Augusto Bortoluzzi

15.1K posts

@augustob333

kinda polymath person - only techy tweets here.

Texas, USA · Joined June 2015
4.6K Following · 569 Followers
Augusto Bortoluzzi retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
⚠️ FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root Source: cybersecuritynews.com/freebsd-dhcp-c… The FreeBSD Project has released a critical security advisory addressing a severe flaw in its default IPv4 DHCP client. Tracked as CVE-2026-42511, this vulnerability allows a local network attacker to execute arbitrary code as root, granting them complete control over the compromised machine. The core issue resides in how dhclient(8) processes network configuration parameters from DHCP servers. When a device joins a network, it requests IP configuration data. The DHCP client takes the provided BOOTP file field and writes it to a local DHCP lease file. #cybersecuritynews
Augusto Bortoluzzi retweeted
Ole Lehmann
Ole Lehmann@itsolelehmann·
POV: claude traveled 6 months into the future and told you exactly how your next move failed. it's called a premortem. daniel kahneman (nobel prize-winning psychologist behind "thinking fast and slow") called it his single most valuable decision-making technique. google, goldman sachs, and procter & gamble all use it before major launches. here's the problem it solves. when you ask claude "is this a good plan?" it finds all the reasons to say yes. that's what it was trained to do. so you walk away feeling confident. you execute, and spend weeks / months building on top of that plan. then it blows up. and you realize the problem was obvious in hindsight, you just never stress-tested it because claude told you it was solid. a premortem fixes this by flipping the frame. instead of asking "what could go wrong?" you tell claude "it's 6 months from now and this is already dead. tell me how it died." that shift turns off claude's optimism because there's nothing to be optimistic about. the premise already says it failed. so claude stops looking for reasons your plan will work and starts explaining how it fell apart. claude comes back with every way your plan could die, each one with a full failure story and the early warning signs to watch for. then a synthesis pulls it all together:
> which failure is most likely
> which failure is most dangerous
> the single biggest hidden assumption you're making (often the most valuable part)
> a revised version of your plan with the gaps closed
you say "premortem this" and give it your plan. the skill handles the rest.
Augusto Bortoluzzi retweeted
International Cyber Digest
International Cyber Digest@IntCyberDigest·
‼️🚨 NEW RESEARCH: Fiber-optic cables can be turned into a hidden microphone and used for eavesdropping. Researchers from Hong Kong's PolyU and CUHK just proved it works in real conditions. The paper was presented at NDSS 2026, one of the top cybersecurity conferences in the world.

When someone talks in a room, the sound waves cause tiny vibrations in everything around them, including the thin glass fiber that runs into your apartment from your internet provider. Those vibrations slightly disturb the laser light traveling through the cable. If an attacker plugs the other end of that cable into a special device called a Distributed Acoustic Sensing system, they can read those tiny disturbances and turn them back into recognizable speech. The problem for the attacker: a normal fiber lying along your baseboard is not sensitive enough on its own. Sound fades too fast in the air, and the fiber is too thin to pick it up. So the researchers built a small device they call a "Sensory Receptor." It is basically a 65mm plastic cylinder with about 15 meters of fiber wound around it. The cylinder catches and amplifies sound waves enough for the fiber to register them. Crucially, it is small enough to hide inside the same little plastic junction box your internet installer leaves on the wall to manage extra cable.

What the attack can actually pick up:
🔴 Daily activities (typing, walking, snoring, washing dishes): 83% recognition accuracy
🔴 Where in the room a sound is coming from: accurate to within about one meter
🔴 Spoken words at meters from the receptor
🔴 In a real office test, with the receptor hidden in a fiber box and the attacker 50+ meters away in another room, around 80% of the conversation was recoverable

Why this attack is different from a hidden microphone:
🔴 No electricity, no batteries, no radio signals
🔴 Cannot be found by professional bug sweeps that look for hidden mics or cameras
🔴 Cannot be jammed by ultrasonic jammers (the kind some boardrooms use against phone microphones)
🔴 Looks identical to a normal fiber cable

The researchers tested a commercial ultrasonic jammer right next to their device and it had zero effect. The defenses meant to protect sensitive meetings simply do not see this attack coming.

What you can do:
🔴 If you run a sensitive office or meeting room, ask your IT team about polished fiber connectors and optical isolators. Both make this attack much harder.
🔴 Do not let your internet installer leave excess fiber coiled up inside the room. Have them coil it inside the wall or in a sealed box outside the room.
🔴 Keep fiber cable runs away from desks and walls that resonate with conversation.
🔴 In high-security spaces, soundproof the walls and ceilings where fiber runs.
Augusto Bortoluzzi retweeted
Iceman
Iceman@herrmann1001·
Mind blown 🤯 Some smartphones sold in mainland China (like certain OPPO models) can read MIFARE Classic cards, crack the keys in seconds, store them, and then fully emulate the card directly on the phone. No extra hardware. Just the phone. Access control, transit cards, hotel keys… game over. Huge thanks to Ian for showing me this in person. Really eye-opening how far NFC capabilities have gone in some regions. Who else has seen this in the wild? #NFC #MIFARE #TechSecurity #oppo
Augusto Bortoluzzi
Augusto Bortoluzzi@augustob333·
Signal@signalapp

A response to recent reporting in Germany, in service of clarity and accountability: First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us. In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks. Because we don’t collect user data, what we know about these attacks comes from the victims of phishing. And from what victims have told us, the attacks followed a broad pattern: after tricking people into revealing their Signal credentials, attackers then used those credentials to take over their account and also frequently changed the associated phone number. Because such a change results in de-registering your Signal accounts, attackers prepared people for this by telling them that being de-registered was intended behavior, and that all they would need to do is “re-register,” or, create a new account. When they moved to create a new Signal account — one that was now decoupled from their hijacked account — the victims thought they were logging back in to their primary account. As a result, many didn't notice the takeover. The compromised accounts were then weaponized to target the victims' contact lists by posing as the owners of the account. We understand the trust that people put in Signal, and how devastating this kind of social engineering can be. 
While it’s true that all messaging platforms are susceptible to scammers and phishing that betrays people’s trust and convinces them to “unlock the front door” where no backdoor exists, we are looking to do everything we can to help people avoid and detect such scams. For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock).

Augusto Bortoluzzi retweeted
Wiz
Wiz@wiz_io·
🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
Augusto Bortoluzzi retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
🚨 New Windows 0-Click Vulnerability Exploited to Bypass Defender SmartScreen Source: cybersecuritynews.com/windows-shell-… A critical zero-click authentication coercion vulnerability, tracked as CVE-2026-32202, stems from an incomplete patch for a Windows Shell security feature bypass and is actively weaponized by the Russian APT28 threat group. Microsoft confirmed active exploitation of the flaw and released a fix as part of its April 2026 Patch Tuesday update. The attack's primary mechanism abuses the Windows Shell namespace parsing pipeline. APT28 embedded a malicious LinkTargetIDList structure inside the LNK file, a binary IDList that Windows Explorer parses and renders, similar to how Control Panel items are displayed. #cybersecuritynews #vulnerability #microsoft
Augusto Bortoluzzi retweeted
Pirat_Nation 🔴
Pirat_Nation 🔴@Pirat_Nation·
Brave has added native Containers support in its Nightly build, bringing Firefox-style tab isolation to a Chromium-based browser for the first time. This feature lets you create fully separate spaces inside the same window, where each container runs with its own cookies, local storage, and login sessions. You can now open multiple accounts from the same site side by side, like personal Gmail and work Gmail, without mix-ups, forced logouts, or switching browser profiles. The privacy benefits are significant: trackers and cookies in one container cannot reach or follow activity in another, which stops cross-site tracking across your work, shopping, banking, or social tabs. On the security side, stronger tab sandboxing limits any damage if a compromised site appears in just one container. Unlike basic browser profiles or third-party extensions, this is built-in and lightweight, complete with a simple interface and ready-made categories such as Personal, Work, and Social. For privacy-focused users or anyone juggling separate online identities, it removes one of the last good reasons to stick with Firefox. Brave now delivers Chromium speed and compatibility alongside powerful native isolation. This is enabled by default in Nightly, with further improvements expected soon.
Augusto Bortoluzzi retweeted
Pirat_Nation 🔴
Pirat_Nation 🔴@Pirat_Nation·
A newly disclosed vulnerability in Firefox (CVE-2026-6770) allowed websites to track users across different sites with an identifier that lasted for the lifetime of the browser process. This vulnerability let any website quietly build a stable tracking identifier that lasted for the whole lifetime of your Firefox process. It didn’t steal data or abuse storage; it simply read the predictable order in which the IndexedDB API returned database metadata, and that order never changed as long as the browser stayed open, so sites could link your activity across tabs, windows, and even after you cleared data or hit the Tor reset button. After the issue was reported, Mozilla rolled out the fix in Firefox 150 and ESR 140.10 on April 21 (Tor Browser got the same update). The patch randomizes that metadata order so the trick no longer works.
Augusto Bortoluzzi retweeted
Daniel Weber
Daniel Weber@weber_daniel·
After an embargo of 256 days, I'm happy to reveal our newest work: we present TREVEX, a black-box CPU fuzzer that detects transient execution vulnerabilities in an automated manner. Running TREVEX on AMD, Intel, and Zhaoxin CPUs discovered multiple new CPU vulnerabilities!
Augusto Bortoluzzi retweeted
impulsive
impulsive@weezerOSINT·
i went to clickup.com. opened the page source. found a hardcoded API key in the javascript. copied it. sent one GET request. got back 959 email addresses and 3,165 internal feature flags. employees from Home Depot. Fortinet. Autodesk. Tenable. Rakuten. Mayo Clinic. Permira. Akin Gump. government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland Australia, and New Zealand. a Microsoft contractor. 71 clickup employees. fortinet sells enterprise firewalls. tenable makes Nessus, the vulnerability scanner half the industry runs. their employees' emails are exposed because clickup hardcoded a third party API key in a javascript file that loads before you even log in. this was first reported to clickup through hackerone on January 17, 2025. it's now April 2026. the key has not been rotated. i just pulled the response five minutes ago. every email is still there. clickup raised $535 million at a $4 billion valuation. claims 85% of the Fortune 500 use their platform. looks like the proof is in the page source.
Augusto Bortoluzzi retweeted
Chris Ryan
Chris Ryan@Watchdog_MP·
🚨 BREAKING: Toronto Police just seized “SMS Blasters”, fake cell towers never seen before in Canada. These portable devices hijack thousands of phones at once, blast fake bank/Canada Post texts, and knock out real service (even 911 calls). Tens of thousands of phones hit. Over 13 MILLION disruptions. Three men charged 🇨🇳
• Dafeng Lin, 27, of Hamilton
• Junmin Shi, 25, of Markham
• Weitong Hu, 21, of Markham
This is next-level cyber crime on our streets. Stay alert. Never click surprise links. #Toronto #CyberCrime #ScamAlert
National Post@nationalpost

Toronto police seize 'SMS blasters,' a cybercrime weapon never before seen in Canada nationalpost.com/news/canada/to…

Augusto Bortoluzzi retweeted
Pavel Durov
Pavel Durov@durov·
41 kidnappings of crypto holders in France in 3.5 months of 2026. Why? 🥖 French tax officials selling crypto owners' data to criminals (Ghalia C.) + massive tax database leaks. Now the state also wants IDs and private messages of social media users. More data = More victims.
Augusto Bortoluzzi retweeted
Chaofan Shou
Chaofan Shou@Fried_rice·
Chinese LLMs can hack better than state-sponsored hackers with a properly evolved harness - Kimi K2.5 managed to find and exploit 6 vulnerabilities in browsers: a single page view or an extension install by victims equals full system hijack. Check arxiv.org/abs/2604.20801
Augusto Bortoluzzi retweeted
impulsive
impulsive@weezerOSINT·
North Korean Lazarus Group has weaponized this exact class of Microsoft-signed kernel driver. It is sitting on MILLIONS of Windows PCs right now. It gives any local process full control from the deepest level of Windows. 5 lines of code. Zero validation. Your antivirus can’t stop what runs below the OS.