Wednesday, 15 April 2026
Flock claims it can't honor deletion requests from its surveillance network, US renewables surpass natural gas for the first time, and OpenSSL ships 4.0.0 with sweeping breaking changes
Today's Lead
Honeypot
I Wrote to Flock's Privacy Contact to Opt Out of Their Domestic Spying Program
A California resident attempted to exercise CCPA deletion rights against Flock Safety, which sells automated license plate reader (ALPR) cameras to law enforcement and private communities, and was refused on the grounds that Flock operates as a "service provider" (CCPA's term for a processor) rather than the "business" that decides how the data is used. The company argued that its law enforcement and HOA customers own the data and must handle deletion requests, positioning itself outside CCPA's direct reach despite building and operating the surveillance infrastructure. The author challenges that interpretation, contending that Flock's own collection and processing of personally identifiable information should obligate it to honor deletion requests regardless of its contractual relationships. The dispute illustrates a broader structural problem: surveillance vendors are using the processor/controller distinction to avoid privacy obligations, building nationwide vehicle tracking networks while dodging accountability for what they collect.
Also today
Hacker News
Fiverr Exposed Sensitive Customer Files via Public Cloudinary URLs for Months
Fiverr has been delivering worker-to-client file transfers through publicly accessible Cloudinary URLs rather than signed, expiring links, so sensitive documents, including 1040 tax forms with Social Security Numbers, financial records, API tokens, and confidential business materials, have been indexed by Google and searchable by anyone. The researcher who found the issue turned up hundreds of real documents with queries as simple as site:fiverr-res.cloudinary.com form 1040. Fiverr is also alleged to be buying Google Ads for tax-filing keywords while failing to secure the resulting work product, potentially putting the tax preparers who use the platform in breach of the GLBA/FTC Safeguards Rule. The disclosure went public after 40 days without a response from the security contact mailbox the researcher wrote to, highlighting both the architectural failure (public delivery where signed URLs should be mandatory; Cloudinary itself supports signed and authenticated delivery, so this is a configuration choice rather than a platform limitation) and a broken incident response process. A signed URL only narrows the window: anyone holding the link can use it until it expires, and search engines may already have cached the file, so moving to signed delivery has to be paired with invalidating the old public assets.
Yale Environment 360
For the First Time in the U.S., Renewables Generate More Power Than Natural Gas
In March 2026, renewable energy sources — solar, wind, hydropower, and bioenergy — generated more electricity in the United States than natural gas for the first time on record, with renewables plus nuclear together supplying more than half of all US power. The milestone was driven by rapid solar and wind capacity expansion combined with favorable seasonal conditions: mild weather reduced demand while renewable output peaked. Fossil fuels generated less electricity in March than any March in at least 25 years of records, while solar, wind, and battery storage are projected to account for 93% of new grid capacity additions this year. The achievement is tempered by growing headwinds: rising electricity demand from data center buildouts is extending the life of aging coal plants and driving new natural gas generation, potentially slowing the pace of the overall energy transition.
OpenSSL
OpenSSL 4.0.0 ships as the library's first major version bump since 3.0, bringing significant modernization alongside sweeping breaking changes that will require migration work across the software ecosystem built on it. Key removals include complete elimination of SSLv3 support (deprecated by RFC 7568 in 2015), the legacy ENGINE system (superseded by the provider model introduced in 3.0, so code that still loads ENGINEs has to move to providers), and several deprecated APIs, while ASN1_STRING and other structures become opaque, meaning any code that reached into their fields directly must be rewritten against the accessor functions. New capabilities include Encrypted Client Hello (ECH) support, SM2 support, improved FIPS self-testing, and stricter certificate verification defaults, which can cause previously accepted chains to fail and are worth testing before rollout. Given how many TLS stacks, web servers, and cryptographic tools link against OpenSSL, this release will trigger a significant wave of dependency updates and porting work across the ecosystem.
Krebs on Security
Patch Tuesday, April 2026 Edition
Microsoft pushed 167 security patches in April 2026, the second-largest Patch Tuesday on record, including a SharePoint Server zero-day (CVE-2026-32201) already being exploited to spoof trusted content for phishing and social engineering, and a Windows Defender privilege escalation dubbed BlueHammer (CVE-2026-33825) whose public exploit code was released after the researcher grew frustrated with Microsoft's response. Outside Microsoft's bundle, Google fixed Chrome's fourth zero-day of 2026 and Adobe patched a Reader flaw (CVE-2026-34621) with active exploitation traced back to November 2025. Security researchers attribute the surge in discovered vulnerabilities to advancing AI capabilities in bug finding, with Rapid7 noting that the spike in browser vulnerabilities reflects AI-assisted research broadly rather than any single project, and warning that vulnerability discovery volume should be expected to keep climbing. With one bug under active exploitation and another with public exploit code, the SharePoint and Defender fixes are the ones to prioritize.
404 Media
Google, Microsoft, Meta All Tracking You Even When You Opt Out, According to an Independent Audit
An independent webXray audit of more than 7,000 popular websites found that Google, Microsoft, and Meta routinely ignore Global Privacy Control (GPC) opt-out signals, with Google failing to honor opt-outs 87% of the time, Meta 69%, and Microsoft 50%. Critically, Meta's tracking code contains no checks for opt-out signals at all, while Google-certified consent management platforms failed compliance at rates of 77–91%, a direct conflict of interest given that Google profits from the tracking those platforms nominally regulate. The findings suggest the major platforms treat privacy violations as an acceptable cost of business, with California's enforcement regime insufficiently deterrent. For developers integrating third-party analytics and advertising SDKs, the audit is a reminder that a vendor's contractual compliance assurance is not technical compliance: the signal is a plain Sec-GPC: 1 request header (exposed to scripts as navigator.globalPrivacyControl), so the integrating site can read it itself and withhold the tag, and can check in a test browser whether a vendor's script fires anyway.
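Honoring the signal yourself and verifying vendor behaviour are both small pieces of code. The block below is an added example for this digest, not webXray's or any audited vendor's code; the header name and value follow the GPC specification, while the tracker catalogue, domains, and request log are constructed for the demo.

```python
"""Honouring Global Privacy Control server-side, and checking whether third-party
tags respect it (added example; not webXray's or the vendors' code). Header name
and value per the GPC spec; the catalogue and request log are constructed."""
import json
from urllib.parse import urlparse

# Constructed catalogue: what each tag does with the data it collects.
TRACKER_CATALOGUE = [
    {"name": "analytics-core", "domain": "analytics.example-vendor.test", "sells_or_shares": False},
    {"name": "ad-pixel", "domain": "pixel.adnet.test", "sells_or_shares": True},
    {"name": "social-pixel", "domain": "px.social.test", "sells_or_shares": True},
]


def gpc_opted_out(headers: dict[str, str]) -> bool:
    """True when the request carries Sec-GPC: 1 (the only value the spec defines).
    Browsers expose the same signal to scripts as navigator.globalPrivacyControl."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def tags_to_render(headers: dict[str, str], catalogue=TRACKER_CATALOGUE) -> list[str]:
    """Decide server-side which tags go into the page. Vendors that sell or share
    data are dropped for opted-out visitors instead of trusting the vendor's own
    script to check the signal."""
    opted_out = gpc_opted_out(headers)
    return [t["name"] for t in catalogue if not (opted_out and t["sells_or_shares"])]


def well_known_gpc(last_update: str) -> str:
    """Body for /.well-known/gpc.json, which announces that the site honours GPC."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def _belongs_to(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def audit_after_opt_out(request_log: list[dict], catalogue=TRACKER_CATALOGUE) -> list[str]:
    """Given requests observed while the browser sent Sec-GPC: 1, return the names
    of data-selling vendors that still received traffic. Run this against a staging
    page instead of relying on the vendor's assurance."""
    selling = [t for t in catalogue if t["sells_or_shares"]]
    fired = set()
    for entry in request_log:
        host = urlparse(entry["url"]).hostname or ""
        for t in selling:
            if _belongs_to(host, t["domain"]):
                fired.add(t["name"])
    return sorted(fired)


if __name__ == "__main__":
    opted_out_headers = {"Host": "shop.example.test", "Sec-GPC": "1"}
    print(tags_to_render(opted_out_headers))   # ['analytics-core']
    print(well_known_gpc("2026-04-15"))
    # Constructed capture from a page load made with GPC enabled.
    log = [
        {"url": "https://shop.example.test/"},
        {"url": "https://analytics.example-vendor.test/collect"},
        {"url": "https://px.social.test/tr?id=123"},
    ]
    print(audit_after_opt_out(log))            # ['social-pixel']: that tag ignored the signal
```

The gate and the audit are deliberately separate: the gate is what you ship, the audit is how you find out which vendors would have ignored the signal if you had let their script decide.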
Zig
Zig 0.16.0, released after eight months of work from 244 contributors, introduces three architectural shifts for the language. The headline feature "Juicy Main" adds dependency injection to the main() function via a process.Init parameter that grants access to a pre-initialized arena allocator, general-purpose allocator, default I/O, environment variables, and CLI arguments — dramatically reducing boilerplate. The I/O system is redesigned as an interface-based abstraction supporting multiple implementations (Threaded, Evented) and laying groundwork for async/cancelable operations. The release also removes the @Type builtin in favor of explicit functions like @Int and @Struct, ships a new ELF linker, expands target support, and upgrades to LLVM 21. For existing Zig codebases the migration path is well-documented, and the new I/O interfaces represent a significant step toward Zig's long-deferred async story.
Cloudflare Blog
Securing Non-Human Identities: Automated Revocation, OAuth, and Scoped Permissions
Cloudflare announced three developer security features aimed at the fast-growing surface area of non-human identities (API tokens, OAuth integrations, and agent credentials) in agentic AI systems. New scannable API token formats, with recognizable prefixes and checksums, let credential scanners and Cloudflare's GitHub partnership detect and revoke leaked tokens as soon as they appear in public repositories; the checksum is what lets a scanner confirm a candidate string offline before triggering revocation, the same design GitHub adopted for its own token prefixes. A new Connected Applications UI surfaces all OAuth-connected third-party tools per account with revocation controls, and resource-scoped RBAC now extends least-privilege permissions down to individual Access Applications, Policies, and Service Tokens rather than stopping at account-wide roles. With GitGuardian reporting 28 million secrets leaked to GitHub annually, a rate it says rises roughly fivefold with AI-assisted development, these controls address a real gap as organizations deploy autonomous agents that need scoped, auditable access to production infrastructure.
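What makes a token "scannable" is a fixed prefix plus a checksum that a scanner can verify without any API call. The block below is an added example illustrating that design; it is not Cloudflare's code, and the cfx_ prefix, field lengths, and CRC32-in-base62 layout are hypothetical choices for the demo rather than Cloudflare's actual format.

```python
"""Scannable API token format with prefix and checksum (added example; the cfx_
prefix and layout are hypothetical, not Cloudflare's real format). The checksum
lets a scanner confirm a match offline before calling a revocation API, which is
what keeps false positives out of an automated revoke pipeline."""
import re
import secrets
import string
import zlib

ALPHABET = string.ascii_letters + string.digits  # base62
PREFIX = "cfx_"      # assumption: hypothetical, chosen to be rare in ordinary text
BODY_LEN = 32        # 32 base62 chars is roughly 190 bits of entropy
CHECK_LEN = 6        # 62**6 > 2**32, so a CRC32 fits in six chars


def _base62(n: int, width: int) -> str:
    digits = []
    for _ in range(width):
        n, rem = divmod(n, 62)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def checksum(prefix_and_body: str) -> str:
    """CRC32 over prefix+body as a fixed-width base62 string. Not a secret and not
    an integrity MAC: it only rules out accidental matches, which is all a scanner
    needs."""
    return _base62(zlib.crc32(prefix_and_body.encode()) & 0xFFFFFFFF, CHECK_LEN)


def make_token(body: str) -> str:
    if len(body) != BODY_LEN or any(c not in ALPHABET for c in body):
        raise ValueError("body must be %d base62 characters" % BODY_LEN)
    return PREFIX + body + checksum(PREFIX + body)


def new_token() -> str:
    return make_token("".join(secrets.choice(ALPHABET) for _ in range(BODY_LEN)))


# Candidate pattern for a scanner: the prefix followed by exactly body+checksum
# base62 characters, not embedded inside a longer identifier.
TOKEN_RE = re.compile(
    rf"(?<![0-9A-Za-z_]){re.escape(PREFIX)}[0-9A-Za-z]{{{BODY_LEN + CHECK_LEN}}}(?![0-9A-Za-z])"
)


def is_valid_format(candidate: str) -> bool:
    """Shape and checksum both match. Whether the token is live is only knowable
    from the issuer's API; that is the call a scanner makes next."""
    if TOKEN_RE.fullmatch(candidate) is None:
        return False
    return checksum(candidate[:-CHECK_LEN]) == candidate[-CHECK_LEN:]


def scan(text: str) -> list[str]:
    """Return checksum-verified tokens found in text (a diff, a log line, a gist)."""
    return [m.group(0) for m in TOKEN_RE.finditer(text) if is_valid_format(m.group(0))]


if __name__ == "__main__":
    tok = new_token()
    # Constructed snippet of the kind a commit scanner sees.
    sample = f'CF_TOKEN="{tok}"  # oops\nplaceholder="cfx_' + "x" * 38 + '"'
    print(tok, is_valid_format(tok))
    print(scan(sample))   # only the real token survives the checksum
```

The regex alone would also flag the placeholder string in the sample; the checksum is what drops it, so the revocation hook behind scan() can act on every hit without a human in the loop.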
GitHub Blog
Hack the AI Agent: Build Agentic AI Security Skills with the GitHub Secure Code Game
GitHub launched Season 4 of the Secure Code Game, a free hands-on security training game now focused entirely on agentic AI vulnerabilities catalogued in the OWASP Top 10 for Agentic Applications 2026: prompt injection, tool misuse, goal hijacking, identity abuse, and memory poisoning. Players attack ProdBot, a deliberately vulnerable AI assistant that progressively gains bash execution, web browsing, MCP server connections, persistent memory, and multi-agent orchestration across five levels — with each capability upgrade introducing a new attack surface to discover through natural language prompts alone. The timing is pointed: a Dark Reading poll found 48% of cybersecurity professionals expect agentic AI to be the top attack vector by end of 2026, yet only 29% of organizations deploying these systems feel security-ready. The game runs in GitHub Codespaces with no setup and no prior AI experience required.
aphyr
The Future of Everything Is Lies, I Guess: Work
In the latest installment of his ongoing series, Kyle Kingsbury examines how LLM-driven development is poised to reshape software engineering — and not cleanly. His core argument: corporations are adopting LLMs as cut-rate developers while ignoring that unlike compilers, LLMs produce unpredictable, security-vulnerable output with no reliable verification model, and that the normalization of unreliable AI-generated code is a structural risk to system quality that compounds over time. Drawing on automation research showing deskilling effects — doctors who rely on AI polyp detection perform measurably worse at spotting adenomas — Kingsbury warns that the industry faces either entrenched technical debt from normalized AI unreliability or mass labor displacement that concentrates wealth in the hands of a small number of tech monopolies. The piece is a rigorous, empirically grounded counterweight to straightforward AI productivity optimism.