Chasing digital badness at the citizen lab. All words here are my own.
Public Key
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj
Profile Code
nprofile1qqsxp8ccdjsz84jccrlqr9tsguh4j4ju30sac93mz4ql4jwep2jw3tcpz3mhxue69uhhyetvv9ujuerpd46hxtnfduqs6amnwvaz7tmwdaejumr0dsrm7gxt
Published at
2025-08-01T22:28:06+02:00
Last Notes npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr They showed us cute missing dogs & we consented to opt into a mass human tracking system. I think Ring's wants to be Flock. On steroids. Because instead of just sketchy cameras in parking lots, Search Party will cover your own backyards & homes. https://blossom.primal.net/e4d0c92c8190d6d808b4f1d54e06031e1358d317344aa71d1809f7403f253c04.mp4 And if you & your neighbors want to challenge the loss of privacy? Well, how exactly would you do that effectively? Because, instead of going to the city council, looking at the contracts, and calling out your mayor for speeding your city to dystopia, it's massive and distributed. Will you even know which of your neighbors is now helping to feed the system? If we had half competent privacy regulators & laws in the US this kind of thing would be a big, hard fight for Ring. Instead? It's a Super Bowl commercial. Oh, and yeah Ring has already partnered with Flock Safety to incorporate tools letting the government directly request footage npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr I TRUST YOU BUT YOUR AI AGENT IS A SNITCH: Why We Need a New Social Contract We’re chatting on Signal, enjoying encryption, right? But your DIY productivity agent is piping the whole thing back to Anthropic. Friend, you’ve just created a permanent subpoena-able record of my private thoughts held by a corporation that owes me zero privacy protections. https://blossom.primal.net/220613c4d3889e2403ef4c836490cefbb81822b190b270076e289d2a2e057a85.png Even when folks use open-source agents like #openclaw in decentralized setups, the default /easy configuration is to plug in an API resulting in data getting backhauled to Anthropic, OpenAI, etc. And so those providers get all the good stuff: intimate confessions, legal strategies, work gripes. Worse? 
Even if you’ve made peace with this, your friends absolutely haven’t consented to their secrets piped to a datacenter. Do they even know? Governments are spending a lot of time trying to kill end-to-end encryption, but if we’re not careful, we’ll do the job for them. The problem is big & growing: Threat 1: proprietary AI agents. Helpers inside apps or system-wide stuff. Think: desktop productivity tools by a big company. Hello, Copilot. These companies already have tons of incentive to soak up your private stuff & are very unlikely to respect developer intent & privacy without big fights (Those fights need to keep happening) Threat 2: DIY agents that are privacy leaky as hell, not through evil intent or misaligned ethics, but just because folks are excited and moving quickly. Or carelessly. And are using someone’s API. I sincerely hope is that the DIY/ OpenSource ecosystem that is spinning up around AI agents has some privacy heroes in it. Because it should be possible to do some building & standards that use permission and privacy as the first principle. Maybe we can show what’s possible for respecting privacy so that we can demand it from big companies? Respecting your friends means respecting when they use encrypted messaging. It means keeping privacy-leaking agents out of private spaces without all-party consent. Ideas to mull (there are probably better ones, but I want to be constructive): Human only mode/ X-No-Agents flags How about converging on some standards & app signals that AI agents must respect, absolutely. Like signals that an app/chat can emit & be opted out of exposure to an AI agent. Agent Exclusion Zones For example, starting with the premise that the correct way to respect developer (& user intent) with end to end encrypted apps is that they not be included, perhaps with the exception [risky tho!] of whitelisting specific chats etc. 
This is important right now since so many folks are getting excited about connecting their agents to encrypted messengers as a control channel, which is going to mean lots more integrations soon. #NoSecretAgents Dev Pledge Something like a developer pledge that agents will declare themselves in chat and not share data to a backend without all-party consent. None of these ideas are remotely perfect, but unless we start experimenting with them now, we're not building our best future. Next challenge? Local Only / Private Processing: local-First as a default. Unless we move very quickly towards a world where the processing that agents do is truly private (e.g. not accessible to a third party) and/or local by default, even if agents are not shipping signal chats, they are creating an unbelievably detailed view into your personal world, held by others. And fundamentally breaking your own mental model of what on your device is & isn't under your control / private. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: Microsoft turned over Bitlocker keys to FBI. https://blossom.primal.net/d53ad480f6b41bdac3078baa310c1c1f813fba8c981079b8afb23e0f250a06f4.png When you key escrow your disk encryption with someone, they can be targeted with a warrant. This case is a really good illustration that if you nudge users with a default to save their keys with you... they will do so & may not fully understand the implications. https://blossom.primal.net/6fd6c36cc07d44c8bd380439cb8fe0b3d2c23acc92f615ba804dcb1fdb0489cc.png Of course, once the requests start working... they are likely to accelerate. Story: https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Hotel toilet privacy is disappearing. Glass doors. Or no door. Or a big window into the room. Who is asking for this? 
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Suddenly hearing about zcash everywhere. Feels inorganic. What's up? npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr YIKES: NSO floats Pegasus spyware use in a "time of domestic crisis" in 🇺🇸America. I believe they won't stop lobbying until they get Pegasus into USA. To hack Americans. https://blossom.primal.net/ede4092ee60114cd3466cf082d7633a9954be5ba91db50c289a4fb2b9ccf8ee1.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr POV: you can't sleep because your bed can't talk to AWS. https://blossom.primal.net/f40fdc9b25221afe46b052d2bcc18bac615d331f0dc7410af485942b8717a350.png Design thinking that inserts brittle dependence into our lives while extracting fees for life. Don't be these guys. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr GOOD MORNING. Today's massive outages nicely illustrate which of your favorite internet things are secretly Amazon-dependent. Specifically on US-EAST-1 Region, which woke up with Main Character Syndrome. Result? Massive outages. Sure, Amazon has regions. https://blossom.primal.net/aed56335234470f2190b1dab671bc3f2381aeb1947f60d282eedcc7d3eff1141.png But US-EAST-1 is the legacy/default for a pile of services...and other Global Amazon services also depended on it. So when there was trouble...it was quickly everywhere. Hyperscalers rule *almost* everything around us. And this is absolutely bad news for all sorts of resiliency. https://blossom.primal.net/8c682d82f772411b5beec356ae30c14b97d8c3cd700456265ce046fa17459478.png Amazon sez: root cause = DNS resolution with DynamoDB... which a ton depends on. They say they are mostly mitigated & have a pile of backlog to clear. https://blossom.primal.net/22ec4642c3406c5e5d2266279370e338e07f91709b5e15e13f5208898899eb14.png But this is a great moment to think about just how many eggs that matter are in one basket... 
https://health.aws.amazon.com/health/status npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: 🇰🇵DPRK hackers have begun hiding malware on blockchain. Result, decentralized, immutable malware from a government crypto theft operation. https://blossom.primal.net/a107de401a522d0914a28dec26d00b96e8444e3d25259e14cfaa04a023b098b4.png It only cost $1.37 USD in gas fees per malware change (e.g. to update the command & control server) https://blossom.primal.net/4ba1cadacaac86882f3363c59e5320db53dd97c6a53fe5a689e49387e81eaa36.png Blockchains as malware dead drops are a fascinating, predictable evolution for nation state attackers. https://blossom.primal.net/29d96437b500d63006608b3bba6fdf5ae776c29ff697dfb7485b7aafbbbe38e7.png And Blockchain explorers are a natural target. https://blossom.primal.net/4a0cb4b61499359f7d3048d03000f6cce432c7211615a8029f1f7515c379de35.png Nearly impossible to remove. https://blossom.primal.net/816dce991b4bd694b9def92d508ae5c35f77df7fd13627ebeb5c8f223e538407.png Experimentation with putting malware on blockchains is in infancy. Ultimately there will be some efforts to try and implement social engineering protection around this, but combined with things like agentic AI & vibe coding by low-information people...whew boy this gold seam is going to be productive for a long time. Still, where here they used social engineering, I expect attackers to also experiment with directly loading zero click exploits onto blockchains targeting things like blockchain explorers & other systems that process blockchains... especially if they are sometimes hosted on the same systems & networks that handle transactions / have wallets. REPORT: https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: Cost to 'poison' an LLM and insert backdoors is relatively constant. Even as models grow. 
Implication: scaling security is orders-of-magnitude harder than scaling LLMs. https://blossom.primal.net/1bdbe13fe20b39f757d6d440b416a74a2099c63cb50bc344cc1d2e96f7c4646b.png Prior work had suggested that as model sizes grew, it would make them cost-prohibitive to poison. https://blossom.primal.net/d44c301ef8c297ee3eb30c7e8a161b5dcecc8618dee83607d1532d9d9ad63b02.png So, in LLM training-set-land, dilution isn't the solution to pollution. Just about the same size of poisoned training data that works on a 1B model could also work on a 1T model. https://blossom.primal.net/2c635801a74e4ddc0628adb7d1f1942cb4431550474696a7a7e36702ecb042b7.png I feel like this is something that cybersecurity folks will find intuitive: lots of attacks scale. Most defenses don't PAPER: POISONING ATTACKS ON LLMS REQUIRE A NEAR-CONSTANT NUMBER OF POISON SAMPLES https://arxiv.org/pdf/2510.07192 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: breach of Discord age verification data. For some users this means their passports & drivers licenses. Discord has only run age verification for 6 months. Age verification is a badly implemented data grab wrapped in a moral panic. https://blossom.primal.net/41c3acf48c2d6d9095223d518594566dd9a6362fd09c6bd7a4c2bbb5f5649efd.png Proponents say age verification = showing your ID at the door to a bar. But the analogy is often wrong. It's more like: bouncer photocopies some IDs, & keeps them in a shed around back. There will be more breaches. But it should bother you that the technology promised to make us all safer, is quickly making us less so. STORIES: https://www.forbes.com/sites/daveywinder/2025/10/05/discord-confirms-users-hacked---photos-and-messages-accessed/ https://www.theverge.com/news/792032/discord-customer-service-data-breach-hack npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr PAY ATTENTION: The UK again asked Apple to backdoor iCloud encryption. 
Backdoors create a massive target for hackers & criminal groups. https://blossom.primal.net/39751af1c5bba2b2166341f8135068f8c6e54bdfa6911c5313e1bfce4dffb9c9.png Dictators will inevitably demand that Apple build the same access structure for them. They insert vulnerable bad things right at the place where we need the strongest protections. https://blossom.primal.net/cb31d7e5e9ee2da9699e80cda202b1e2ff77feafbfb9eaded77b93f8a2d672ee.png This latest attempt to demand access is *yet another* unreasonable, secret demand on Apple (a TCN) from the Home Office.... https://www.ft.com/content/d101fd62-14f9-4f51-beff-ea41e8794265 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Friend, If scrolling leaves you feeling hollowed... If anger is frictionless and thinking feels like fighting the current, You're not swimming, you're being swept in an algorithmic rip tide. And your mental clarity is the target. So, take a beat and step out Put the thing down. Connect with your own thoughts. It's what the designers of these algorithms fear most. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr The internet needs YOU to stand up against surveillance abuses & mercenary spyware. Thank you for your attention to this matter. #nevent1q…wdyg npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: foreign mercenary spyware is coming to the US. ICE just quietly unsuspended contract with spyware maker #Paragon. They got caught this year being used to hack journalists. Friend, let me me bring you up to speed on why this is bad on multiple fronts. https://blossom.primal.net/9149c1061b8c41d34f95e36d74f9197bffaaeca0d854081bf16ad63cbde6e22f.png YOUR BACKGROUND BRIEF: #Paragon was co-founded in Israel in 2019 by ex head of Israel's NSA equivalent (Unit 8200) w/ major backing from former Israeli PM Ehud Barak. Pitched themselves as stealthy & abuse-proof alternative to NSO Group's Pegasus. 
https://blossom.primal.net/20174dc33c0dfd6b2e621b62621d0ed0d672acde5a2db5ac5e74a93eda49714a.png The company has been trying to get into the US market for years. For a long time all we knew about Paragon was their performance as a 'virtuous' spyware company with values. https://blossom.primal.net/5255146af326cbbd9240db89a6ec67a8b298bae0f91d897ec1161573e19363a7.png All that came to a crashing halt in 2025 when they got very caught, helping customers hack targets across #WhatsApp. WhatsApp did the right thing & notified users. https://blossom.primal.net/eac330ca904f2815e0a813106efe494fd28fd512728b6e561b3c92a4ea309393.png Almost immediately after the WhatsApp notifications, we started learning about the targets. They weren't the supposed serious criminals... They were Journalists... human rights defenders...groups working on sea rescues.. etc In other words, a very NSO-like scandal. https://blossom.primal.net/a530f88b24d07ffae346e2ed762a391f0e3908142a1aa2032a87bcfe0fb649b0.png Ultimately Paragon & its Italian customer had a massive spyware scandal on their hands. WhatsApp wasn't the only player tracking paragon & doing user notifications. Apple got in on the game. Ultimately, we at the Citizen Lab had forensically analyzed cases from each notification round. https://blossom.primal.net/312ea0ccc0a650ab5d77c84cd714687bb6e0f18f47159ae91562a2b7f98270ec.png We testified to Italy's parliamentary intelligence oversight committee about our findings. https://blossom.primal.net/e6cfcf41d686d7fd1c64f12caf1fc2e5e93b9912536fd63abb51259c4a6633b9.png https://blossom.primal.net/79cb9ecdfe9c86ba9a4e051f93b8f74d9329f7b14a68e4b1ad7cf382c227d8e0.png The conclusion? Deeply unsatisfactory. Italy admitted hacking some targets, but denied hacking journalists. Tons of loose ends with Paragon. And they haven't been honest about who used their tech to hack journalists in Europe. 
BIG PICTURE: After 14 years investigating countless spyware companies, I tell you with confidence: Mercenary spyware is a power abuse machine incompatible with American constitutional rights and freedoms. Our legal system isn't designed for it, oversight mechanisms are woefully inadequate to protect our rights... Here's the thing. You probably know that mercenary spyware like #Pegasus gets sold to dictators. Who, predictably, abuse it. But We have a growing pile of cases where spyware is sold to democracies... and then gets abused. HISTORY LESSONS History shows: secret surveillance usually winds up abused. The history of the US is littered with surveillance abuses. Thing is, our phones offer an unprecedented window into our lives. Making zero-click mercenary spyware an especially grave risk to all our freedoms. If the government has wants access to your accounts for law enforcement...they have to prepare a judicially authorized request and send it to the company, which reviews it. Mercenary spyware bypasses any external review. And the whole industry behind it seeks maximum obscurity. COUNTERINTELLIGENCE THREATS? YEAH THAT TOO I'm concerned about the impact on our rights an dour privacy. But there's something else that should worry everybody about the choice to work with the company: Paragon poses a potentially grave counterintelligence threat to the US. Let me explain. When you use an integrated spyware package to conduct sensitive law enforcement / intelligence business, you have to place a lot of trust in them... If the developers originate from a foreign intelligence service that aggressively collects against the US government, that should be a huge red flag. America (or any country) should be maximally wary about using foreign-developed surveillance tech for the same reason that America shouldn't operate a Chinese-made stealth fighter. So, have Paragon's spyware, people & ops been aggressively vetted for technical and human counterintelligence risks? 
MERCENARY SPYWARE = FATE SHARING Paragon's #Graphite mercenary spyware shares the same downsides as other products in their class: ❌They keep getting caught We researchers aren't the only ones that have found techniques for tracking and identifying Paragon spyware... I'm sure hostile govs have too. https://blossom.primal.net/0e709adfa8b5b3dd375c80180988f8e322c36d1803e4c25ec1bde250716c8302.png ❌Customers fate share. Since all customers roll the same tech, when one gets caught it impacts & potentially exposes everyones' activities. Now, that fate sharing will include US law enforcement activity. WHAT CAN YOU DO? What can you do? Take 5 minutes and call your member of Congress. Ask them to request a briefing on Paragon. They should ask whether the company was properly vetted & reviewed. What is the oversight mechanism for this maximally invasive technology? What are the guardrails? How would abuses be handled? Etc. PERSONAL SECURITY? Paragon & this category of spyware is fiendishly hard to track & defend against. And on a personal level? Apple's Lockdown Mode & Android Advanced Protection both offer some serious security benefits but neither is a silver bullet.. Unfortunately, as of right now I am pretty confident that no publicly available / commercially developed third party tool can reliably detect Paragon spyware either in realtime. Or retrospectively. Beware a false sense of security. If you got this far & found this post useful, let me know! Drop a comment. SELECTED READING LIST Exclusive: ICE reactivated its $2 million contract with Israeli spyware firm Paragon, following its acquisition by U.S. capital https://jackpoulson.substack.com/p/exclusive-ice-has-reactivated-its Virtue or Vice? 
A First Look at Paragon’s Proliferating Spyware Operations https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/ Graphite Caught First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr GOOD MORNING: WhatsApp caught & fixed a sophisticated zero click attack... They just published an advisory about it. Say attackers combined the exploit with an Apple vulnerability to hack a specific group of targets (i.e. this wasn't pointed at everybody) https://blossom.primal.net/b39ccf0552138996a4f86c4ff97fd60d7610ce71fc30f309cc8040b7aab8cfff.png That's a CROSS-APP exploit chain. Which is fancy. We'll discuss in a second. But wait, you say, haven't I heard of WhatsApp zero-click exploits not so long ago? You have. A big user base makes a platform big target for exploit development. Attacker's perspective = an exploit against a popular messenger gives you potential access to a lot of devices. The regular tempo of large platforms catching sophisticated exploits is a good sign. They're paying attention & devoting resources to a growing category: highly targeted, sophisticated attacks. But it's also a reminder of the magnitude of the threat. https://blossom.primal.net/bd2bae1825b7e29da59df2eaf0ac9bd5b3bec75ae8260e135dcdec3de45f8b11.png Here's the Apple CVE. Somewhere, earlier this summer, some people in a room probably had a bad day when this clever cross-app chain stopped working. The cross- app chain = probably also a sign of the increasing tech lift required to get to device compromise. Consequence of various mitigations. The cost-to-compromise is only going up. Which is arguably a sign that the increasing scrutiny + efforts by platforms & OS developers is having an impact. 
That said, the threat of this stuff is going nowhere because there's an infinite governmental appetite for compromise. Still, I'd argue that increasing costs of zero-clicks has the effect of pricing out a bunch of potential actors which slows the proliferation of this tech to *some* bad actors. WhatsApp Advisory: https://www.whatsapp.com/security/advisories/2025/ Apple Advisory: https://support.apple.com/en-us/124925 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Did the University of Chicago blow their endowment on shitcoins? Nobody is exactly sure how much they gambled and lost on 'crypto.' But they are now freezing research amidst federal funding cuts. https://blossom.primal.net/80f8ea9b854920942d5ae0ea946c28e5763ac291ea148e09ea65c3605bddf749.png If only they'd put that money into BTC those labs where I slaved away as an undergrad would be humming. Source: https://stanfordreview.org/uchicago-lost-money-on-crypto-then-froze-research-when-federal-funding-was-cut/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Government‑mandated KYC to read is coming fast. And the walls of castle freedom are cracking. https://blossom.primal.net/0adf7bd998849dbe165fb9fd64a56ce4b23353d0b8e8ff04c47f678d490eeaac.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Why haven't mosquitoes evolved silent flight? npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr "everybody who's out there thinking of using VPNs, let me just say to you directly, verifying your age keeps a child safe...So let's just not try and find a way around. Just prove your age." - UK government. https://blossom.primal.net/603be98e6ef0e56611d5583c63c9ec0b2461541b81785456cd0441048b2db5d3.mp4 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr WHOA: Could Germany Ban Ad Blockers? German megapublisher Axel Springer is asking a German court to ban an ad-blocker. They claim HTML/ CSS of their sites are protected computer programs. 
And influencing they are displayed (e.g by removing ads) violates copyright. https://blossom.primal.net/f1aac1c7cba207b4d4e91d2b267422fa792447a5cdcdc9d3b27edc3deb899a7a.png I'm in puzzled wonderment at this claim. Preventing ad-blocking would be a huge blow to German cybersecurity and privacy. https://blossom.primal.net/a92542ec974ecc602b7befd2400ae837980bd04b2f7ebf0dfe9744ae8807b2bd.png There are critical security & privacy reasons to influence how a websites code gets displayed. Like stripping out dangerous code & malvertising. Hacking risks from the online advertising are documented. https://blossom.primal.net/f3ed60773ca3408465acd4dbfdbb649bb9b209ea5d976dcb3b8a15e7b3e15e93.png Any attempt to force Germans to run all of the code on a website without consideration for their privacy and security rights and needs will end very, very poorly. Defining HTML/CSS as a protected computer program will quickly lead to absurdities touching every corner of the internet. Just think of the potential infringements: -Screen readers for the blind -'Dark mode' bowser extensions -Displaying snippets of code in a university class -Inspecting & modifying code in your own browser -Website translators Or blocking unwanted trackers. This is why most governments do it on their systems. https://blossom.primal.net/b1d66083392034b2062aebd1cb6059fcca669520b50d065e54dc4dce4bde8c69.png I'm not a lawyer, but if Axel Springer wins the consequences are just nuts: Basic stuff like bookmarking & saving a local copy of a website might be legally risky. The Wayback Machine & internet archives and libraries might be violators. This might even extend to search engines displaying excerpts of sites. Code sharing sites like GitHub could become a liability minefield... The list goes on and on. Finally, only one country has banned ad-blockers. China. This is not good company for Germany. 
READ MORE: From Mozilla https://blog.mozilla.org/netpolicy/2025/08/14/is-germany-on-the-brink-of-banning-ad-blockers-user-freedom-privacy-and-security-is-at-risk/ Bleeping Computer: https://www.bleepingcomputer.com/news/legal/mozilla-warns-germany-could-soon-declare-ad-blockers-illegal/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: UK reportedly drops secret demand for Apple encryption backdoor. Good. https://blossom.primal.net/38dc0f66a1f407c85c64a7ea0db90a8f3bb5e7d335249f4036c91589b551842e.png While there was strong activist pressure here the key push came from the US government. https://blossom.primal.net/5575a11ab7e5879e296f79d5ef9719175c0b6582643c0493cd8719a2b8030a50.png But there is zero rest for the weary as the UK has been leaning much harder into Age Verification. Which is another mechanism for gaining deep visibility into peoples online activity. Story: https://www.theverge.com/news/761240/uk-apple-us-encryption-back-door-demands-dropped npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Yeah! Humans do OSINT. Some do it super well. So what is different about an automated house locator as a service that uses dwelling interior pics? Turns out we counted on friction to protect us. Not rules. Not norms. There just weren't millions of Trevor Rainbolts that could act instantly OSINT anything that invasive. https://blossom.primal.net/169aae69feb40bf254177ebfa8c1216f3fca6d771fd556ea6ec8430bebfdb8c7.png It was a cost thing. Meanwhile the datasets were getting collected. Zillow. AirBnB.. etc etc. When the right invasive automation came along... the privacy / rights intrusion became automated & scaled. Unstoppable. And we were left unprotected. Like with so many privacy & power things. #nevent1q…yr9a npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Location tracking based on interior pictures. It will be abused to target people. Post the inside your place at your peril. 
https://blossom.primal.net/37c8d6d2f6c2c9ce1d8d3332fbbfd044b20ec93e0af249f1013d527e55532178.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Earliest days of vibecoding-as-a-target. Without a radical increase in security, vibecoders will get wiped out & lose their savings. https://blossom.primal.net/c462c603484af25db18c1ac377645528de47bb89f48612b656267f31383441b8.png And their companies will get hit with fat breaches. https://blossom.primal.net/ca0c5f4be51943cf17235bfa2bbb3aaa4f245ab73676de62df359e56192a3694.png Me? I'm waiting for attackers to figure out how to reliably slip backdoors into vibecoded outputs at scale. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Neuroticism? Ripping. Conscientiousness & agreeableness? Dipping. https://blossom.primal.net/c12eb7010fba26e5ad3391a0d55e47d3a9bf61fccd2b5aacd584aa86e528da2b.png Via FT: https://www.ft.com/content/5cd77ef0-b546-4105-8946-36db3f84dc43 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: 🇩🇪Germany's top court says spyware severely violates fundamental rights. Bans spyware in cases with <3year sentences. Enforces tough proportionality tests on all surveillance. https://blossom.primal.net/c1cb0062fe7c265c22c8d71453b0ba4ac6686c1aedb23f72b02e4b4e2801fb86.png Restricts spyware to serious cases. Interesting development. https://blossom.primal.net/a2ba5661ae80e0ddc56672a4186b5e6dabac8d8c18691a9b4ff7fe0232e6c6bc.png Court says: capturing data at the source (i.e. on someone's phone) is maximally invasive. Especially given how much of our lives happens online. They also surface the security risks to systems from this kind of surveillance. https://blossom.primal.net/30448a7dfdb898087a6e684cba842c1a01d101c4746863db380187171a70fa5d.png Watching Germany's highest court grapple with spyware's invasiveness & rights violations is instructive. States wielding spyware without robust legal limitations and tight judicial oversight... 
are almost guaranteed to be violating their citizens' basic rights. In so many jurisdictions, state secrecy & lack of effective legal challenges means spyware harms happening daily Huge credit to German digital freedoms organization #digitalcourage for bringing this case. Court statement: https://www.bundesverfassungsgericht.de/SharedDocs/Pressemitteilungen/EN/2025/bvg25-069.html npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Internet-connected microphones in school bathrooms. What could go wrong? https://blossom.primal.net/cde78c4f30f6dcc440598f49641fa6c7a29a7a6816f048dce13128be8df7749e.png Mandated microphones in private spaces are a bad idea. Throwing invasive sensors into private spaces rarely fixes socially scary problems. But is almost guaranteed to have risky downsides. https://blossom.primal.net/7da39cdd62cbd37ae4b6ceedc0bfbf8ce729b74809e18f41f697cf54a9b605ea.png Story: https://www.wired.com/story/school-bathroom-vape-detector-audio-bug/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Regular people know that age verification mandates won't work. But they are worried about their children's safety, and they aren't being offered non-dystopian alternatives. https://blossom.primal.net/83ced0c9030964182d85a09e59c52538fd077070dfcace62e06725a5169a0220.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr LLM chat exposures keep on coming. Why? My theory is that these platforms don't do a very good job explaining to users what their public/share features mean. Result: users may think that while something is public that doesn't necessarily mean that anyone is indexing or caching. https://blossom.primal.net/47540c3cb93e3feaed3c145f56d63c4b91dd852cec321aa8255b0bb81112ec0e.png Story: https://www.404media.co/more-than-130-000-claude-grok-chatgpt-and-other-llm-chats-readable-on-archive-org/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr What took them so long? 
Maybe they had to dust off exploits from the 2000s? Or maybe the better question is: how many unnoticed breaches have happened here. It is an open secret (ask any lawyer) that these court filing systems are incredibly out of date. https://blossom.primal.net/9929be055201d173e4091b4a5567af3956e099be1e2a581bf50449498dd1fc22.png https://www.politico.com/news/2025/08/06/federal-court-filing-system-pacer-hack-00496916 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Age verification laws are coming fast. And, from my perspective, opponents are struggling to find impactful messaging to explain to the general public the damage they are about to do to freedom. Or to propose alternate futures that address the underlying anxieties. Sure, most folks that are here on #Nostr intuitively understand the dangers... And nod along when we gesture at the dangers of surveillance overreach. But I worry that the common language for talking about these initiatives typically relies on some priors that are not universally shared outside people that live and breathe concerns about tech. Saying that something is a surveillance dystopia works on me. But not the neighbors. I'm guilty of being inside this language bubble too, and it's hard to escape. Yet, when faced with politicians talking about protecting kids from bad things that parents feel they see right now... I worry that the communities doing pushback are struggling to: 1 -find framing that makes *enough sense* to the vast majority of people that they say 'ok this is net bad' and push back 2- find their own ways to productively connect with the anxieties that politicians are drawing on. E.g. worried parents. 3- offer things that are honest, well meaning alternative paths for the underlying problems Anyone have thoughts on this? #AskNostr npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr It seems to me like a strong anti-AI view is becoming left / progressive coded. I'd love to understand this better. 
Anyone have thoughts?

jsr: Rhisotope https://blossom.primal.net/6d81f88a3bae0b73c45a24e111476ce09e9ab40a27e748c71f6bb86c4265209e.png Sauce: https://www.bbc.com/news/articles/cyvn3264q01o

jsr: Google bad ux. And you'll get your results in Comic Sans. Try it https://blossom.primal.net/fafa11b0f30a66107f1d6d9d3ed88fe5377706cf652e5cca9c981c58168e7965.png

jsr: It is a lot easier to celebrate a turn towards dictatorship when you are untethered to historical knowledge. No amount of centralized power delivers a society with true personal freedom in the long run. History shows that even when dictatorships perform 'well' on some factors, especially in the short term, they send people into a freedom-robbing labyrinth. Do you care about personal liberty? Because in the long run with dictatorships you will lose on having a society that supports freedom, personal rights and liberties and decentralization of knowledge and innovation. Because dictatorships concentrate power without balance. Over time as inequalities & unfairness become severe... the rule gets more brittle. And dictators have to give more favors to the people that help them stay in power. Like economic favors. People with ambition then need to play into the system and help prop up the dictator if they want to keep their resources. Even then they are vulnerable to having everything taken. And for anyone that dares point out increasingly obvious flaws? Well, most dictatorships invariably slide into repression. People with new, better ideas that also happen to challenge the dictator's entrenched interests? Or those of the dictator's necessary economic allies? Family members? Point out corruption? Co-opted or cut down. Fueled by massive surveillance. And the threat of violence.
Because self-censorship scales better than physical coercion on each person. People see opportunity for personal advantage. Some become informers. Some delight in the cruelty of seeing people they dislike arbitrarily punished. And when the strong leader dies? The society can be incredibly unstable as it carries the weight of so many injustices, so many lies. And for the system to persist? More repression needed.

jsr: Vibecoding is super interesting. And powerful. Coding syntax is getting better. But secure coding isn't keeping pace. https://blossom.primal.net/9a78f8fc77ff207e7b616b7b9cf1e8632dcc090d1ca3929a2571096cc37999f9.png In a test of 100 coding models, 45% of them introduced a serious vulnerability. For example, in 86% of tests, code wasn't secured against Cross-Site Scripting.
NOW-TERM IMPLICATIONS
This has big implications. Sure, there are the YOLOcoders that ship whole vibecoded apps without thinking about security. Or code review. Some percentage of their users will get rekt. If those projects get near high risk users, they are sprinkling knives in the weeds with potential for harm.
BUT BIGGER MODELS = BETTER?
Interestingly, even big fat models aren't massively better with security. https://blossom.primal.net/331ac94efdd38beeac1a586c2781d49c4c7add3cef01acbbef3fa32b11c82fda.png
S'EVERYWHERE
My other worry? Vibecoding without security check steps is happening in existing projects / platforms etc. Even when people say they are coding. Sometimes they be vibecoding. This sort of thing has already come to tools you use, including to handle your funds & privacy. Sure secure code writing & review has never been anything near universal, but the scale and speed of new code creation that #vibecoding enables is new.
VULNERABILITY DISCOVERY...ALSO ACCELERATING
ICYMI, vulnerability DISCOVERY is also accelerating a lot faster than secure code creation...
Whole industries are spinning up, including lots of offensive projects.
ME? I #VIBECODE
I love the change in how I create with code. But I think we are in for some really rough times, and the least informed parties are gonna be users. As ever. https://blossom.primal.net/ef770b918129ade63e4ee5fd0d59870ef8ee5f03d3f88aa5acfe8bd13c2085f4.png In the longer run this problem space also seems to offer paths for AI-driven improvement in secure code creation. But since not everything is accelerating at the same pace, the deltas = harm. Sauce: https://www.veracode.com/blog/genai-code-security-report/

jsr: The EU's Digital Identity Wallet project has a lot of big icks. Looking at the GitHub for the Android Age Verification application feels like chewing rocks. https://blossom.primal.net/bdf09dad278f101fecfe66177c4b38e8f209581fac0a3b1ab0d54ea9ed77f18f.png Like the proprietary attestation baked into a must-use form of identification is absolutely the wrong path... https://blossom.primal.net/e6f73e0cb71e378b675adddbd84df59beca65bc034c82b1388e15a4f7d7b3762.png And while we're at it, recall the rule of thumb: Age Verification, either by deliberate or convenient naïveté, is almost always a surveillance trojan horse. Source: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui

jsr: Proton #VPN signups spike 1,400% as the UK Online Safety Act rolls out. Proton says the spike is sustained & higher than when France blocked adult content. https://blossom.primal.net/e0b525ae4751aaaeda34b09f81cea469f36238bd809373b2022a0fe5d8f39e2c.png Source: https://archive.ph/i2d9W

jsr: Tea enforced ID & selfie collection. And doxxed their own users.
https://blossom.primal.net/cb0f2966b486824fac5732238564bc141b938e86007871eabca721bc54373f42.png In other news, the UK Online Safety Act is forcing websites to begin collecting IDs. This will end, predictably, in fresh breaches. https://blossom.primal.net/16f7c9531291322cdc435e7c81e2b24e804e3925f0b0d15f3cc00706af9d0a1e.png And more harm to users.

jsr: Your honor, in my defense I was being extremely productive at the time of the crash. https://blossom.primal.net/3a439dceb61d0fc43f0ead802678afb34067cfed2873206caea8626ad50d7fe1.png

jsr: You read dystopian sci-fi as a warning. These companies found business plans. https://blossom.primal.net/8f7de3a999f76a648e8d3e5a26e7ce06bf3f940a8aefe5e58aa28f3f9250cfc0.png Just as there are war hawks that delight in hard talk about military action, there are surveillance-yearners... https://blossom.primal.net/448aedc9350e2acd8165dceb37af2792dc8a5615d72da5c8f5c605d3d7d72afc.png For reasons I'll never fully understand, the UK politicians aren't just surveillance-permissive. They delight in the idea. Pre-crime preventative detention coming soon... https://blossom.primal.net/9f2638a7681b4cbff6e3d1e2dd3d5f607a028c88ae1a730fb4f29d7ca62344a2.png https://www.theguardian.com/society/2025/jul/01/tech-firms-suggested-placing-trackers-under-offenders-skin-at-meeting-with-justice-secretary

jsr: Mass biometric surveillance is a one-way ticket away from democracy.

jsr: How it began: "our service helps consumers quickly do X..." How it's going: "we help business understand consumer behavior..." Soon: "we're launching a surveillance subsidiary for government customers..."

jsr: You bet. This attack was ...
proper clever

jsr: The funny bit of this is that the whole thing was actually structured around the deception of setting up a ...secure video meeting

jsr: You can patch software, but you can't patch people. This is why social engineering will always work. The human brain is loaded with forever-day vulnerabilities...and attackers are constantly probing. Sometimes I think that they've developed a more applicable & empirically tested theory of human motivation and cognition than psychologists... Sometimes tens of thousands of A/B tests a day...

jsr: Totally. You can patch software, but not the human brain. In this case I'd say there was no greed, he was just doing his job. Which often involves having this kind of meeting. I think part of what worked here is that the attackers were *so slow* and really did things pitch-perfectly to what he'd expect.

jsr: 🚨NEW REPORT from us: exposing a new social engineering/hacking tactic. 🇷🇺Russian state-backed hackers successfully compromised a prominent (& professionally paranoid) expert on Russian military operations. Shocking, right? But the attack is solidly clever & worth understanding. I expect more like it. https://blossom.primal.net/151037fad612bb0112412f07189b1ec3479e3ebd709221dd99af94e1b4123507.png
ATTACK FLOW
Keir Giles gets a message purporting to be from the U.S. State Dept asking for a consultation. The attackers send the message from a gmail, but CC'd a bunch of state.gov email addresses. Including one with the same name as the purported sender. https://blossom.primal.net/e9b747098271f185e66adda014e5d050f570a0120000d74724fd0f376eaa56ba.png Strong credibility signal to have a bunch of gov ppl on the CC line, right?
Well, what the attackers were counting on is that the State Dept mailserver just accepts all email addresses without emitting a bounce. So they seem to have just created some fake State Dept staff names and addresses.
INTRODUCING THE DECEPTION
The attackers wait for the 2nd interaction to introduce the pivotal deception: getting him to 'connect to a secure platform.' https://blossom.primal.net/da077358623aab8cc204741a4db027cf41d461254422fadec7872c2d0a94ed4f.png In the next days they patiently walk him through what they want him to do, even sending a very official looking (but fake) State Dept. document. https://blossom.primal.net/e4dcc76e9e00377d285dfd3392171aeb604f8be0dac94746db4e11459cee65b8.png The attack works like this: the attackers try to deceive the target into creating and sharing an App-Specific Password (ASP) with them. They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works).
REMINDER: WHAT IS AN ASP?
What's an ASP? Well, not every app that users want to use supports Multi-Factor Authentication. Some older email clients for example don't. So providers like #Google let users create a special password just for those apps. https://blossom.primal.net/ecc8d336f426eaa27ae4744e7f4cb4c2cac3edd0ec17d6da83bc77b4673aeac8.png There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it. https://blossom.primal.net/8d0ed38e7478f802ad67adabc91a6e7f8d4e8453b1dd7c2328732864b5aa0815.png Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd. I could go on. They even had Keir enter "ms.state. gov" into the ASP name...
SLOW FOOD SOCIAL ENGINEERING
This attack was like slow food. 10 email exchanges over several weeks! Very much not your run-of-the-mill phishing. It's like they know what we all expect from them...and then did the opposite.
Ultimately, he realized something was wrong and got in touch with us at #citizenlab ... but not before the attackers got access. He's said that he expects some sort of 'leak' constructed out of a mixture of his real messages & carefully added falsehoods. I tend to agree, this is a pretty common tactic. Here's what that looks like, btw, from a report we did back in 2017 where we compared what was released after a hack by Russian hackers vs the original: https://blossom.primal.net/d78c6546306d909b92b1f2df20371c9eeff07b1bfe9081cff27cadf7dc14e1ab.png Coda: Hilariously (to me at least) the attackers called the fake platform *MS DoS* https://blossom.primal.net/ccba459e840ce297664a2bda301d1438b3b8e51b585d169addcf8d21964c7fff.png
WHO DID IT?
Enter the Google Threat Intelligence Group w/analysis & attribution. GTIG had been working on their own parallel investigation. Our friendly social engineers are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor. https://blossom.primal.net/515d82cd455084e58ae7dff4d35bd5d435912eb37851c400975a236e0ee498b0.png Google adds a bonus additional low confidence association to #APT29 (that would be Russia's #SVR). Nice people.
TAKEAWAYS?
Takeaway: some gov-backed groups are feeling pressure & experimenting. Moving from smash & grab phishing... to subtler, slower & perhaps less detectable. Targeting App-Specific Passwords is novel. But it's just part of a trend of state-backed attackers innovating & moving beyond simple phishing that targets credentials (maybe multi-factor codes) towards other mechanisms of account access. https://blossom.primal.net/336640b188c251fa283158375999307dcca111d77eae861bd0a35f74543eed45.png A lot of more sophisticated attackers are also spreading attacks across platforms.. for example starting the attack on Signal/Telegram, then later pivoting to email, etc.
The folks at Volexity (above pic showing a similarly complex operation) have some good reporting on that (link below).
GET SAFER
Do you think you face increased risk because of who you are & what you do?
✅ Use Google's free Advanced Protection Program. Set it up now: https://landing.google.com/intl/en_in/advancedprotection/ https://blossom.primal.net/e5cf606d56a80fd5beff0b27169d03de332bb6653b95bcff6fe4335ec5630dac.png
✅ Exercise extra skepticism when unsolicited interactions slide into suggesting you change account settings! https://blossom.primal.net/56bd9a26f59aa26cfccb5d6aa4570a7b9cb0ad34b25f36fe692098baa3d80e19.png
✅ Talk to your IT/Security team about ASPs. Share the report, we've made some suggestions for them.
READ THE REPORTS
Ours at Citizen Lab: https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/
Google's Post: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
Other citations: Our Tainted Leaks report where we walk through how materials got manipulated & leaked after a Russian gov hack: https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/
Volexity's recent report: https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/

jsr: Searching #Youtube, I ignore content less than 12 months old. To get past the #GenAI sloplayer. https://blossom.primal.net/99a06fdb07f8738feb873f27d84692e7cd8deead8c5fd9051e202e2f3f82291b.png Like a volcanic explosion. Except instead of blanketing the world with ash, it's a smothering burden of low value, low-enjoyment, derivative, error-filled content.

jsr: “The Arab writer can be easily killed by their government under the pretext of ‘national security’" -Turki al-Jasser in 2014, unwittingly predicting how he'd die in 2025.
He was just executed by Saudi Arabia, probably by beheading. For his posts critical of the government. https://blossom.primal.net/f0e519d22a3b0f37db56b234a0d80d685e6e58578c7bf400e7247257d4308002.png He was reportedly tortured while in prison. Story: https://www.theguardian.com/world/2025/jun/18/saudi-arabia-turki-al-jasser-executed

jsr: New: WhatsApp announces that they are adding advertising. Ugh. https://blossom.primal.net/76573b7d579cdd2595cd6d8ea5c47da8fe7c3a4ddaca0c6547805ffe978251f3.png As a researcher working on targeted / 0click attacks (including a few that have been done over WhatsApp..) it's hard to see how this works without opening up a fat new attack surface to be probed. https://blossom.primal.net/433f053e064ffb25187f1fd2e61eba7f82ada119765f79f75a1dbbe438658da7.png I'm also worried about the ways that these advertising signals get used for tracking people in new parts of their digital lives. And it bugs me that it's going to be really hard if not impossible to use WhatsApp in a privacy-first way. What are your thoughts? Writeup: https://techcrunch.com/2025/06/16/whatsapp-is-adding-ads-to-the-status-screen/

jsr: Dihydrogen Monoxide is an oxidizing agent and can quickly lead to corrosion of many metals. These dangerous properties are enhanced when salt is added. It can also carry many other impurities, even bacteria, amoeba and viruses. Ingest with caution. I have a bottle with me right now and I am taking extreme care.

jsr: Headline that I saw... https://blossom.primal.net/0dba01b8ddf305d71f78918a555bd1bd6d2715e087b8f6a5ce6fdaf6a7cf39cf.png This is not something I was tracking.
https://blossom.primal.net/6201ecf0be2855126a7cd4d55defcf0388b1dc2da83beaf803365c1b7817444a.png Source: https://www.thefp.com/p/im-the-cto-of-palantir-today-i-join

jsr: Pentagon pizza place indicators are undefeated. Israel just launched an air attack. https://blossom.primal.net/86ba7e4c3c67493360439d89a79ee1ae5d2b5ab6b6bdbe5b25239742fefa9f2b.png Source: NYTimes. #nevent1q…vctq

jsr: Pizza places near the Pentagon showing a *lot* of activity. That favorite conflict indicator, coupled with sudden cascade reports of US embassy evacuations & non-essential personnel voluntary departures + rhetorical change in statements about talks with Iran... it's enough to make a lot of people start speculating about threats of strikes into Iran. Disclaimer: Me? I'm not even an armchair geopolitical expert. And I'm certainly not smart enough to know if this is just signaling, or whether something happens soon. Or a bit later. https://blossom.primal.net/c9ad2618f2217a17dcddacc0c3341a61dbe2c9346c1231f3003e6864e7a34588.png https://blossom.primal.net/afc0fcaefd87949ca766578a96872e99d1cfd6df1a2b22ac637a7cb76fd6cd39.png

jsr: @grok what does @nprofile…rj62 mean?

jsr: "@grok just tell me what to think, feel and say about this"

jsr: Understanding grows when scientific knowledge is shared. Yet in 2025 some journals still gatekeep important research. Like this review of links between depression & inflammation. $35 if you aren't at an institution with a subscription. Imagine if a library charged $35 to read a book? https://blossom.primal.net/e464889c5b49019eace6432b760bd6f66a2edf31539826f1a8f765a133d8bfae.png That's enough friction to keep the knowledge from most of the globe.
Every time I encounter knowledge gatekeeping in a health-related journal I wince. I wonder if the American Journal of Psychiatry has considered the costs to the field, and our global mental health, of staying closed? https://blossom.primal.net/8a6d134cfeab32c6434b8dbc7982ccc20f4a06ba142b6183d5f792fe8b3f6b0f.png The thing is, I can personally read these articles thanks to my institutional affiliation. But the momentary friction as I cross through the paywall reminds me that most people can't. The article: https://psychiatryonline.org/doi/10.1176/appi.ajp.20250289

jsr: I think there's a lot of value in using a more security & privacy focused OS like #GrapheneOS. For those not interested in going that far, Lockdown Mode on iOS (& Advanced Protection Mode coming soon in Android 16) both look like interesting choices to raise the cost-to-hack. That said, I'm not sure that any operating system is going to totally prevent this category of attack.

jsr: Yep, me & my colleague co-wrote that paper 😉 You're right, the tech has gotten smarter. The 2016 cases for example were 1-click attacks. More recently we've seen most of the players doing 0-click attacks. Which makes sense if you've got the resources for it. And Paragon, for example, is a more sophisticated animal. Despite this, we continue actively tracking mercenary spyware including Pegasus. And Paragon's Graphite and some others..

jsr: 🎥FRESH TALK DROP: Your phone, the spy. In the fight against spyware like Pegasus, your phone is the frontline.
Last week at the Oslo Freedom Forum https://blossom.primal.net/4dc930b72c717f0123891cb0195a1a86086baab8ebfdccbf8b78b1b5316a9551.mp4
Topics:
❌ The dictator's repression toolkit
❌ How mercenary spyware is used to spread fear around the globe
❌ Zero click vs 1 click attacks
❌ What works in the fight to pump the brakes on spyware proliferation
BONUS:
✅ What you can do right now to make yourself harder to hack
Full talk: https://youtu.be/qknOIafYODs?t=63

jsr: Time will reveal this to be a hugely important inflection period. Inspiring to see @nprofile…xncl lean in. #nevent1q…7k0d

jsr: This kind of thoughtful answer is why I decided to #asknostr first. Thank you @nprofile…zy8w

jsr: I keep getting asked for recommendations from journalists & dissidents for the "most private #AI". Their concerns about privacy aren't wrong. And are probably prescient. Prudent to avoid the big name platforms. But that doesn't mean they shouldn't be wielding powerful tools as they do their important work. The usual recommendation for someone with a bit of skill and a good machine is to get cooking on a locally run model. But not everyone is that person... So I've been looking for recommendations that don't require the above skills/bandwidth/machine & I keep hearing interesting things about Open Secret / Maple AI. Anyone have experience? Know the specs & models? Are there other similar offerings around? https://blossom.primal.net/c74159e93a169eeedd5f1015d8ab39e6dbe356013ec7fc3fef92a86aa7881d8e.png Their website: https://trymaple.ai/

jsr: NEW: accused mastermind of French crypto kidnappings arrested in Morocco. 24-yo Badiss Mohamed Amide Bajjou allegedly orchestrated the kidnappings & assaults from abroad.
https://blossom.primal.net/b8eb69823492b37acbb7a86fe1268760540246ea425ea069e81752b78fd3d34c.png Including severing Ledger founder David Balland's finger. Authorities are probing possible links to additional cases. https://blossom.primal.net/4655a25fc242c70c4ba936b223bdd5e7fe0f2dcd7f5fc4126dfc01bb611cec1c.png This dynamic of remotely-masterminded attacks is terrifying. Nothing about these attacks requires super special skills, and the sheer ease of moving the assets once the wrench attack has happened is likely to attract more criminal groups. https://blossom.primal.net/c6bc85410271025c79260328f797c0925c4f6281e773f148bbb0ef0eb181f9a6.png I still think we're in the earliest days of these. Plenty of #OPSEC lessons and complexities to start thinking about here. Also, almost certainly the case that post-#Coinbase breach we will see more of these attacks. Read the news story: https://www.lemonde.fr/en/pixels/article/2025/06/04/suspected-mastermind-of-french-crypto-kidnappings-arrested-in-morocco_6742008_13.html

jsr: Has anyone asked DeepSeek what happened in Beijing on today's date in 1989?

jsr: What happened in China was morally indefensible oppression. Students that stood up for the truth and basic freedoms paid with their lives. Their memories should be celebrated. Not the government that chose to perpetuate violence instead of dialogue.

jsr: Do you know what the date is today? Today is the anniversary of the Tiananmen Square massacre. Take a moment to watch this video. https://blossom.primal.net/3b513c2c5774a2150d240931b83db5d13625fcd789d7f5c8924acc18da1275ce.mp4 Dictators hope that if they make us afraid to speak the truth for long enough... we'll forget it. And the next generation will never learn. This is how history is erased.
A Day to Remember, 2005, by Liu Wei. Full: https://vimeo.com/44078865

jsr: Another reminder of why using mercenary spyware is such a big risk for governments: they open themselves to retaliation & blackmail. #nevent1q…9k8t

jsr: You might be right. And an even bigger argument for why it makes sense to pay attention to the network effects that can be harnessed, minus the VC vibes..

jsr: VERY interesting research on how academic Twitter migrated to #Bluesky. Interesting topline takeaways for growing #nostr. No rocket science that's not been said before, but it's nice to have some data:
1- External shocks are key. Capitalize on them. >15% of transitions explained this way. Think geopolitical events, outages, Musk making a big disliked policy change etc. https://blossom.primal.net/bf7b42d4e5dfb1bfd81d36cd7bb4aab961c2d4c7af41d0e9298f61af62af9da8.png
2- Audiences move from incumbent platforms following influential voices that they follow. Focus on onboarding these influential voices. This is more impactful than just trying to bring the whole audience first. https://blossom.primal.net/50d77aaffce370c49f1cc853471560ce49c8e560cb5551bf79168704335ed781.png This dynamic can build contagion. Find ways to more publicly highlight when influential accounts join. And make it super easy for Nostr users to use clients to reconstruct followees & social graphs from the incumbent platform. Trick will be to do this in a privacy respecting way. (sidenote: that's why the follow packs were such a good idea. But we need much more of this) (note: influential voices may experience a period of 'where's my audience?' So it's key to find ways to get the transitioning user from that to the reconstruction of their network.)
3- Multiple peers transitioning is key.
Having local clusters develop is important (& probably helps with the dry period before an audience is rebuilt.) Interesting nuance: transition rates to #bluesky were 25-30% in fields like arts/social sciences, but about half that in medical / physical sciences / engineering. Possible predictors include baseline political engagement & political values expressed. https://blossom.primal.net/bf60153b7d7a9a282b632d2f120a9883391a7a902b577f12abdfec90d5c93942.png This has an implication for Nostr: focus messaging on Nostr features that may align with people in incumbent platforms. There has to be desire. Paper: "Why Academics Are Leaving Twitter for Bluesky" https://arxiv.org/pdf/2505.24801

jsr: Now more than ever it is critical to recognize where you've outsourced your cognition. And whose hidden assumptions your mental economy is now running on.

jsr: NEW: Senator Wyden just exposed which companies keep silent about government surveillance. No = doesn't respect Americans' privacy rights. Choose accordingly. https://blossom.primal.net/d33cb9659ff0dd0ff3e2162ec3c9f61454418e48a2ba77ad004c7576dbc262d7.png But Wyden didn't stop there. https://blossom.primal.net/d883f77fd240365c07b3ac7162a213d8b7ebbe2d8f1b6063243d1bbfba36a0a0.png He highlighted troubling evidence that when government-ordered surveillance of Senators took place, companies failed to notify Senators. https://blossom.primal.net/a118f1f62f54b3a414e33149197001de409e75adeba7b3632d514cebabc6c5d1.png This is a bad, scary look for these companies. And it drives home the fact that Americans are often running blind when it comes to potential surveillance overreach.
Sources:
Wyden letter to colleagues: https://www.wyden.senate.gov/imo/media/doc/wyden_dear_colleague_on_senate_cyber_and_surveillance_surveillancepdf.pdf
Wyden press release: https://www.wyden.senate.gov/news/press-releases/wyden-reveals-which-phone-companies-protect-privacy-by-telling-customers-about-government-surveillance

jsr: NEW: #Google's #Android 16 to feature optional high security mode. Cool. Advanced Protection has a bunch of requested features that address the kinds of threats we worry about. https://blossom.primal.net/f19388ad4282b6473df62c60cedd2c633ff3e3aba32cae33d8b4f03e1fb6e265.png It's the kind of 'turn this one thing on if you face elevated risk' that we've been asking for from Google. And likely reflects some learning after Google watched #Apple's Lockdown Mode play out. Here are some thoughts:
SOME FEATURES I'M EXCITED FOR:
The Intrusion Logging feature is interesting & is going to impose substantial cost on attackers trying to hide evidence of exploitation. Logs get e2ee encrypted into the cloud. This one is spicy. The Offline Lock, Inactivity Reboot & USB protection will frustrate non-consensual attempts to physically grab device data. Memory Tagging Extension is going to make a lot of attack & exploitation categories harder. 2G Network Protection & disabling Auto-connect to insecure networks are going to address categories of threat from things like IMSI catchers & hostile WiFi.
FEATURES I'M ...MORE CAUTIOUSLY CURIOUS ABOUT
Spam & Scam detection: Google Messages feature that suggests message content awareness and some kind of scanning. https://blossom.primal.net/5b3a85ad8c678393c5e8c03f88902e25a994899776c15dc8a3517e2752235a17.png Scam detection for Phone by Google is interesting & coming later. The way it is described suggests phone conversation awareness. This also addresses a different category of threat than the stuff above.
I can see it addressing a whole category of bad things that regular users (& high risk ones too!) face. Will be curious how privacy is addressed or if this is done purely locally.
FRICTION POINTS?
I see Google thinking some of this through, but I'm going to add a potential concern: what will users do when they encounter friction? Will they turn this off & forget to re-enable? We've seen users turn off iOS Lockdown Mode when they run into friction for specific websites or, say, legacy WiFi. They then forget to turn it back on. And stay vulnerable. Bottom line: users disabling Apple's Lockdown Mode for a temporary thing & leaving it off because they forget to turn it on happens a lot. This is a serious % of users in my experience... And should be factored into design decisions for similar modes.
GIVE US A SNOOZE BUTTON
I feel like a good balance is a 'snooze button' or equivalent so that users can disable all/some features for a brief few minute period to do something they need to do, and then auto re-enable. Yes, during that brief period there is vulnerability (and a potential social engineering target), but if the trade off is that the user likely just turns the whole thing off and forgets it..that is worse.
HIGH SECURITY & HIGH PARANOIA USERS
Some users, esp. those that migrated to security & privacy-focused Android distros because of the absence of such a feature, are clear candidates for it... But they may also voice privacy concerns around some of the screening features. And about the fact that the phone would need to be re-googled (think: Graphene, which confers a lot of privacy by stripping out most Google features). Clear communication from the Google Security / Android team will be key here.
TAKEAWAYS
I'm excited to see how #Android Advanced Protection plays with high risk users' experiences. I'm also super curious whether the spam/scam detection features may also be helpful to more vulnerable users (think: aging seniors)...
Google's blog: https://security.googleblog.com/2025/05/advanced-protection-mobile-devices.html

jsr
Terrible ad from a cynical man trying to steal your privacy. https://blossom.primal.net/3a28369f9a5c6ee2f5c7536473b0bafb2361c77e754c298d3f40203e55c21bda.mp4 I've talked about the Orb Mini before: #nevent1q…6758

jsr
BREAKING: jury awards massive $167 million in punitive damages against spyware company NSO Group. https://blossom.primal.net/b969407c98a4b0e39a6cb3c7fd4a5dcbd9819babc71fb7f62e623690d825de15.png It turns out that the regular people on a jury think it is evil when you help dictators hack dissidents. After years of every trick & delay tactic it only took a California jury ONE DAY of deliberation to get this Monsanto-scale verdict. Precedent-setting win against notorious #Pegasus spyware maker.

BACKSTORY: Rewind to 2019. About this time (April-May) #WhatsApp catches NSO Group hacking its users with #Pegasus. They investigated. https://blossom.primal.net/8f50f124ebff031a6a37b33270aacce1b5a3ff5e26ef77f53a039a56e38c7a90.png We at Citizen Lab helped to investigate the targets & get in touch with the activists, journalists & civil society members that were targeted. https://blossom.primal.net/8aeb34cb2052d2af92bcd34e4443525c45648eb9224cadc70d1ec8d760afe393.png We identified at least 100. And got in touch. It was a tremendous push of sleepless days. But it made it so clear just how much harm was being done. Then, in October 2019 WhatsApp sued. Prior to the lawsuit, NSO had acted the playground bully. Targeting victims that dared speak up & researchers like us. Suddenly, the bully wasn't so surefooted. Like the scene in a high school movie where the cousin shows up in the beat-up car & collars the bully. You might not remember, but in 2019 no country had sanctioned NSO Group...
No parliamentary hearings, no hearings in Congress, no serious investigations. For years, WhatsApp's lawsuit helped carry momentum & showed governments that their tech sectors were in the crosshairs from mercenary spyware too... Credit due to Meta & WhatsApp leadership on this one, they stuck the fight out & carried it across the finish line.

NOTIFICATIONS MATTER: WhatsApp's choice to notify targets was also hugely consequential. A lot of cases were first surfaced from these notifications. With dissidents around the world suddenly learning that dictators were snooping in their phones...with NSO Group's help.

A SIDEBAR: HARASSING RESEARCHERS: One of NSO's many tactics was to leverage the case to badger me & us Citizen Lab researchers to try and extract information. https://blossom.primal.net/3e4a3bd8248a954b919f660bdefc12ca76178f37d2eb7250ce17b0bdffaddab3.png It never worked, but it laid bare the tactics that these firms prefer...instead of coming clean.

ROLE OF CIVIL SOCIETY: Ultimately, we wouldn't be here without civil society investigations of mercenary spyware... and alarm raising. And victims choosing to come forward. Thankfully today there's a whole accountability ecosystem growing around this work. Dozens of orgs engaging. Numbers are growing.

IS THERE GONNA BE IMPACT? YES. NSO Group emerges from the trial severely damaged. The damages ($167,254,000 punitive, $440K+ compensatory) are big enough to make your eyes water.

NSO'S BUSINESS IS NOW ALL OVER THE NET: The case is also a blow to NSO's secrecy, with their business splashed all over a courtroom.
https://blossom.primal.net/3d9bfc037d31d95cc052430e8cdd8570c36506388de63a5f08cd185ffe6f3c54.png WhatsApp just published NSO's depositions, exposing an unprecedented amount of info on a spyware company's operations:
✅ https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Eshkar-Transcrips_Case-4-19-cv-07123-PJH.pdf
✅ https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Gil-Transcrips_Case-4-19-cv-07123-PJH.pdf
✅ https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Shohat-Transcrips_Case-4-19-cv-07123-PJH.pdf
✅ https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Gazneli-Transcrips_Case-4-19-cv-07123-PJH.pdf
This will scare customers. And investors. And other companies that do the same thing. Good.

MY VIEW: Watching a jury of regular citizens see right through NSO's mendacity & hypocrisy...and to the need to protect privacy is amazing. Gives me hope. Despite all the fancy lawyering & lobbying, people know that this kind of privacy invasion is wrong.

Read more:
They Exposed an Israeli Spyware Firm. Now the Company Is Badgering Them in Court. https://theintercept.com/2024/05/06/pegasus-nso-group-israeli-spyware-citizen-lab/
Spyware maker NSO ordered to pay $167 million for hacking WhatsApp https://www.washingtonpost.com/technology/2025/05/06/nso-pegasus-whatsapp-damages/
NSO Group must pay more than $167 million in damages to WhatsApp for spyware campaign https://techcrunch.com/2025/05/06/nso-group-must-pay-more-than-167-million-in-damages-to-whatsapp-for-spyware-campaign/

jsr
Age verification is often a trojan horse for broader surveillance demands.

jsr
AI friends consoling me because my cat bonded to the robot vacuum & ignores me.
https://blossom.primal.net/0eb9a07bc096d7a790a469b26ff5f0c213e2518e56710533e8d4b8bcb0806ce6.png

jsr
Friends don't let friends get their eyeballs scanned to buy a coffee. This portable dystopia machine is Tools for Humanity's latest effort to live up to their Orwellian name. https://blossom.primal.net/7d3f813ec8e8f88e1a8a65895687a43d772b2d908e88b1e69c79e84b2110f578.png Connoisseurs of the AI-will-end-humanity marketing hype train of a few years ago should find plenty to appreciate in an eyeball scanner framed as a 'helpful' tool to distinguish between AI agents & humans. Or is it for that? Or maybe point of sale? Or nebulous 'verification?' The only clear thing? This device starts from a point of biometric #privacy invasion. https://blossom.primal.net/f157bbd63933c1cbe87afc9af071afb975504950e1cf151d5e1688afcf47cd21.png It sure looks to me like another effort by the company Sam Altman founded to make a global data-grab. https://blossom.primal.net/8cf71cc4ea27e87adbbe93081213e0f6bae366791e92896eaacd60702371ee08.png Just say no. https://techcrunch.com/2025/04/30/sam-altmans-world-unveils-a-mobile-verification-device/

jsr
Amazing.

jsr
Part of what makes Nostr so special. No other community comes close to this much experimental *building*

jsr
Starter packs of people worth following. You need em. Nostr needs em. Huge props to @nprofile…h36r for again building a thing that needed to happen. Now, how do we get support built natively into clients? #nevent1q…ezqz

jsr
Use sunscreen. Get enough fiber. Do regular backups.

jsr
Fear is dictatorship glue.
You can't imprison everyone with a dissenting thought. Or inconvenient factual observation. But fear teaches self censorship. And is a scalable system of control. The challenge, of course, is to keep the fear going. And push it all the way down into private conversations. In the 20th century, such fear required massive human investment. Informants... model punishments... information control. All on a linear scale. And there was a post-cold war school of thought that said: once everyone is connected, these systems won't work. But tech isn't, by nature, a dictatorship antidote. It can equally be an expedient. Just ask China. In the past 20 years the government has empirically developed technologies & private sector partnerships for scaling fear and self censorship to north of 1.4 billion ppl. Log scale. Out here in the rest of the world take a look around. The major underpinnings of our online & financial behavior have comprehensive person-tracking surveillance and information-shaping built right in... primarily to sell us even more things. But it is the shortest possible distance from that to a totalizing system of government surveillance. Punishment. And information control. We all carry informants in our pockets. Ready to snitch on us, shape what we feel, and implement punishments. This is a tremendously inviting system for governments with the instincts to grab these levers. Increasingly, they are doing just that. Pictured: Stasi interrogation rooms. https://blossom.primal.net/020478322d5622f0ed497c35fafe1b7cb286af99cd645664d7f5faa0cd0f71b7.png Image source: https://hyperallergic.com/151019/mundane-horror-in-abandoned-stasi-spaces/

jsr
Yes.

jsr
2027: we can't wait to show our advertising partners how we deliver behavior shaping across whole lives. this is a surprisingly great feature, imo.
https://blossom.primal.net/9643f6078a67118e252c3882fd9cf08a3dce075467075a1fb41a989a64eae41e.png

jsr
And it is no coincidence. https://blossom.primal.net/97e44350fcad30efb7fcf6e301f1724ccdd02d71940430022663813feb311aa2.png #nevent1q…453f

jsr
Government censorship has come to #Bluesky. https://m.primal.net/QbYz.png

LATEST: On demands from the Turkish government, Bluesky restricted access to 72 accounts per a report from a Turkish NGO. https://m.primal.net/QbXO.png

DETAIL: Accounts are restricted for users in Turkey. Accounts aren't banned from Bluesky's AT Protocol relays etc., but access is moderated at the official client level through geography-specific labels. https://m.primal.net/QbXg.png

WORKAROUNDS? Realistically impacted accounts are no longer visible to the majority of Bluesky users (most aren't on 3rd party clients) in Turkey. However, since 3rd party client apps for the AT Protocol aren't forced to use geography-specific labels, they can still be used to view the content. In theory, official client + VPN would also result in seeing the accounts.

LOOKING AT SOME DATA: Bluesky has been publishing transparency reporting about legal & government requests. The most recent report covers 2024 and shows a relatively modest number of takedown requests, but about 50% response by Bluesky. https://m.primal.net/QbYR.png Unfortunately, the company doesn't differentiate between legal demands in civil litigation and *government* demands. This makes it hard to get a clear picture. https://m.primal.net/QbYr.png I hope Bluesky segments out these very different kinds of pressure in 2025 reporting so we can get a better sense of what's happening.

BIG PICTURE: Looking ahead, governments are probing for new ways to enforce content restrictions.
These are early days for Bluesky and it is likely that a lot more requests like this will be inbound as users head there to try and avoid the well-greased censorship machinery on legacy platforms like X.

Recommended reading & sources:
Super-helpful-to-me TechCrunch article: https://techcrunch.com/2025/04/23/government-censorship-comes-to-bluesky-but-not-its-third-party-apps-yet/
Mastodon post confirming blocking with testing: https://mastodon.online/@mastodonmigration/114348331162291326
Bluesky post with the notification email screenshot: https://bsky.app/profile/aliskorkut.com/post/3lmul5pt34c2b
Bluesky 2024 Moderation Report: https://bsky.social/about/blog/01-17-2025-moderation-2024
Bluesky post describing geography-specific labels as a content-removal technique: https://bsky.social/about/blog/09-18-2024-trust-safety-update

jsr
They Criticized Musk on X. Then Their Reach Collapsed. https://m.primal.net/Qagt.png Graphs from this story are stark. https://m.primal.net/QahA.png Link: https://www.nytimes.com/interactive/2025/04/23/business/elon-musk-x-suppression-laura-loomer.html

jsr
3/ Here's the thing: there's a global market for trustworthy privacy-respecting apps. The secure messaging market alone is worth billions & growing. If European leaders can move past the un-imaginative anti-encryption myopia...it is a natural place to incubate & innovate these industries.

jsr
2/ Today, our most intimate worlds and thoughts pass through our phones. States forcing their way into these interactions for every citizen is the equivalent of putting a police camera and a microphone between everyone's pillows. Then asking us to trust they'll never look...
jsr
https://m.primal.net/QaSB.png Maybe we can all 'live without' private messaging? Pay attention. Denmark is set to take over the rotating EU Council presidency. And is sending signals that they want to go after encryption. Backdoors end badly. Demanding backdoors isn't just the surest way to chase away innovation...it's collective punishment for security services' own failures to adapt. And the history of democracies is littered with states abusing secret surveillance powers to undermine core values. Article: https://www.politico.eu/article/encryption-crime-denmark-peter-hummelgaard-europe-privacy/

jsr
Right on. So many of our contacts with technology today are with systems that are built from a place of disrespect & disdain for autonomy & human agency.

jsr
Constant algorithmic improvements have empirically reverse engineered the human psyche. I suspect that explicit research neuroscience hasn't caught up to the insights about how to induce behavioral dependence that are embodied in these systems. The user experience of most platforms now mirrors maladaptive behavior-maintaining effects you could *only* achieve with most addictive drugs up to about a decade ago. We need to avoid the moral panic, but it's impossible to overstate how novel this is for our brains. One thing we know from behavioral addiction research (my old field) is that the brain is plastic. When you induce one category of addiction, it changes the motivational substrate of the brain in sticky ways. And cross-sensitizes / potentiates other forms of addiction and behavioral dependence. This will only accelerate & become less scrutable with improvements in AI. We are in the earliest, earliest days of trying to understand what this means for the next decades of human life.
Painting: The Opium Den, Edward Burra, 1933 https://m.primal.net/QXBE.jpg

jsr
NEW: 🇪🇺 EU issuing burner phones to staff traveling to 🇺🇸 US. Anecdotal: matches what I'm seeing, which is orgs retooling what was once the high security "China travel policy" into a US travel policy. Burner phones, dedicated travel devices & border wipes are the new normal. Story: https://www.ft.com/content/20d0678a-41b2-468d-ac10-14ce1eae357b https://m.primal.net/QPHR.png

jsr
https://m.primal.net/QDHd.png Anyone come across good analyses of new US #tariffs? Longer-term projections a bonus. #AskNostr

jsr
Thoughtful design that addresses one of the biggest issues around VPN use & privacy: a single chokepoint of possible privacy failure & exposure to demands for access. There are still lots of things VPNs don't do...that people think they do...but this kind of thing is nudging consumer VPNs closer towards what people think when they use them :) Example of what ppl think VPNs do but they don't: hiding from most websites you visit. Unless you are actively resisting things like browser fingerprinting, cookies, trackers & never logging in, you're still identifiable to most of the sites you visit. Here's another: a state can still find you if you use a VPN. Trivially, if they can get enough traffic logs. For example, if SERVICE A still has an IP address + time pairing associated with you that is uniquely identifiable (e.g. you touch your email inbox over your VPN connection)...then there's a good chance that a state can quickly associate you with your other activity on SERVICE B. All they need to do is make a legal request that SERVICE A complies with. Then they see what IP is associated with you at that time, maybe get your useragent & a few other things and ...boom.
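The SERVICE A / SERVICE B correlation described in the VPN post above, worked through as an added example; this is not code from the post or from any VPN provider. The log records are constructed. SERVICE A (identified, e.g. an email provider) and SERVICE B (pseudonymous), the field names, the 5-minute window and the user-agent strings are all assumptions. It goes one step past the post's single lookup: candidate accounts are intersected across every session of the pseudonymous account, which is how a shared VPN exit IP, ambiguous for one event, gets narrowed to one person.

```python
"""Linking a pseudonymous account to an identified one through a shared
VPN exit IP, using only the kinds of records the two services keep.
Example code with constructed logs; SERVICE A / SERVICE B, the field
names, the 5-minute window and the user-agent values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Record:
    account: str      # SERVICE A: identified user; SERVICE B: pseudonym
    ip: str           # client IP as the service saw it (here: the VPN exit IP)
    ts: datetime      # server-side timestamp of the request
    user_agent: str   # what the client sent along


# Constructed sample logs. Three users share one VPN exit IP (198.51.100.7);
# two of them run the same browser build, so IP + time alone stays ambiguous.
SERVICE_A_LOGS = [  # identified service (assumed: the email inbox the post mentions)
    Record("alice@example.org", "198.51.100.7", datetime(2025, 5, 1, 9, 0, 10), "Firefox/138.0"),
    Record("bob@example.org",   "198.51.100.7", datetime(2025, 5, 1, 9, 1, 30), "Firefox/138.0"),
    Record("carol@example.org", "198.51.100.7", datetime(2025, 5, 1, 9, 2, 5),  "Safari/18.4"),
    Record("dave@example.org",  "203.0.113.9",  datetime(2025, 5, 1, 9, 2, 40), "Safari/18.4"),
    Record("carol@example.org", "198.51.100.7", datetime(2025, 5, 1, 9, 38, 0), "Safari/18.4"),
    Record("bob@example.org",   "198.51.100.7", datetime(2025, 5, 1, 9, 41, 0), "Firefox/138.0"),
]
SERVICE_B_LOGS = [  # pseudonymous service; "throwaway42" is the account to unmask
    Record("throwaway42", "198.51.100.7", datetime(2025, 5, 1, 9, 3, 0),  "Safari/18.4"),
    Record("throwaway42", "198.51.100.7", datetime(2025, 5, 1, 9, 40, 0), "Safari/18.4"),
]


def candidates(event: Record, identified: Iterable[Record],
               window: timedelta, match_ua: bool) -> Set[str]:
    """Identified accounts seen from the same IP within +/- window of one
    SERVICE B event. The user-agent is an optional extra discriminator."""
    found = set()
    for r in identified:
        if r.ip != event.ip or abs(r.ts - event.ts) > window:
            continue
        if match_ua and r.user_agent != event.user_agent:
            continue
        found.add(r.account)
    return found


def link(pseudonym: str, service_b: Iterable[Record], service_a: Iterable[Record],
         window: timedelta = timedelta(minutes=5), match_ua: bool = True) -> Set[str]:
    """Intersect the candidate sets over every session of the pseudonym.
    One shared exit IP yields many candidates; each further session prunes
    the set. An empty set means these logs do not support a link."""
    survivors: Optional[Set[str]] = None
    for event in (r for r in service_b if r.account == pseudonym):
        c = candidates(event, service_a, window, match_ua)
        survivors = c if survivors is None else survivors & c
    return survivors or set()


if __name__ == "__main__":
    print("IP+time only :", link("throwaway42", SERVICE_B_LOGS, SERVICE_A_LOGS, match_ua=False))
    print("IP+time+UA   :", link("throwaway42", SERVICE_B_LOGS, SERVICE_A_LOGS))
```

With IP and time alone the shared exit IP leaves two candidates after both sessions; adding the user-agent collapses it to one. Note that the same shared exit IP that makes a single event ambiguous is also what a too-narrow time window breaks on: with a one-minute window the two sessions point at different people and the intersection is empty, so an analyst would widen the window rather than conclude there is no link.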
jsr
https://m.primal.net/PyiS.jpg I've spent my adult life thinking about defending digital privacy. Yet until a few years ago, financial freedom & privacy were barely on my radar. This would have probably continued but for a handful of good humans that took the time to talk me through things. Thanks to thinking they kicked off for me, I now think that individual access to aspects of financial freedom & privacy are necessary to a healthy society. Why did it take so long? Well, there was a failure of adversarial imagination on my part. And partly because if you aren't actively asking hard questions, this state of affairs will be hidden from you. The financial system & how it is taught is set up to hide structural privacy violations & disempowerment. I'm pretty sure my ignorance was closer to the norm than the exception. But when you completely restrict financial privacy & freedom, you disempower people...constantly. And it will keep eroding & blocking the exercise of other core rights. Until this changes & awareness grows, we're stuck paying the price for it in a thousand ways. Shoutout to @nprofile…xncl for getting & keeping the intellectual ball rolling for me. And to all the good humans that have helped me along the way since. Thank you. You know who you are. Painting: Egon Schiele, Four Trees, 1917.

jsr
I hear what you are saying, and agree that this kind of advanced data collection probably is not necessary. My view is: don't underestimate the power of these industries. Consider that there's a difference between what kind of invasiveness might be needed.... and what will be instantly sought & probably granted. Getting concrete. The cheaper bids on contracts will probably be because they rely heavily on more automated approaches... And to make that work, they are going to want data.