Ungovernable Misfits
Technology, Arts
INTRO

Episode Summary

A bi-weekly news show informing you on the latest in Bitcoin, privacy and open source tech hosted by Ungovernables, Max and Q.

AOB

  • All aboard the vibe train
  • FTF with Max TQ got some holidays coming up
  • Keonne appeal

NEWS

Bisq v1 trade protocol exploit: 11.59 BTC drained, fully reimbursed, hardening shipped in 1.10.0 (bisq.community PSA, Bisq on X, reimbursement plan on GitHub)
Disclosed: 2026-05-01
Bisq's v1 trade protocol had a missing validation check on taker-side input. Because maker and taker were supposed to use the same miner fee, a malicious taker could push a bad fee value through the transaction math and shrink the multisig output to 0.001 BTC while sweeping the rest into the taker's change. Attacker drained 11.59 BTC from 10 users, all on altcoin trades. Maintainer Henrik Jannsen filed a reimbursement plan on GitHub on May 3, payouts in BTC (with BSQ as optional), DAO vote scheduled around May 25. The hotfix landed as Bisq 1.10.0 on 2026-05-16 with broader hardening: trade protocol checks, network message validation, release verification, supply-chain hardening. The Bisq team explicitly flagged the incident as a likely AI-assisted exploit, though they did not detail how AI was used.

Sterlingov Appeal: The Criminalization of Privacy (therage.co)
Published: 2026-05-12
The appellate court reviewing Roman Sterlingov's Bitcoin Fog conviction openly suggested that mixers remain "legal in theory but not practice" once criminals use them. Judges questioned whether running an internationally accessible service forces compliance with every jurisdiction's licensing regime.

Pro-law-enforcement CLARITY Act advances out of Senate Banking (therage.co)
Published: 2026-05-15
The Digital Asset Market Clarity Act passed committee with expanded surveillance provisions: Bank Secrecy Act integration sixteen times over, new PATRIOT Act special measures. Privacy advocates flagged the breadth of data collection on Americans who haven't done anything.

CVE-2024-52911 disclosed in Bitcoin Optech #405, fix has been in Bitcoin Core 29.0+ since release (https://bitcoinops.org/en/newsletters/2026/05/15/)
Published: 2026-05-05
Use-after-free in parallel script validation between Bitcoin Core 0.14.0 and 28.x. Required attacker-supplied proof-of-work, so practical attack window was narrow, but the bug sat unannounced across many versions.

Bitcoin Knots 29.3 enables BIP-110, fork-off countdown started (release notes) + Lopp's countdown
Published: 2026-05-09 (release)
Knots 29.3 ships RDTS soft-fork enforcement on by default. Nodes running Knots with this flag set will fork off the network in August unless they change behaviour. Lopp set up a countdown.

Bybit exploit post-mortem (Blockstream): enterprise multisig + hardware wal



  • The judges openly in the hearing suggested that Mixer's, quote, legal in theory, but not in practice once criminals start using…
  • Welcome back to the Bitcoin Brief, the show where me and q and a catch up every two weeks to talk about Bitcoin, privacy, open…