt out. Full talk in comments👇

New fresh stack just dropped! This time by @Polymutex × @Walletbeat Trying to move away from Big Tech and explore privacy-first tools? Check out this stack: deWindows / macOS → Arch Linux deChrome → @LibreWolf_Brows deGoogle → @DuckDuckGo deWhatsApp → @signalapp deGmail → @ProtonMail Storage → @fileverse + ZFS P2P → @qBittorrent Self-hosted LLM → Ollama Graphics → Krita Productivity → @n8n_io Meetings → Jitsi Passwords → @KeePassXC PDF → Danger Zone Sync → @syncthing Build your own privacy stack, bit by bit, tool by tool. For more inspiration check out all the stacks at stacks.web3privacy.info

Happy Monday aka Web3Privacy Newsletter day! Chances are, with the beginning of spring-time and weather getting warmer, you might have missed some key news. Don't worry, we got you covered! From Iran accepting Bitcoin for payments, FBI retrieving deleted Signal messages from iPhones all the way to EFF leaving Twitter. You can find it all here. Although, some people might not be able to due to censorship - and that is why we want to highlight the Freedom Browser by @heckerhut , website created to help people suffering from the strict censorship of websites & games. Other news feature @Zcash updates from @zodl_app x @jswihart, @EFF leaving Twitter/x.com, FBI retrieving Signal messages through notification legacy in iPhone or @joelthorst article Web means Freedom Software, among others. For inspiration check out @privacy_guides podcast with Cindy Cohn x @EFF or interview with @lunar_mining x @DarkFiSquad and mark your calendars for @EthPrague, Neocypherpunk Summit in Berlin or @ParisBlockWeek. For more news, podcasts and events, check the whole newsletter at news.web3privacy.info/2026-15/ Curated by @xgotchmax

#RSAC2026 may be over, but the final day takeaways are still resonating! 🚀 Day 4 was the ultimate synthesis of AI, identity and resilience – marking the shift from protection to prediction. Check out the finale sizzle reel featuring insights from @IBM, @BedrockDataAI, Geordie AI, and @ServiceNow. Watch the highlights: 📺 thecube.net/events/rsa/rsa… #Cybersecurity #AI #theCUBE #RSAC #Infosec #EnterpriseSecurity