Items tagged with: Security

Getting started with XMPP/Jabber and PGP for federated, encrypted messaging

This is a short thread where I explain how I started using the XMPP protocol and PGP encryption for secure messaging. I am not a security expert, but I am a mathematician and I am comfortable with the Linux command line. This guide is for people who want to use PGP for secure messaging easily. You will need to be okay with typing commands into the Linux command line in order to do this, but I will tell you exactly what to enter.

Part 1: XMPP

Mastodon is like email, but for social media. You sign up for an account with a server, and then you can talk with any other accounts that are signed up on other servers, as long as your servers are getting along. (No one wants emails from the sketchy spam server, and we want to be able to choose between Yahoo, Gmail, etc.) XMPP (a.k.a. Jabber) is the same thing for text messaging.

Just like signing up for an email/Mastodon account, you need to sign up for an account. You can find a list of servers at list.jabber.at/ and will probably at least need to provide an email address when making an account.

Once you have made an account, you need a client. On Linux, I've been having a good time using Dino (dino.im/). You can then enter your account name and password to log into your XMPP account and start chatting! There are both public rooms and you can also message directly with your friends.

#security #PGP #XMPP #FOSS #Jabber #Dino #MonoclesChat

(1/4)


New Privacy Guides article 🔐✨
by me:

If you want to keep your password manager local-only, KeePassXC is a great solution!

It's free,
Open-source,
Easy to install and use,
Doesn't require an account,
Works on Linux, macOS, and Windows,
And the team is here! 👉 @keepassxc

Here's how to set it up with a YubiKey: privacyguides.org/articles/202…

#PrivacyGuides #KeePassXC #Privacy #Security #PasswordManager #Passwords #FOSS


"Google refuses to deny it received encryption order from UK government"

The UK’s encryption-breaking order for a backdoor into iCloud isn’t a one-off.

The secret hearing happening RIGHT NOW is bigger than just Apple. If the government wins, our right to privacy and security falls.

Other services will be hit.

therecord.media/google-refuses…

Sign our petition ➡️ you.38degrees.org.uk/petitions…

#e2ee #encryption #apple #google #privacy #security #cybersecurity #ukpol #ukpolitics #tech


📣 Break the silence: Save encryption!

The UK government wants to be able to access anything, anywhere, any time — from your pics to your docs.

It begins with Apple. Other services will be next. That's why we must take a stand NOW!

Sign and share our petition ⬇️

you.38degrees.org.uk/petitions…

#encryption #e2ee #Apple #privacy #security #cybersecurity #ukpolitics #ukpol #icloud #tech


The message is clear across the political divide: let's hear it!

The UK government should argue in open court why they want to make us less secure by ordering a backdoor into Apple encryption.

A secret Tribunal would be an affront to the privacy and security issues at stake. It must be held in public.

Read the joint letter from ORG, Big Brother Watch and Index on Censorship ⬇️

openrightsgroup.org/press-rele…

#Apple #encryption #e2ee #privacy #security #cybersecurity #ukpol #ukpolitics #tech


Bipartisan US Congress Members want the secrecy around the UK's encryption-breaking order to be lifted.

"It is imperative that the UK's technical demands of Apple - and of any other US companies - be subjected to robust, public analysis and debate."

“Secret court hearings featuring intelligence agencies and a handful of individuals approved by them do not enable robust challenges on highly technical matters.”

wyden.senate.gov/news/press-re…

#encryption #e2ee #Apple #privacy #security #cybersecurity


UK MPs have joined the chorus of voices wanting the Apple case to be held in public.

"If the Home Office wants to have effectively unfettered access to the private data of the (innocent) general public, they should explain their case in front of the public."

🗣️ David Davis MP.

"People deserve to know what's happening to their private personal information."

🗣️ Victoria Collins MP.

news.sky.com/story/apple-vs-ho…

#encryption #e2ee #Apple #privacy #security #cybersecurity #ukpolitics #ukpol


📣 Make it public!

The call is getting louder for a public hearing of the appeal over the UK's order to break Apple encryption.

Alongside the joint letter from ORG, Big Brother Watch and Index on Censorship, UK MPs, US Congress Members and the BBC want the secrecy to end.

bbc.co.uk/news/articles/c4g0rr…

#encryption #e2ee #privacy #security #cybersecurity #ukpol #ukpolitics #Apple #tech


Do you use antivirus apps on your Android? Spare yourself the unnecessary baggage: they offer only deceptive security and are often full of trackers. 👇

kuketz-blog.de/truegerische-si…

#android #security #google #tracking #virus #antivirus #app


🚨BREAKING🚨 The French National Assembly removed the backdoor section from the amendment to the #Narcotrafic law.

Read here how Politicians tried to undermine everybody's #security: tuta.com/blog/france-surveilla…

🙏 And thank you for fighting against this with us. This is a great win for privacy, yet, the battle is not over. Together we are strong! 💪

#backdoor #encryption #privacy #security


I manage my own e-mail server. I occasionally have outbound messages rejected because my hosting provider's entire network sometimes appears on block/deny lists. I also have an e-mail account hosted by Microsoft Exchange Online. Yesterday, an outbound message from that account was rejected by a receiving server because the IPv4 address of one or more of Microsoft's servers was on a public block list.

Perhaps having multiple addresses hosted by different providers is now becoming a practical necessity.
#email #smtp #security


I've switched to lurking here for a while due to the effects the current political situation in the US is having on me. I am making some big changes to how I do things, including how I livestream and host various products of my math research. I'll be posting about the steps I take as I take them.

I have switched from #Firefox to #Librewolf on my desktops. This was pretty easy since I have been storing my bookmarks as a plain text file on my desktop for a while now. Very portable. I just wish #VideoDownloadHelper worked on Librewolf.

I am looking into #XMPP now and trying to find a server to sign up for. Does anyone know any with open registration?

I have also recently gotten into #IRC again, and am excited to get more familiar with the #Pidgin client on desktop.

#math #privacy #security #federation #software




Here are some of our main takeaways from the EU Open Source Policy Summit 2025:💡 👨‍💻

— Open and collaborative innovation solves the dilemma of #competitiveness and #sovereignty
— Now is the time to invest in open source #maintenance and #security
— Building sustainable open source ecosystems remains challenging but necessary
— Open source is being increasingly regulated in Europe, and the new challenge is #implementation and #compliance

Read more in our new blog: 👇 🔗

openforumeurope.org/the-eu-ope…


Everyone should be encrypting on device BEFORE uploading now.

A few things come to mind, but for #iOS users, I would use @cryptomator

If anyone needs any help whatsoever securing their communications or files, PLEASE message me. I am here for you.

#apple
#privacy
#security



Please be aware that there is a nefarious e-mail targeting @Tutanota users.

The sender is "tuta@tuta.io" (or variations thereof), and there is a pdf attached.

Do *NOT* download and/or open the pdf.
Mark as spam/phishing and delete.

#tutanota #tuta #security


Tuta email, located in Germany, Europe, now uses quantum computers to encrypt their emails.

(Technically, they are using algorithms determined to be safe against attacks from quantum computers. And they don't actually have a quantum computer running 24/7, but that is good enough for me.)

#Tuta #Email #QuantumComputers #Quantum #Privacy #Security


I tried to find when #Signal has published the most recent #security audit, and it turns out they either never published an audit or their code was never audited at all.

The closest thing I found is the list
community.signalusers.org/t/ov…
which only cites research papers and some evidence that in 2018 Signal paid Doyensec, but nothing got published as the result. Even then, it looks like the apps were not audited for more than 5 years since then.


The world needs secure communication more than ever, as a bulwark against the surveillance, authoritarianism, and oppression increasingly enabled by Big Tech. Matrix seeks to meet that need, as an open source, decentralised, encrypted comms protocol.

But Trust & Safety is more difficult in a decentralised environment. How are we building a safer Matrix?

matrix.org/blog/2025/02/buildi…

#Matrix #Security #Privacy #TrustAndSafety #OpenSource #FOSS



"The UK’s war on encryption affects all of us" via @verge.

Indeed, the UK's actions imperil security across the globe.

It's worth highlighting that open source comms tools, like @matrix and @signalapp, empower researchers and users: you'll _see_ if a backdoor is added.

Not so with proprietary tools. Do you really trust Meta, Apple, or Google not to roll over on you?

theverge.com/policy/612136/uk-…

#FOSS #SoftwareFreedom #OpenSource #Security #Privacy #Encryption



If Apple complies with this, the UK government will gain access to all iCloud data globally. The only way Apple comes out of this with any integrity is to leave the UK market. If they give in to this, every regime in the world will demand the same thing. And that’s before we even get to the fact that there’s no such thing as a “backdoor” for just so-and-so. Either there is a door or there isn’t and if there is, anyone who obtains the key can use it.

theguardian.com/technology/202…

#apple #backdoor #UK #encryption #privacy #security #personhood #data #democracy #humanRights #iCloud


Six times so far ... is how often important parts of #deltachat were independently #security audited and analyzed. Thanks to IncludeSecurity, Cure53, Applied Crypto Team at ETH Zuerich and Radical Open Security.

Last audit is from December 2024 covering @rpgp , the minimal #OpenPGP Rust library that is gaining traction with other projects as well.
Shout-out to dignifiedquire and @hko for their excellent maintenance! For more info on Delta Chat related security audits: delta.chat/en/help#security-au…


Unbelievable

#ElonMusk’s US #DOGE Service are feeding sensitive data into #AI software via #Microsoft’s #cloud

#Musk’s US #DOGE Service have fed sensitive data from across the #Education Dept into #ArtificialIntelligence software to probe the agency’s programs & spending….
The AI probe includes data w/personally identifiable info for people who manage grants, & sensitive internal financial data…

#law #security #InfoSec #CyberSecurity #NationalSecurity #Trump #TrumpCoup
washingtonpost.com/nation/2025…


A few days ago, a client of mine asked me to install an open-source software (which I won’t name for now). The software has only one official installation method: Docker. This is because, as they themselves admit, it has a huge number of dependencies - some quite outdated - that need to be carefully managed and forced into place; otherwise, nothing works.

I tried replicating the same setup on FreeBSD but didn’t succeed, as some dependencies either aren’t compatible or simply refuse to run. I could try finding workarounds, but I can already picture the chaos every time an update is needed.

So, I decided to build it via Docker to get a better sense of what we’re dealing with. The sheer number of dependencies that Node pulls in is impressive, but even more staggering is the number of warnings and errors it spits out: deprecated and unsupported packages, security vulnerabilities, generic warnings - you name it, and there’s plenty of it.

Since my client needs to launch this service but is subject to audits, they want to be fully compliant and ensure security. Given their substantial budget, they offered financial support to the developers (a company, not just a group of hobbyists) to help improve the project either by making it FreeBSD-compatible or, at the very least, by reducing dependencies with critical vulnerabilities. The client was willing to pay a significant sum, and since the improvements would be open-source, everyone would benefit.

The response from the team? A flat-out refusal. They claimed they couldn’t accept any amount of money because many of these dependencies are "necessary and irreplaceable, as parts of the code relying on them were written by people who no longer work on the project, and we can’t rewrite the core of the software.” Then came the part that really got under my skin: they stated they would rather deal directly “with my client, not with me, because in the end, my concerns are just useless and irrational paranoia.”

Translation? Just pay, and you’ll pass compliance checks - never mind the fact that underneath, it’s a tangled mess of outdated and insecure components. And don’t make a fuss about it.

While I can understand some of the challenges the team faces, I might have accepted this response if it had come from a group of volunteers or hobbyists. But if you’re a company whose sole business revolves around a single software product (with no real competition at the moment), this approach is not just short-sighted - it’s outright dangerous for your users’ security and for your own survival as a business.

The result? They lost a paying client who was ready to invest a significant budget into their software. That budget will now go elsewhere. My client is considering hiring developers to build a similar project with better security (they have both the time and the money for it). I’ll do my best to convince them to release it as open-source - at which point, a new “competitor” will emerge in the market.

#IT #SysAdmin #OSS #Security #Infosec


With respect, this may sound harsh, but for something like this a responsible person should be held accountable, with consequences that ensure they are never again allowed to take on such responsibility. "Security gaps" like these are grossly negligent. 👇

heise.de/news/Datenleck-in-Reh…

#datenleck #security #sicherheit


Dear #Android #App #Developers, as it still happens far too often (no naming, no shaming! 💩 happens to everyone of us) a reminder to take good care of your #signing keys – and also take precautions for the case that your keystore might get lost. Please take a look at: f-droid.org/2023/09/03/reprodu… where I outline this topic.

Thanks!

#security


Whoever is responsible for a security vulnerability as serious as the d-trust one should admit the mistakes instead of deflecting from their own failure with cyber rhetoric. Data leaks caused by sloppiness are unacceptable, as is the criminalization of security researchers. Responsibility, apology, consequences: now!

ccc.de/de/updates/2025/dont-tr…

#security #sicherheit #schwachstelle #verantwortung


Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service.

"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:

Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.

Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.

Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.

Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.

After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."

samcurry.net/hacking-subaru#in…

#cars #security #subaru @starlink


Signal is a secure messenger, but there are interesting alternatives, such as @matrix , @session , @delta , @simplex or XMPP …

➡️ matrix.org

➡️ getsession.org

➡️ delta.chat

➡️ simplex.chat

➡️ xmpp.org

If you’d like to learn more about these options, have a look at the responses to this toot.

#matrix #session #signal #XMPP #messenger #decentralized #tech #technology #OpenSource #FOSS #WhatsApp #security #InfoSec #data #safety


Really good article. My experience with "security experts" is that most actually have very limited knowledge in the field. And lack critical thinking. This leads to an almost blind trust in these tools that spit out reports on CVSS scores that can easily be exported to nice looking spreadsheets.

Unfortunately, those tend to be taken as gospel by management. Because management never have a clue about anything.

#security #infosec


The United States Government, in the wake of mobile cellular networks being compromised by China, finally suggested Americans use encrypted apps and services. One of those suggestions, provided as an example by the Joe Biden Administration, was Signal.

Donald Trump, however, around the time Mark Zuckerberg made his announcement, concerning Meta policy, has continuously used WhatsApp as their example.

#Signal #WhatsApp #Privacy #Encryption #Safety #Security #Meta


The signature problem with F-Droid has apparently still not been solved: "We find it concerning that F-Droid constantly chooses to move the goalposts and continues to rely on a fundamentally broken approach for certificate pinning, merely patching [15] known vulnerabilities without ever addressing the underlying cause." 😵👇

github.com/obfusk/fdroid-fakes…

#fdroid #security #privacy #certpinning #signature