🚨 Google Project Zero just published a Pixel 10 zero-click to root exploit chain.
Two vulnerabilities and less than a day of work to weaponize the second one.
Chain:
- Stage 1: same Dolby UDC zero-click (CVE-2025-54957) used against the Pixel 9. Patched in January 2026. Only minor offset updates and a tweak around RET PAC needed to port to Pixel 10
- Stage 2: a brand new local privilege escalation in the VPU driver for the Chips&Media Wave677DV on the Tensor G5
Result: arbitrary kernel read/write in 5 lines of code. Full exploit written in under a day.
The NSA called this operating system “catastrophic." ☠️
It fits on an 8GB USB stick.
It's called Tails OS.
> Released in 2009 by a nonprofit team backed by the Tor Project.
> Built for one thing: leaving no trace behind.
> Runs entirely from a USB stick.
> Plug it into almost any computer and boot instantly.
> Tails loads fully into RAM.
> Never touches the computer’s hard drive.
> Shut it down and everything disappears.
> Files gone.
> Passwords gone.
> Browsing history gone.
> Like the session never happened.
> Every internet connection routes through Tor automatically.
> Your traffic bounces across 3 encrypted relays worldwide.
> No single server sees the full picture.
> In 2013, journalists working with Edward Snowden used Tails.
> Leaked NSA documents later called it a “major threat.”
> Combined with other privacy tools, they called it “catastrophic.”
> Free and fully open source.
> Fits on a tiny USB drive.
> Still one of the most powerful privacy tools ever made.
Most operating systems are designed to remember everything.
Tails OS was designed to forget you ever existed. 🕶️
In April, a website that has been sued, blocked, deplatformed, and chased across thirty-seven domains over fifteen years quietly launched its own AI.
Sci-Hub is the largest unauthorized library of scientific papers in human history. Ninety-five million academic papers. Tens of millions of books. Built and maintained by a single Kazakhstani neuroscientist named Alexandra Elbakyan since 2011, funded by donations, hosted on whatever country's registrar will tolerate it that year, mirrored across torrents and IPFS and Telegram bots.
Elsevier sued. Sci-Hub stayed up. The American Chemical Society sued. Sci-Hub stayed up. India sued. Sci-Hub stayed up. Swedish registrar Njalla cut the .se domain in January. Sci-Hub stayed up at .al, .ru, .ee, .box, and a half-dozen .onion addresses the registrars cannot reach.
Now the library has built its own intelligence.
Sci-Bot launched in alpha in April. You ask it a research question. It answers, and it cites real papers from inside the corpus, with links that actually open the actual papers.
The bot does not hallucinate citations. It cannot, because it only draws from papers it actually holds. The same property that the venture-funded labs have spent four years and forty billion dollars trying to engineer back into their products is a free side effect of training the model on a library that contains the books.
Anthropic, OpenAI, Google, and Meta have all been sued in the past eighteen months for training their models on the same shadow libraries that Sci-Hub assembled. Meanwhile the corpus those scripts were pointed at, the corpus those models were trained on, the corpus the entire generative AI industry is built on, sat right there the whole time, free, with a search box on top.
The pirates beat them to it.
Sci-Bot was built on a corpus that was already free, by a team that asked no permission, charging no one, with the explicit position that the right to read scientific research is older than the cartel that decided to charge for it.
The same arithmetic the medieval guilds used to keep the printing trade in approved hands. The same arithmetic Pope Paul IV used in 1559 to publish the Index Librorum Prohibitorum. The same arithmetic the Stationers' Company used in seventeenth-century London.
Knowledge has always had a fence around it. The fence has always been guarded by men who did not write the books.
The library answers. We never asked permission. We never had to.
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.
Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems:
https://t.co/7rQnioRa8A
Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's privacy pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.
Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
Internet Archive Launches New Foundation in Switzerland, based in St. Gallen.
This new nonprofit group operates independently under Swiss law while joining similar groups in Canada and Europe.
• Initial priorities:
> Endangered Archives initiative: Rescue and preserve vulnerable cultural heritage and historical records threatened by conflict, disaster, institutional collapse, or suppression.
>Gen AI Archive project: In partnership with the University of St. Gallen’s School of Computer Science, aims to collect and preserve generative AI models and related systems
‼️🚨 ALARMING: Google now treats privacy as suspicious behavior by default. Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed.
GrapheneOS is recommended by the EFF and used by journalists, lawyers, and activists in high-risk environments. The audience most likely to read Google's data practices and refuse its terms is now flagged as fraudulent for that exact decision.
What happened?:
▪️ Google announced "Cloud Fraud Defense" at Cloud Next on April 22-23, 2026, branding it "the next evolution of reCAPTCHA." Existing reCAPTCHA customers were auto-migrated.
▪️ When the system flags traffic as suspicious, the old click-the-bus puzzle is gone. Users get a QR code instead.
▪️ Scanning the QR code requires Google Play Services running on the device. Internet Archive snapshots show this requirement has been live since at least October 2025, silently rolled out for 7 months before anyone noticed.
▪️ No Play Services = no QR scan = locked out.
The bigger picture:
▪️ Google already tried this in 2023. It was called Web Environment Integrity (WEI), and it would have let Google decide which devices were "real enough" to access the web. Standards bodies and the public pushed back hard, and Google killed it. Three years later, the same idea is back, just hidden behind a QR code instead of a browser feature.
▪️ reCAPTCHA runs on millions of websites. Every developer who keeps using it is now, by default, telling deGoogled Android users they're not welcome...
🚨GOOGLE JUST SILENTLY DOWNLOADED A 4GB AI MODEL TO YOUR COMPUTER WITHOUT ASKING.. WITHOUT TELLING YOU.. AND WITHOUT ANY WAY TO STOP IT..
If you use Chrome.. There's a good chance a 4 gigabyte file is sitting on your hard drive right now that you never agreed to download..
It's called Gemini Nano.. Google's on-device AI model.. A security researcher just proved it installs itself with zero clicks.. Zero prompts.. Zero notifications..
Alexander Hanff set up a completely fresh Chrome profile.. Didn't click anything.. Didn't scroll.. Didn't type a single keystroke.. Just opened the browser and watched..
14 minutes and 28 seconds later.. Chrome had silently scanned his hardware.. Read his GPU, RAM, and storage.. Then wrote a 4GB file to his hard drive.. No permission dialog.. Nothing..
Chrome's own logs show the download begins BEFORE the settings page where you could opt out is even loaded.. The file starts installing before the refusal button exists..
As of Chrome 148.. Any website you visit can trigger this download.. One line of JavaScript.. You click a link to read a blog post.. That click counts as "user activation".. And Chrome silently pulls 4GB in the background..
No install prompt.. No consent dialog.. Google's own docs admit this..
Your laptop overheats.. Storage disappears.. Battery drains.. And you have no idea why..
The model doesn't even work well.. Cloud requests take 1.3 seconds.. The local model at worst case takes over 9 minutes for a single response..
Google is using your storage, electricity, and bandwidth to run an AI that's 40 times slower than their own servers..
And the "AI Mode" button in Chrome's address bar.. Doesn't even use the local model.. It sends everything to Google's cloud anyway..
You pay the storage penalty.. The heat penalty.. The bandwidth penalty.. And the visible AI feature ignores the local file entirely..
Because Chrome fails to clean up old versions.. Users are finding 12GB or more of duplicate AI files stacked on their drives..
Palo Alto Networks found a vulnerability where a browser extension could hijack the local AI model's permissions.. Accessing your webcam.. Microphone.. Local files.. Through an AI you never installed..
Here's how to check if it's on your machine..
Windows.. C:\Users\[YourName]\AppData\Local\Google\Chrome\User Data\Default\OptGuideOnDeviceModel\
Mac.. ~/Library/Application Support/Google/Chrome/Default/OptGuideOnDeviceModel/
If there's a file called weights.bin.. Google downloaded their AI to your computer without asking..
To stop it.. Type chrome://flags.. Search "optimization-guide-on-device-model" and disable it.. Search "prompt-api-for-gemini-nano" and disable that too.. Restart Chrome.. Then manually delete the folder..
If you don't disable the flags first.. Chrome redownloads the 4GB file on next launch..
Firefox requires explicit opt-in for AI.. Apple Intelligence requires explicit consent.. Chrome just takes your hard drive..
Google didn't ask to use your storage.. Your electricity.. Your bandwidth..
They just took it.
BREAKING Im Rahmen eines Verfahrens gegen die Organisierte Kriminalität ist heute eine Person festgenommen worden, die beim Bundesamt für Polizei @fedpolCH im #Bundessicherheitsdienst tätig ist.
Sie wird verdächtigt, vertrauliche Informationen verkauft zu haben. (1/4)
When Andres Freund, Linux kernel contributor & Microsoft engineer was debugging slow SSH logins on his Debian machine in March 2024, he noticed something weird:
liblzma (part of XZ Utils) was using way too much CPU power, so he kept digging, and what he uncovered was a multi-year supply-chain attack!
An attacker using the name “Jia Tan” had spent two years slowly infiltrating the tiny XZ Utils project, a compression library used by virtually every major Linux distribution.
The backdoor wasn’t in the source code. It was hidden deep inside the build scripts. It would have given the attacker remote root access on millions of servers the moment a specially crafted SSH key was used.
Freund caught it days before it would have shipped in Debian, Fedora, Ubuntu and more.
One man, one anomaly, one routine debug session saved the internet from a potential catastrophe.
Respect!
‼️ Google, Meta, Microsoft and Snap are pushing the EU to quickly revive 'Chat Control 1.0' — a now-expired exemption allowing indiscriminate mass scanning of user data for 'abuse material'.
Digital rights experts claim tech firms are deliberately spreading fear to protect their profits and data access — and that mass surveillance won't save a single child.
The exemption lapsed last week. The companies call this "irresponsible."
‼️🇺🇸 Lockheed Martin has allegedly been breached and 375TB of data is being offered for sale on what appears to be a Russian 'Threat Market'.
They've priced the highly confidential data at $598 million...
BREAKING: JACK DORSEY'S $50 BILLION SQUARE WILL TURN ON #BITCOIN LIGHTNING PAYMENTS FOR 4 MILLION MERCHANTS TODAY
BTC IS NOW ACCEPTED EVERYWHERE
MAINSTREAM ADOPTION IS HERE 🔥
I will say this again..
THERE IS NO REQUIREMENT IN THE UK ONLINE SAFETY ACT FOR OPERATING SYSTEMS LIKE iOS and LINUX TO ADD AGE VERIFICATION.
IT IS NOT A LAW.
THEY ARE LYING.
BREAKING: 🇺🇸 COINBASE JUST ANNOUNCED IT WILL LAUNCH CRYPTO-BACKED MORTGAGES FOR OVER 100,000,000 AMERICANS.
BUY AND OWN A HOUSE WITHOUT SELLING YOUR CRYPTO.
THIS IS MASSIVE 🤯
JUST IN: Start9 announced an open source router.
Open source hardware. Open source firmware. Open source OS.
No tracking. No data collection. No hidden code.
This is absolutely astounding!
A printer that prints circuit board traces.
I am going all in on this.
We will have a 100x increase in production and testing!
You did it! 🥳
European Parliament just decided that Chat Control 1.0 must stop.
This means on April 6, 2026, Gmail, LinkedIn, Microsoft and other Big Techs must stop scanning your private messages in the EU. #PrivacyWins 💪