CVE-2026-31431 ("Copy Fail") Meets Iran's Digital Blackout: A Match Made in Hell

While the world scrambles to patch one of the cleanest local privilege escalation bugs in recent memory, a large chunk of Iran's critical infrastructure is sitting there beautifully vulnerable — thanks to the regime's own "protective" internet blackout.
The Technical Beauty of Copy Fail

CVE-2026-31431 is a high-severity (CVSS 7.8) logic flaw in the Linux kernel's cryptographic subsystem, specifically the algif_aead module and the authencesn template. It was introduced in 2017 with a performance optimization that accidentally allowed page cache pages (normally read-only for users) to end up in a writable destination scatterlist.

The primitive is terrifyingly simple:

An unprivileged local user opens an AF_ALG socket.
Binds it to authencesn(hmac(sha256),cbc(aes)).
Uses splice() in a clever way.
Achieves a controlled 4-byte write into the page cache of any readable file on the system.

Researchers dropped a 732-byte Python script that weaponizes this to overwrite a setuid binary like /usr/bin/su, injects shellcode, and spawns a root shell. No disk writes. No races. No KASLR bypass needed. Works reliably across Ubuntu, RHEL, Amazon Linux, SUSE — basically every major distribution built since 2017. It even crosses container boundaries because the page cache is shared at the host level.

It's not flashy memory corruption. It's elegant. It's reliable. It's the kind of bug that makes security researchers weep with joy and defenders cry.
Now Add Iran's Self-Imposed Digital Blackout

The regime proudly announces it's cutting internet access "due to cyber attacks." The real reason, of course, is fear of its own population. Connectivity gets throttled or severed, updates stop flowing, and systems remain frozen in their pre-disclosure state.

This creates the perfect storm:

Many Iranian government, military, and critical infrastructure servers are still running vulnerable kernels (4.14 through early 6.x series).
The "cyber attack" excuse conveniently prevents normal sysadmins from pulling the latest patches.
Anyone who already has a local shell whether a disgruntled insider, a compromised low-priv account, a previous breach, or a clever actor who got in before the blackout — now holds the keys to the kingdom with 732 bytes of Python.

A low-level IT guy (or an opposition sympathizer, or a foreign operator) who still has internal network access runs the PoC. Four bytes later, /usr/bin/su is politely modified in memory. execve() and suddenly he's root on servers the regime thought were "protected" by disconnecting them from the outside world.

No C2 callbacks needed. No noisy exfiltration during the blackout. Just quiet persistence and lateral movement inside the isolated network. The digital iron curtain doesn't stop internal threats it amplifies them.
The Ironic Masterpiece

The regime cuts the internet out of paranoia about its people, then leaves its infrastructure wide open to the exact kind of local escalation that paranoid regimes should fear most. It's like boarding up all the windows to stop outsiders from looking in, while leaving the front door unlocked and posting a sign that says "Free Root Access Inside."

In short: Copy Fail turns any local foothold into full root with almost zero effort. Iran's self-imposed isolation ensures that many systems won't see patches for days or weeks. The combination is comedy gold for anyone on the wrong side of the regime and a nightmare for those supposedly "securing" the infrastructure.

Stay patched, folks. And if you're running critical systems in a country currently experiencing a "cyber attack" blackout... good luck. You're going to need it more than most.

I have deployed a collection of independent smart contract protocols on Ethereum mainnet. Each one is finished infrastructure. No governance, no upgrade path, no owner. Ownership is renounced on all contracts. The contracts are deployed and the keys are gone.

This post is for the privacy angle. The full technical documentation is in the repo linked at the bottom.

Minimal data, by architecture

No protocol stores personally identifiable information. On-chain data is limited to cryptographic commitments, timestamps, addresses, and amounts. All sensitive data stays off-chain with the parties involved.

This is GDPR compliant by architecture, not by policy. There is no personal data to protect because the system is not designed to collect it. The deployer controls their own data. The user controls their own disclosure.

No operator, no capture

The contracts are deployed with renounced ownership. There is no entity that can be subpoenaed, pressured, or acquired. The privacy is structural, it holds regardless of what any individual, platform, or authority wants.

Most privacy tools rely on the trustworthiness of an operator. These protocols have no operator to make promises and no operator to break them.

Currency agnostic

Every protocol settles on Ethereum mainnet. What currency a user pays in is a platform decision. A platform can accept XMR, BTC, ETH, fiat, or any combination and convert to ETH at the platform layer before interacting with the protocol.

Combined with the atomic, hop-by-hop settlement structure, this means the payment trail fragments naturally across chains without any privacy feature being explicitly designed in. It is a structural consequence of currency agnosticism and independent atomic settlements.

Human rights and legal grounding

The right to private correspondence is not a crypto argument. It is a human rights argument.

Universal Declaration of Human Rights, Article 12 covers it. ECHR Article 8 covers it. GDPR covers it. A parcel dispatched between two parties with no central record of who sent what to whom is functionally identical to a sealed letter. The legal and moral precedent for protecting that is centuries old.

These protocols are built in that direction. Anyone arguing against this privacy model is arguing against the existing human rights framework.

Documentation, protocol repositories, template repositories, and orchestration examples:

github.com/pablo-chacon/the-su…

Hey everyone, Hope you all having a good day today, I apologize in advance for this long read but TLDR will be at the bottom.

There's this potential issue I'm facing right now and I need some opinions on how to go about this or maybe I'm overthinking this situation.

Context:
I'm Running a google pixel phone with grapheneOS for about a month now, without any sandboxed google play services, the experience has been amazing and so freeing, this switch was overdue since all of my services are open source / privacy respecting or self hosted solutions, this was the last step to finally be "free" and I just got up one day and decided to bite the bullet, buying the phone with cash.

BUT i made the rookie mistake of not checking banking app compatibility and as luck would have it, my banking apps outright blocked GOS users and no settings would work

Luckily with some patience and a bit of RE magic, I managed to come up with bypasses for 2 local banking apps in a little over 3 hours, it was laughably easy and any user could pull it off without changing any settings or installing anything.

issue:
Here's the potential problem.

Now we may all know the Privsec GOS banking app compatibility list
at first I was over the moon to make a useful contribution ESPECIALLY to a list like this.

And then it dawned on me, I'll be potentially shooting myself in the foot and here's how:

1-I live in a relatively small country that isn't mentioned anywhere in this list, I'll be the first one in my nation to make a contribution, while yes we do have wiggle room for internet freedom, the local government showed that it will not tolerate moves that will encourage the masses to take privacy routes, basically "if you're gonna do it, shut up about it or we're gonna come after you" it did happen before.

2-The population pool is small, to make matters worse, Google pixel phones aren't even a thing here, I had to REALLY dig around to find someone that sold these brand new, the second hand market is just as bad, no one is selling these phones so I imagine that people who actually have these phones here can be counted on my fingers.

3-The bank I'm using most probably already logged the phone type, It wouldn't be so hard for them to connect the dots if they got alerted about my bypass solutions, The privsec fill out forum needs me to include my phone model name and build number, potentially leading to a full OPSEC compromise.

Verdict / Thoughts:

I'm split on this issue, part of me things I'm over thinking the shit out of this situation and I'm over estimating their capabilities.

The other part is telling me that I'll be destroying my opsec and I should stop.

I'm thinking of falsifying Device name / model on the forum to avoid this but I don't know if this is even enough and I don't want to mislead other users.

TLDR: Local Banking apps blocked GOS, came up with a bypass but not enough people use Google pixel phones locally and this may lead to a full OPSEC compromise if I posted about it.

cross-posted from: hexbear.net/post/8356680

cross-posted from: news.abolish.capital/post/4540…

This story originally appeared in Common Dreams on April 27, 2026. It is shared here under a Creative Commons (CC BY-NC-ND 3.0) license.

An exchange of gunfire between an armed suspect and law enforcement outside the White House Correspondents’ Dinner on Saturday came days ahead of a deadline for extending far-reaching government surveillance powers, and President Donald Trump wasted no time in claiming that the attempted attack on the event proved that the FBI must be permitted to spy on Americans without obtaining warrants.

In an interview with Fox News Sunday, Trump repeated his previous remarks that he is “willing to give up [his] security” in favor of extending Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is set to expire on Thursday—and suggested other Americans should do the same for “the safety of our nation.”

Section 702 allows US intelligence agencies to surveil the electronic communications of foreign nationals overseas without a warrant. Since some of the nearly 350,000 foreign nationals whose communications have been collected under the law are in touch with Americans, Section 702 allows for the collection of emails, text messages, and phone calls of US citizens.

Fox anchor Jacqui Heinrich emphasized that “we don’t know right now” whether the suspect in Saturday’s shooting, Cole Tomas Allen, “was radicalized” by a foreign individual or group, but asked whether the attack drove home “the importance of having these tools to protect our country from these kinds of threats.”

The president responded by complaining that former FBI Director James Comey used FISA to obtain warrants to surveil a former Trump aide as part of the agency’s investigation into the 2016 Trump presidential campaign’s communications with Russia, before saying FISA has been used in the US-Israeli war on Iran and in the US military’s invasion of Venezuela earlier this year.

“It’s really needed for national security,” said Trump. “Iran is decimated, and we got a lot of information by using FISA… I’m willing to give up my security for the military because ultimately that’s to me the highest cause is, you know, the safety of our nation.”

Pres. Trump, under prodding from Fox News, exploits White House Correspondents' Dinner shooting to push for Congress to approve FISA domestic spying program: "It's really needed for national security…"

He reiterates that he's willing to give up his liberties for safety. pic.twitter.com/tmcepp0Wgn

— Chris Menahan 🇺🇸 (@infolibnews) April 26, 2026

Jordan Liz, an associate professor of philosophy at San José State University, wrote last week in a column at Common Dreams that while Trump, Republican lawmakers, and US intelligence agencies “make sweeping claims about the terror attacks that Section 702 has prevented, there is little publicly available evidence to support this.”

“According to the Cato Institute, there is only one well-documented, independently corroborated case of Section 702 preventing a terrorist attack on American soil: the 2009 New York subway bombing plot,” wrote Liz. “In that case, Section 702 was used by the [National Security Agency] to track an exchange between an al-Qaeda courier and Najibullah Zazi, who was living in the US. The NSA passed this information to the FBI, which identified Zazi and disrupted the attack before it took place. Importantly, however, the NSA allegedly received the courier’s foreign email address from the government’s British intelligence partners. At best then, this success was a byproduct of productive intelligence sharing between allies. Rather than proving the necessity of Section 702, this incident underscores how Trump’s inane attacks against key US allies undermine our national security.”

The suspect in Saturday’s shooting is believed to have acted alone, and no evidence has been released that he was in communication with any foreign entities. A document he wrote alluded to his Christian beliefs and to reports of the administration’s abuse of immigrants in detention centers, its boat-bombing operations in the Caribbean Sea and eastern Pacific Ocean, and the bombing of an elementary school in Iran.

The president has been pushing in recent weeks for an extension of Section 702. The program was last reauthorized in 2024, and earlier this month two efforts to extend the program—one for 18 months and the other for five years—failed, with opponents objecting to a lack of privacy reforms and to a loophole allowing data brokers to sell private information about Americans to government agencies that have not obtained judicial approval to seize the data.

After those proposals failed, House Speaker Mike Johnson (R-La.) last week unveiled a new bill to extend Section 702 for three years and require the FBI to submit monthly reports on its reviews of Americans’ private data to an oversight official, as well as imposing penalties for abuse—provisions that were dismissed by privacy advocates.

The House Rules Committee was set to convene on Monday, a step toward advancing the new bill toward a vote in the House, and according to NPR, Rep. Jamie Raskin (D-Md.) circulated a memo late last week urging his colleagues to reject the Republicans’ latest proposal.

The bill, he wrote, “continues the disastrous policy of trusting the FBI to self-police and self-report its abuses of Section 702 and backdoor searches of Americans’ data… FBI agents can still collect, search, and review Americans’ communications without any review from a judge.”

Four Democrats in the House—Reps. Josh Gottheimer (D-NJ), Tom Suozzi (D-NJ), Marie Gluesencamp Perez (D-Wash.), and Jared Golden (D-Maine)—broke with the party and joined the GOP earlier this month in supporting a procedural vote to advance the reauthorization of Section 702, and privacy advocates are ramping up pressure on them to oppose the latest proposal for an extension.

“It all comes down to those four and where they are going to land,” Hajar Hammado, a senior policy adviser at Demand Progress, told The Intercept Monday, “and if they are going to continue to try to hand Trump and [White House homeland security adviser] Stephen Miller warrantless surveillance authorities without any sort of checks or reforms that make sure they’re not violating civil liberties.”

---

From The Real News Network via This RSS Feed.

Hi,

I have developed a foss program that ciphers data. Target audiences are groups of non-tech savvy activists, not able or not willing to use programs such as Kleopatra or Veracrypt, that need to protect highly sensitive data that needs to be accessed after an unknown amount of time (could be weeks or months, i.e. only in case of emergency). An example are antirepressive files in case of arrest, that provide the arrestee's colleagues with instructions on the arrestee's needs (medication, pets to take care of, lawyer to contact etc.). In this example, threat actors are primarily authoritarian governments.

The program consists of a serverless HTML file intended to be used in Tails in the Tor Browser, and it offers a symmetric and an asymmetric cipher mode, and an asymmetric cipher mode that includes Shamir's secret sharing for the decipher key.

It also has some extra features such as the option to export and import data from/to QR codes, and set default text fields (among other). The collective asymmetric cipher mode (the one with Shamir's secret sharing), as you can see in the docs, is made to target the threat vector of police infiltrators or collaborators.

I have detailed the cryptographic processes as diagrams and other info in the repo:

0xacab.org/gilare/cinf/-/blob/…

0xacab.org/gilare/cinf/-/blob/…

0xacab.org/gilare/cinf/-/blob/…

The program is meant to be used collectively: e.g. a group of activists manage their files through a single key pair.

It would be awesome if somebody could take a look at the cryptographic processes and provide feedback, last thing I want to do is provide insecure software to my friends and other activists, and I want to make sure I have not made a mistake somewhere. This is not the first review iteration, but I just want to be completely sure before I mark my software as production ready.

If you know somebody that has the needed knowledge to review this I would greatly appreciate it if you could ask them to take a look ❤

A demo: gilare.itcouldbewor.se/cinf/

cross-posted from: hexbear.net/post/8330182

cross-posted from: news.abolish.capital/post/4482…

military contractor Palantir is helping the IRS analyze dozens of different data sets on Americans to investigate a broad range of financial crimes, according to records shared with The Intercept.

Since 2018, the Internal Revenue Service’s Criminal Investigation division has used Palantir’s Lead and Case Analytics platform to aggregate and analyze a sprawling list of sensitive federal databases and data sets.

Public records detailing Palantir’s IRS contract, obtained by the nonprofit watchdog group American Oversight and shared exclusively with The Intercept, reveal the immense volume of data plugged into the military contractor’s software. The LCA uses both Palantir’s Gotham and Foundry applications to facilitate “analysis of massive-scale data to find the needle in the hay stack,” the contract paperwork says.

Documents indicate the IRS has paid Palantir over $130 million for these services to date.

Palantir’s LCA is ostensibly directed toward cracking down on fraud, money laundering, and other financial crimes. According to a 2024 agency privacy impact assessment, IRS “Special agents and investigative analysts … utilize the platform to find, analyze, and visualize connections between disparate sets of data to generate leads, identify schemes, uncover tax fraud, and conduct money laundering and forfeiture investigative activities.”

[

Related

Trump Wants to Put You in a Massive, Secret Government Database](theintercept.com/2026/03/17/go…)

The IRS use of the software, launched under Trump’s first term and expanded under Biden, is now in the hands of an IRS Criminal Investigations office that has drastically scaled back its pursuit of tax cheats and pivoted, under Trump’s direction, toward investigating “left-leaning groups,” the Wall Street Journal reported in October.

“The real concern is the consolidation of vast amounts of sensitive personal data into a single system with minimal transparency — especially one built and operated by a contractor like Palantir, whose business model is premised on integrating data and expanding surveillance capabilities,” American Oversight director Chioma Chukwu said in a statement to The Intercept. “Its platforms have been used in deeply troubling contexts, from immigration enforcement to predictive policing, with persistent concerns about overreach, bias, and weak oversight.”

Palantir did not respond to a request for comment, nor did the IRS.

“The real concern is the consolidation of vast amounts of sensitive personal data into a single system with minimal transparency — especially one built and operated by a contractor like Palantir.”

The contract documents reviewed by The Intercept reveal that these “disparate sets of data” are vast. Palantir’s LCA allows the IRS to quickly search and visualize “connections from millions of records with thousands of links” between databases maintained by the IRS and other federal agencies. According to the contract documents, this data includes individual tax form and tax returns as well as Affordable Care Act data, bank statements, and transactions, and “all available” data compiled by the Treasury Department’s Financial Crimes Enforcement Network.

Its view apparently extends to cryptocurrencies including bitcoin, Ethereum, Litecoin, and Ripple. “The application would sit on top of a singular repository of identified wallets from seized servers utilizing dark web data obtained from exchangers such as Coinbase,” the documents note.

The program places an emphasis on mapping social relationships between the targets of an investigation. That includes analyzing a “network of people and the relationships and communications between them,” such as “calls, texts, [and] emails events.” The use of “IP address analysis” within LCA allows the IRS to “Identify suspects more easily” and “Establish (new) relationships among actors.”

These investigative functions are continuously updated, the materials say, through ongoing close work between Palantir engineers and IRS personnel.

[

Related

Palantir Will No Longer Profit Off of New Yorkers’ Health Data](theintercept.com/2026/03/24/pa…)

The intermingling of sensitive data on millions of Americans comes at a time of increased global skepticism and opposition toward Palantir, which, despite its military-intelligence origins, has a thriving business with civilian agencies like the IRS. The use of Palantir software at the U.K.’s National Health Service, for example, has created an ongoing political controversy across Britain, while a similar contract with the New York City public hospital network was recently canceled following public protest.

The contract is also active at a time when IRS Criminal Investigations has been coopted to aid in the broader Trump administration’s aggressive agenda. In July, ProPublica reported that the agency was working with U.S. Immigration and Customs Enforcement to provide “on demand” data to accelerate deportations. Last year, the New York Times reported that Palantir, founded by Trump ally Peter Thiel, was central to an administration effort to increase data-sharing across federal agencies.

“The question isn’t just what it can do — it’s who it will be used against.”

The company’s right-wing politics and eagerness to facilitate U.S. and Israeli military aggression abroad, NSA global surveillance, and ICE deportations has also made many weary of its access to incredibly sensitive personal data. A recent post on the company’s Palantir’s X account summarizing a book by CEO Alex Karp triggered an immediate backlash from those unnerved by the manifesto’s fascistic bent. The bullet points extolled the virtue of arms manufacturing, argued the Axis powers were unfairly punished after World War II, called for a reinstatement of the draft, condemned cultural pluralism, and claimed that wealthy elites are unfairly persecuted.

“When the government can map relationships, track behavior, and generate investigative leads across data sets at this scale, the question isn’t just what it can do — it’s who it will be used against,” Chukwu said. “Entrusting that infrastructure to a company known for opaque, security-state deployments only heightens those risks.”

The post Palantir Is Helping Trump’s IRS Conduct “Massive-Scale” Data Mining appeared first on The Intercept.

---

From The Intercept via This RSS Feed.

We have just shared our Spring and Summer 2026 roadmaps, outlining our commitments for improvements and new features across the Proton ecosystem.

Here is a summary of planned updates:

Proton Mail

• Introduction of a category view to automatically sort emails by type
• Multi-inbox management, including sending and receiving Gmail messages within Proton Mail
• Improved mobile search with full email body indexing performed on-device

Proton Calendar

• Complete rewrite of the application
• Planned support for offline mode and a modernized user experience
• Proton as your default calendar on Android
• New foundation to support additional features

Proton VPN

• New WireGuard-based codebase to improve speed, stability, and anti-censorship capabilities
• Beta rollout planned for Windows and Android, followed by macOS, iOS, and Linux
• Updated Linux interface and support for Stealth protocol
• Connection preference exclusions planned for Windows

Proton Pass

• Introduction of folders for organizing passwords, notes, and aliases
• SSH agent support for simpler authentication in developer workflows
• Improved autofill with enhanced URL matching and iFrame support

Proton Drive

• Performance improvements have already been deployed for shared file downloads and uploads
• Additional speed improvements planned
• macOS document and folder synchronization
• SDK rollout across platforms
• Our Linux application will be worked on during this period too

Proton Docs and Sheets

• Ongoing usability and collaboration improvements
• Table of contents and other requested features for Docs
• Expanded functionality for Sheets
• Shared Drive for teams

Lumo AI

• Planned update with improved memory and customization options
• Desktop application in development, a central hub for Lumo
• Lumo API planned for organizational use

Read more: proton.me/blog/2026-spring-sum…

Everything we've released in the last year, including our new products and every new feature for our core services, has been possible because of your support.

As an independent, European alternative to Big Tech, we see building a private ecosystem of apps as a reclamation of our rights to privacy on the internet and a reminder that there's a better way to build tech: for people, not profit.

Your investment in our mission is what helps us make better products. Feedback is invaluable to our teams, so let us know on Discord, X, Bluesky, Facebook, LinkedIn, Threads, Telegram, Reddit, and UserVoice, or leave us a review in the App Store or Play Store.

Thank you for helping us build a more private internet, and we'll see you in the fall for our next roadmap updates.

Stay Safe,
Proton Team