Chasing digital badness at the citizen lab. All words here are my own.
Public Key: npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj
Profile Code: nprofile1qqsxp8ccdjsz84jccrlqr9tsguh4j4ju30sac93mz4ql4jwep2jw3tcpr4mhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet5qyw8wumn8ghj7mn0wd68yttjv4kxz7fwwak8vuewwdcxzcm955cpez
Published at: 2025-08-01T20:28:06Z
Event JSON:
{
  "id": "31c365715bef13729b424f619063c9428c53ab2de6607a39c58452d9da149bb7",
  "pubkey": "609f186ca023d658c0fe019570472f59565c8be1dc163b1541fac9d90aa4e8af",
  "created_at": 1754080086,
  "kind": 0,
  "tags": [],
  "content": "{\"name\":\"jsr\",\"about\":\"Chasing digital badness at the citizen lab. All words here are my own.\",\"lud16\":\"[email protected] \",\"nip05\":\"[email protected] \",\"picture\":\"https://m.primal.net/NBib.png\",\"displayName\":\"jsr\",\"display_name\":\"jsr\",\"website\":\"johnscottrailton.com\",\"banner\":\"https://m.primal.net/NBic.jpg\"}",
  "sig": "43f15b0c0f127d62f8465cebbda41bb02b8d3e1bf018bc2d8b7b2cad5ab1ab8ed9fa818af8195813c40e07773cba25e07126c919bbcda255cff0a3434c1ef7f2"
}
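How to check an event like the one above, as an added example (this is not code from the page, from Primal, or from any Nostr client): per NIP-01 the `id` is the SHA-256 of the compact JSON array `[0, pubkey, created_at, kind, tags, content]`, and `sig` is a BIP-340 Schnorr signature over that id by the x-only `pubkey`. A verifier therefore recomputes the id from the fields first and only then checks the signature against it; an event whose id does not recompute was altered after signing, whatever its `sig` says. The block implements both steps in pure Python with an illustrative, non-constant-time secp256k1 (an assumption for readability, not a production choice), signs a constructed throwaway event to show the passing case, and embeds the kind-0 event as it appears on this page. That copy fails the id check because the scraper replaced the `lud16` and `nip05` values with `[email protected]`, which is exactly the kind of in-transit alteration the check exists to catch.

```python
import hashlib
import json
import secrets

# secp256k1 domain parameters (as used by BIP-340).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, p):                       # double-and-add; illustrative, not constant-time
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r

def _tagged_hash(tag, *chunks):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + b"".join(chunks)).digest()

def _lift_x(x):                       # even-y point for an x-only key, or None if off-curve
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if y * y % P != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)

def schnorr_sign(msg32, d, aux=None):
    pt = _mul(d, G)
    if pt[1] % 2:                      # BIP-340 signs with the even-y secret
        d = N - d
    px = pt[0].to_bytes(32, "big")
    aux = secrets.token_bytes(32) if aux is None else aux
    t = (d ^ int.from_bytes(_tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k = int.from_bytes(_tagged_hash("BIP0340/nonce", t, px, msg32), "big") % N
    assert k != 0, "zero nonce (negligible probability)"
    r_pt = _mul(k, G)
    if r_pt[1] % 2:                    # ... and an even-y nonce point
        k = N - k
    rx = r_pt[0].to_bytes(32, "big")
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", rx, px, msg32), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(msg32, px, sig):
    pt = _lift_x(int.from_bytes(px, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or len(px) != 32 or pt is None or r >= P or s >= N:
        return False
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", sig[:32], px, msg32), "big") % N
    r_pt = _add(_mul(s, G), _mul(N - e, pt))       # R = s*G - e*P
    return r_pt is not None and r_pt[1] % 2 == 0 and r_pt[0] == r

def event_id(ev):
    """NIP-01 id: sha256 of compact JSON [0, pubkey, created_at, kind, tags, content]."""
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)   # NIP-01 escaping, bar rare control bytes
    return hashlib.sha256(ser.encode("utf-8")).hexdigest()

def verify_event(ev):
    """True only if the id recomputes from the fields AND the signature covers that id."""
    if event_id(ev) != ev["id"]:
        return False
    return schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"]))

def sign_event(unsigned, d):
    ev = dict(unsigned, pubkey=_mul(d, G)[0].to_bytes(32, "big").hex())
    ev["id"] = event_id(ev)
    ev["sig"] = schnorr_sign(bytes.fromhex(ev["id"]), d).hex()
    return ev

# The kind-0 event copied from the page above. The scraper rewrote its lud16/nip05 values
# to "[email protected]", so this copy's id can no longer be recomputed from its fields.
PAGE_EVENT = json.loads(r'''{"id":"31c365715bef13729b424f619063c9428c53ab2de6607a39c58452d9da149bb7","pubkey":"609f186ca023d658c0fe019570472f59565c8be1dc163b1541fac9d90aa4e8af","created_at":1754080086,"kind":0,"tags":[],
"content":"{\"name\":\"jsr\",\"about\":\"Chasing digital badness at the citizen lab. All words here are my own.\",\"lud16\":\"[email protected] \",\"nip05\":\"[email protected] \",\"picture\":\"https://m.primal.net/NBib.png\",\"displayName\":\"jsr\",\"display_name\":\"jsr\",\"website\":\"johnscottrailton.com\",\"banner\":\"https://m.primal.net/NBic.jpg\"}",
"sig":"43f15b0c0f127d62f8465cebbda41bb02b8d3e1bf018bc2d8b7b2cad5ab1ab8ed9fa818af8195813c40e07773cba25e07126c919bbcda255cff0a3434c1ef7f2"}''')

if __name__ == "__main__":
    print("page copy verifies:", verify_event(PAGE_EVENT))      # False: content altered in transit
    d = int.from_bytes(secrets.token_bytes(32), "big") % (N - 1) + 1   # throwaway key (constructed)
    ev = sign_event({"created_at": 1754080086, "kind": 1, "tags": [], "content": "hello nostr"}, d)
    print("fresh event verifies:", verify_event(ev), "| tampered:", verify_event(dict(ev, content="x")))
```

For anything beyond a demo, swap `_add`/`_mul` for a vetted secp256k1 binding; the parts worth keeping are the NIP-01 serialization and the ordering, id first and signature second, so that a relay or client never trusts a `sig` over an id it did not recompute itself.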
Last Notes npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Hotel toilet privacy is disappearing. Glass doors. Or no door. Or a big window into the room. Who is asking for this? npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Suddenly hearing about zcash everywhere. Feels inorganic. What's up? npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr YIKES: NSO floats Pegasus spyware use in a "time of domestic crisis" in 🇺🇸America. I believe they won't stop lobbying until they get Pegasus into USA. To hack Americans. https://blossom.primal.net/ede4092ee60114cd3466cf082d7633a9954be5ba91db50c289a4fb2b9ccf8ee1.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr POV: you can't sleep because your bed can't talk to AWS. https://blossom.primal.net/f40fdc9b25221afe46b052d2bcc18bac615d331f0dc7410af485942b8717a350.png Design thinking that inserts brittle dependence into our lives while extracting fees for life. Don't be these guys. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr GOOD MORNING. Today's massive outages nicely illustrate which of your favorite internet things are secretly Amazon-dependent. Specifically on US-EAST-1 Region, which woke up with Main Character Syndrome. Result? Massive outages. Sure, Amazon has regions. https://blossom.primal.net/aed56335234470f2190b1dab671bc3f2381aeb1947f60d282eedcc7d3eff1141.png But US-EAST-1 is the legacy/default for a pile of services...and other Global Amazon services also depended on it. So when there was trouble...it was quickly everywhere. Hyperscalers rule *almost* everything around us. And this is absolutely bad news for all sorts of resiliency. https://blossom.primal.net/8c682d82f772411b5beec356ae30c14b97d8c3cd700456265ce046fa17459478.png Amazon sez: root cause = DNS resolution with DynamoDB... which a ton depends on. They say they are mostly mitigated & have a pile of backlog to clear. 
https://blossom.primal.net/22ec4642c3406c5e5d2266279370e338e07f91709b5e15e13f5208898899eb14.png But this is a great moment to think about just how many eggs that matter are in one basket... https://health.aws.amazon.com/health/status npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: coalition sues Trump administration to stop viewpoint surveillance. Buttressed by a survey that found widespread viewpoint self-censorship among union members aware of the program. https://blossom.primal.net/c73ec48218f84c2df7e6afacff32ae39fe22c9e36337064cb4541e99d0569c3d.png The survey results aren't surprising and it will be interesting to see them replicated among other populations. https://blossom.primal.net/29e7b61b854f11ea454e3427655c26bd5b73eac629c472d407698ef394cc277c.png Unions are core plaintiffs in the suit and the basic claims are that not only does viewpoint surveillance chill freedom of speech, but it constitute unconstitutional coercion. This will be an interesting suit to watch. https://www.eff.org/press/releases/labor-unions-eff-sue-trump-administration-stop-surveillance-free-speech-online npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: 🇰🇵DPRK hackers have begun hiding malware on blockchain. Result, decentralized, immutable malware from a government crypto theft operation. https://blossom.primal.net/a107de401a522d0914a28dec26d00b96e8444e3d25259e14cfaa04a023b098b4.png It only cost $1.37 USD in gas fees per malware change (e.g. to update the command & control server) https://blossom.primal.net/4ba1cadacaac86882f3363c59e5320db53dd97c6a53fe5a689e49387e81eaa36.png Blockchains as malware dead drops are a fascinating, predictable evolution for nation state attackers. https://blossom.primal.net/29d96437b500d63006608b3bba6fdf5ae776c29ff697dfb7485b7aafbbbe38e7.png And Blockchain explorers are a natural target. https://blossom.primal.net/4a0cb4b61499359f7d3048d03000f6cce432c7211615a8029f1f7515c379de35.png Nearly impossible to remove. 
https://blossom.primal.net/816dce991b4bd694b9def92d508ae5c35f77df7fd13627ebeb5c8f223e538407.png Experimentation with putting malware on blockchains is in infancy. Ultimately there will be some efforts to try and implement social engineering protection around this, but combined with things like agentic AI & vibe coding by low-information people...whew boy this gold seam is going to be productive for a long time. Still, where here they used social engineering, I expect attackers to also experiment with directly loading zero click exploits onto blockchains targeting things like blockchain explorers & other systems that process blockchains... especially if they are sometimes hosted on the same systems & networks that handle transactions / have wallets. REPORT: https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: Cost to 'poison' an LLM and insert backdoors is relatively constant. Even as models grow. Implication: scaling security is orders-of-magnitude harder than scaling LLMs. https://blossom.primal.net/1bdbe13fe20b39f757d6d440b416a74a2099c63cb50bc344cc1d2e96f7c4646b.png Prior work had suggested that as model sizes grew, it would make them cost-prohibitive to poison. https://blossom.primal.net/d44c301ef8c297ee3eb30c7e8a161b5dcecc8618dee83607d1532d9d9ad63b02.png So, in LLM training-set-land, dilution isn't the solution to pollution. Just about the same size of poisoned training data that works on a 1B model could also work on a 1T model. https://blossom.primal.net/2c635801a74e4ddc0628adb7d1f1942cb4431550474696a7a7e36702ecb042b7.png I feel like this is something that cybersecurity folks will find intuitive: lots of attacks scale. Most defenses don't PAPER: POISONING ATTACKS ON LLMS REQUIRE A NEAR-CONSTANT NUMBER OF POISON SAMPLES https://arxiv.org/pdf/2510.07192 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Interesting! 
If we inflation adjust 1971 to 2025 dollars we get $1,237 I got curious enough to chase down the resident per-semesters costs at WVU in 2025: $5,748 So... it 4.6x'd I'd say that this is still a comparatively low multiplier compared to the costs at a lot of institutions today. https://blossom.primal.net/cff7d9281c93b585c301fa00123e4ed0e43210076728c5b7248add4eb6e259d3.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Only four fire department callouts? Clearly the Asian market isn't stocking enough durians. https://blossom.primal.net/acccaf548a46746ce45c1ba1bacc51e620cf1cb7e86d5e57ccc1d83219172ba9.png Durian is one of the only fruits where your nose can tell you if it's in stock before you get near the section. https://blossom.primal.net/de46b27f37b3b39f7868d756424918e5e71f6b66bf716070c159636f9b39a885.png Also, I disagree that Durian smells of gas. It smells of sweet old wet socks and vanilla ice cream. https://blossom.primal.net/dfa0de5167e358c0056c92a8972f7207db72f7e0981cc88521331e40d80e895e.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: breach of Discord age verification data. For some users this means their passports & drivers licenses. Discord has only run age verification for 6 months. Age verification is a badly implemented data grab wrapped in a moral panic. https://blossom.primal.net/41c3acf48c2d6d9095223d518594566dd9a6362fd09c6bd7a4c2bbb5f5649efd.png Proponents say age verification = showing your ID at the door to a bar. But the analogy is often wrong. It's more like: bouncer photocopies some IDs, & keeps them in a shed around back. There will be more breaches. But it should bother you that the technology promised to make us all safer, is quickly making us less so. 
STORIES: https://www.forbes.com/sites/daveywinder/2025/10/05/discord-confirms-users-hacked---photos-and-messages-accessed/ https://www.theverge.com/news/792032/discord-customer-service-data-breach-hack npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: turns out the EU helped finance a bunch of spyware companies with..public money. That's YOUR money if you live in Europe. Eou deserve to know that your money is fueling spyware companies like Paragon. https://blossom.primal.net/2f01eb6b8fba9ae9d0f8e4e73dbe89e89cfba080b7ffe904792ec640871a2dd1.png And if you aren't in Europe? There's a good chance that the mercenary spyware crisis is still fueled by your pensions & tax dollars. Whether it's Oregon public employees or Alaskans, Europeans or folks in South Yorkshire... The Fund managers stewarding your cash bear a heavy ethical responsibility for the harms they turbocharged. And they completely sidestep it. Now a group of MEPs from 4 EU political groups is calling for action & transparency. Good to see them leaning in... https://blossom.primal.net/643b437873534cfb74a8a38af6817c91ae0ab5f2bac2a8b2171655d6a47f2c1c.png It's great to see a cross-cutting call for action... https://blossom.primal.net/e6ff19a2896829e9069a963244441d21088d937b28ddd1b9d91311b1f61b6c1f.png Kudos to these MEPs for standing up. But honestly, there should be many, many more.. https://blossom.primal.net/8fae27925a8fc32313f7958e881cae3cdb99e453a10591f9c3ef8e887ece1caa.png Here's the story: https://apache.be/2025/10/01/european-investment-fund-eif-financed-israeli-spyware-company-paragon npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr PAY ATTENTION: The UK again asked Apple to backdoor iCloud encryption. Backdoors create a massive target for hackers & criminal groups. https://blossom.primal.net/39751af1c5bba2b2166341f8135068f8c6e54bdfa6911c5313e1bfce4dffb9c9.png Dictators will inevitably demand that Apple build the same access structure for them. 
They insert vulnerable bad things right at the place where we need the strongest protections. https://blossom.primal.net/cb31d7e5e9ee2da9699e80cda202b1e2ff77feafbfb9eaded77b93f8a2d672ee.png This latest attempt to demand access is *yet another* unreasonable, secret demand on Apple (a TCN) from the Home Office.... https://www.ft.com/content/d101fd62-14f9-4f51-beff-ea41e8794265 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Friend, If scrolling leaves you feeling hollowed... If anger is frictionless and thinking feels like fighting the current, You're not swimming, you're being swept in an algorithmic rip tide. And your mental clarity is the target. So, take a beat and step out Put the thing down. Connect with your own thoughts. It's what the designers of these algorithms fear most. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Honored to be invited to share my views on the podcast. You are a gentleman and a scholar. Thank you for having me @nprofile…2vts npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr The internet needs YOU to stand up against surveillance abuses & mercenary spyware. Thank you for your attention to this matter. #nevent1q…wdyg npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: foreign mercenary spyware is coming to the US. ICE just quietly unsuspended contract with spyware maker #Paragon. They got caught this year being used to hack journalists. Friend, let me me bring you up to speed on why this is bad on multiple fronts. https://blossom.primal.net/9149c1061b8c41d34f95e36d74f9197bffaaeca0d854081bf16ad63cbde6e22f.png YOUR BACKGROUND BRIEF: #Paragon was co-founded in Israel in 2019 by ex head of Israel's NSA equivalent (Unit 8200) w/ major backing from former Israeli PM Ehud Barak. Pitched themselves as stealthy & abuse-proof alternative to NSO Group's Pegasus. 
https://blossom.primal.net/20174dc33c0dfd6b2e621b62621d0ed0d672acde5a2db5ac5e74a93eda49714a.png The company has been trying to get into the US market for years. For a long time all we knew about Paragon was their performance as a 'virtuous' spyware company with values. https://blossom.primal.net/5255146af326cbbd9240db89a6ec67a8b298bae0f91d897ec1161573e19363a7.png All that came to a crashing halt in 2025 when they got very caught, helping customers hack targets across #WhatsApp. WhatsApp did the right thing & notified users. https://blossom.primal.net/eac330ca904f2815e0a813106efe494fd28fd512728b6e561b3c92a4ea309393.png Almost immediately after the WhatsApp notifications, we started learning about the targets. They weren't the supposed serious criminals... They were Journalists... human rights defenders...groups working on sea rescues.. etc In other words, a very NSO-like scandal. https://blossom.primal.net/a530f88b24d07ffae346e2ed762a391f0e3908142a1aa2032a87bcfe0fb649b0.png Ultimately Paragon & its Italian customer had a massive spyware scandal on their hands. WhatsApp wasn't the only player tracking paragon & doing user notifications. Apple got in on the game. Ultimately, we at the Citizen Lab had forensically analyzed cases from each notification round. https://blossom.primal.net/312ea0ccc0a650ab5d77c84cd714687bb6e0f18f47159ae91562a2b7f98270ec.png We testified to Italy's parliamentary intelligence oversight committee about our findings. https://blossom.primal.net/e6cfcf41d686d7fd1c64f12caf1fc2e5e93b9912536fd63abb51259c4a6633b9.png https://blossom.primal.net/79cb9ecdfe9c86ba9a4e051f93b8f74d9329f7b14a68e4b1ad7cf382c227d8e0.png The conclusion? Deeply unsatisfactory. Italy admitted hacking some targets, but denied hacking journalists. Tons of loose ends with Paragon. And they haven't been honest about who used their tech to hack journalists in Europe. 
BIG PICTURE: After 14 years investigating countless spyware companies, I tell you with confidence: Mercenary spyware is a power abuse machine incompatible with American constitutional rights and freedoms. Our legal system isn't designed for it, oversight mechanisms are woefully inadequate to protect our rights... Here's the thing. You probably know that mercenary spyware like #Pegasus gets sold to dictators. Who, predictably, abuse it. But We have a growing pile of cases where spyware is sold to democracies... and then gets abused. HISTORY LESSONS History shows: secret surveillance usually winds up abused. The history of the US is littered with surveillance abuses. Thing is, our phones offer an unprecedented window into our lives. Making zero-click mercenary spyware an especially grave risk to all our freedoms. If the government has wants access to your accounts for law enforcement...they have to prepare a judicially authorized request and send it to the company, which reviews it. Mercenary spyware bypasses any external review. And the whole industry behind it seeks maximum obscurity. COUNTERINTELLIGENCE THREATS? YEAH THAT TOO I'm concerned about the impact on our rights an dour privacy. But there's something else that should worry everybody about the choice to work with the company: Paragon poses a potentially grave counterintelligence threat to the US. Let me explain. When you use an integrated spyware package to conduct sensitive law enforcement / intelligence business, you have to place a lot of trust in them... If the developers originate from a foreign intelligence service that aggressively collects against the US government, that should be a huge red flag. America (or any country) should be maximally wary about using foreign-developed surveillance tech for the same reason that America shouldn't operate a Chinese-made stealth fighter. So, have Paragon's spyware, people & ops been aggressively vetted for technical and human counterintelligence risks? 
MERCENARY SPYWARE = FATE SHARING Paragon's #Graphite mercenary spyware shares the same downsides as other products in their class: ❌They keep getting caught We researchers aren't the only ones that have found techniques for tracking and identifying Paragon spyware... I'm sure hostile govs have too. https://blossom.primal.net/0e709adfa8b5b3dd375c80180988f8e322c36d1803e4c25ec1bde250716c8302.png ❌Customers fate share. Since all customers roll the same tech, when one gets caught it impacts & potentially exposes everyones' activities. Now, that fate sharing will include US law enforcement activity. WHAT CAN YOU DO? What can you do? Take 5 minutes and call your member of Congress. Ask them to request a briefing on Paragon. They should ask whether the company was properly vetted & reviewed. What is the oversight mechanism for this maximally invasive technology? What are the guardrails? How would abuses be handled? Etc. PERSONAL SECURITY? Paragon & this category of spyware is fiendishly hard to track & defend against. And on a personal level? Apple's Lockdown Mode & Android Advanced Protection both offer some serious security benefits but neither is a silver bullet.. Unfortunately, as of right now I am pretty confident that no publicly available / commercially developed third party tool can reliably detect Paragon spyware either in realtime. Or retrospectively. Beware a false sense of security. If you got this far & found this post useful, let me know! Drop a comment. SELECTED READING LIST Exclusive: ICE reactivated its $2 million contract with Israeli spyware firm Paragon, following its acquisition by U.S. capital https://jackpoulson.substack.com/p/exclusive-ice-has-reactivated-its Virtue or Vice? 
A First Look at Paragon’s Proliferating Spyware Operations https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/ Graphite Caught First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr https://blossom.primal.net/b72f95f8173a430e49c15234758948a892002df9cd03c1f86f693ba4f9e8db17.png Voices of Insects, 2019 Kaori SOMEYA https://www.someyakaori.com/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: Analysis finds UK's age verification rollout is producing exactly the opposite of the desired effect: Driving traffic non-compliant adult sites. Which punishes compliant ones. https://blossom.primal.net/4406425c4388fd1769af572ba21cbab5e7129f5a048e8d43376b84336b682195.png Entirely predictable. The more the government squeezes, the more they reward the very sites that scoff at their rules. https://blossom.primal.net/9d9d363cfb37b0405a26e629df6aa7ce883baa453606df44dfba28c956ee8314.png And then there's the matter of the UK government asking people to please stop using VPNs... It's a harmful embarrassment. The UK's age verification law forces law-abiding citizens to hand over personal data / scan their faces as they browse. Compelling folks to participate a massive clandestine census of browsing activity. As these troves of data grow, they expose everyone to the risk of new breaches. And worse. Read more: https://www.washingtonpost.com/technology/2025/08/31/age-verification-uk-porn-sites/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr GOOD MORNING: WhatsApp caught & fixed a sophisticated zero click attack... They just published an advisory about it. Say attackers combined the exploit with an Apple vulnerability to hack a specific group of targets (i.e. 
this wasn't pointed at everybody) https://blossom.primal.net/b39ccf0552138996a4f86c4ff97fd60d7610ce71fc30f309cc8040b7aab8cfff.png That's a CROSS-APP exploit chain. Which is fancy. We'll discuss in a second. But wait, you say, haven't I heard of WhatsApp zero-click exploits not so long ago? You have. A big user base makes a platform big target for exploit development. Attacker's perspective = an exploit against a popular messenger gives you potential access to a lot of devices. The regular tempo of large platforms catching sophisticated exploits is a good sign. They're paying attention & devoting resources to a growing category: highly targeted, sophisticated attacks. But it's also a reminder of the magnitude of the threat. https://blossom.primal.net/bd2bae1825b7e29da59df2eaf0ac9bd5b3bec75ae8260e135dcdec3de45f8b11.png Here's the Apple CVE. Somewhere, earlier this summer, some people in a room probably had a bad day when this clever cross-app chain stopped working. The cross- app chain = probably also a sign of the increasing tech lift required to get to device compromise. Consequence of various mitigations. The cost-to-compromise is only going up. Which is arguably a sign that the increasing scrutiny + efforts by platforms & OS developers is having an impact. That said, the threat of this stuff is going nowhere because there's an infinite governmental appetite for compromise. Still, I'd argue that increasing costs of zero-clicks has the effect of pricing out a bunch of potential actors which slows the proliferation of this tech to *some* bad actors. WhatsApp Advisory: https://www.whatsapp.com/security/advisories/2025/ Apple Advisory: https://support.apple.com/en-us/124925 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr The water is boiling. Frog, it's time to get out of the pot. 
https://blossom.primal.net/4276dc095c872ee713b11a8fb2e3315892394b0f2718ccbb01c66eaf20b02606.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Did the University of Chicago blow their endowment on shitcoins? Nobody is exactly sure how much they gambled and lost on 'crypto.' But they are now freezing research amidst federal funding cuts. https://blossom.primal.net/80f8ea9b854920942d5ae0ea946c28e5763ac291ea148e09ea65c3605bddf749.png If only they'd put that money into BTC those labs where I slaved away as an undergrad would be humming. Source: https://stanfordreview.org/uchicago-lost-money-on-crypto-then-froze-research-when-federal-funding-was-cut/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Age-verification laws are a universal mute button for free speech. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Government‑mandated KYC to read is coming fast. And the walls of castle freedom are cracking. https://blossom.primal.net/0adf7bd998849dbe165fb9fd64a56ce4b23353d0b8e8ff04c47f678d490eeaac.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Why haven't mosquitoes evolved silent flight? npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Warning people on national TV that VPNs let them slip past age verification might be the slickest free advertising the VPN industry has ever received. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Everybody please stop using VPNs begs UK government. https://blossom.primal.net/dd5a95ed87ff8ce42f04fc3acbcade7207d5b4624e246cd067660f7c2b740e60.png #nevent1q…nuu8 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr "everybody who's out there thinking of using VPNs, let me just say to you directly, verifying your age keeps a child safe...So let's just not try and find a way around. Just prove your age." - UK government. 
https://blossom.primal.net/603be98e6ef0e56611d5583c63c9ec0b2461541b81785456cd0441048b2db5d3.mp4 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr The goal is to make you numb to total surveillance. https://blossom.primal.net/0addb7f18b6fe5ae06dc2f95d0332d0b5dbf09b7e2bc1483f66a4494877db889.png Just say no to snitchglasses. https://blossom.primal.net/095cc47e879289a4d2f2d2375798d3c6ee808bcd66317a59168557cb672e58cd.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr WHOA: Could Germany Ban Ad Blockers? German megapublisher Axel Springer is asking a German court to ban an ad-blocker. They claim HTML/ CSS of their sites are protected computer programs. And influencing they are displayed (e.g by removing ads) violates copyright. https://blossom.primal.net/f1aac1c7cba207b4d4e91d2b267422fa792447a5cdcdc9d3b27edc3deb899a7a.png I'm in puzzled wonderment at this claim. Preventing ad-blocking would be a huge blow to German cybersecurity and privacy. https://blossom.primal.net/a92542ec974ecc602b7befd2400ae837980bd04b2f7ebf0dfe9744ae8807b2bd.png There are critical security & privacy reasons to influence how a websites code gets displayed. Like stripping out dangerous code & malvertising. Hacking risks from the online advertising are documented. https://blossom.primal.net/f3ed60773ca3408465acd4dbfdbb649bb9b209ea5d976dcb3b8a15e7b3e15e93.png Any attempt to force Germans to run all of the code on a website without consideration for their privacy and security rights and needs will end very, very poorly. Defining HTML/CSS as a protected computer program will quickly lead to absurdities touching every corner of the internet. Just think of the potential infringements: -Screen readers for the blind -'Dark mode' bowser extensions -Displaying snippets of code in a university class -Inspecting & modifying code in your own browser -Website translators Or blocking unwanted trackers. This is why most governments do it on their systems. 
https://blossom.primal.net/b1d66083392034b2062aebd1cb6059fcca669520b50d065e54dc4dce4bde8c69.png I'm not a lawyer, but if Axel Springer wins the consequences are just nuts: Basic stuff like bookmarking & saving a local copy of a website might be legally risky. The Wayback Machine & internet archives and libraries might be violators. This might even extend to search engines displaying excerpts of sites. Code sharing sites like GitHub could become a liability minefield... The list goes on and on. Finally, only one country has banned ad-blockers. China. This is not good company for Germany. READ MORE: From Mozilla https://blog.mozilla.org/netpolicy/2025/08/14/is-germany-on-the-brink-of-banning-ad-blockers-user-freedom-privacy-and-security-is-at-risk/ Bleeping Computer: https://www.bleepingcomputer.com/news/legal/mozilla-warns-germany-could-soon-declare-ad-blockers-illegal/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: UK reportedly drops secret demand for Apple encryption backdoor. Good. https://blossom.primal.net/38dc0f66a1f407c85c64a7ea0db90a8f3bb5e7d335249f4036c91589b551842e.png While there was strong activist pressure here the key push came from the US government. https://blossom.primal.net/5575a11ab7e5879e296f79d5ef9719175c0b6582643c0493cd8719a2b8030a50.png But there is zero rest for the weary as the UK has been leaning much harder into Age Verification. Which is another mechanism for gaining deep visibility into peoples online activity. Story: https://www.theverge.com/news/761240/uk-apple-us-encryption-back-door-demands-dropped npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Behind every marble statue account is a... https://blossom.primal.net/eb2ebc9e29ac27d7e05ad9d5dc222a8c816acbb7962c90ccd8b28a88d08c08b2.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr UPDATE: LAPD is considering acquiring geospy. First US police Dept. known to be interested in it. Won't be the last. 
Story: https://www.404media.co/lapd-eyes-geospy-an-ai-tool-that-can-geolocate-photos-in-seconds/ #nevent1q…yu23 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Yeah! Humans do OSINT. Some do it super well. So what is different about an automated house locator as a service that uses dwelling interior pics? Turns out we counted on friction to protect us. Not rules. Not norms. There just weren't millions of Trevor Rainbolts that could act instantly OSINT anything that invasive. https://blossom.primal.net/169aae69feb40bf254177ebfa8c1216f3fca6d771fd556ea6ec8430bebfdb8c7.png It was a cost thing. Meanwhile the datasets were getting collected. Zillow. AirBnB.. etc etc. When the right invasive automation came along... the privacy / rights intrusion became automated & scaled. Unstoppable. And we were left unprotected. Like with so many privacy & power things. #nevent1q…yr9a npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Designer lets intrusive thoughts win. Deletes Lorem, calls it a day. https://blossom.primal.net/9167a5f4a4416b8f8ad576b351cae7e001275c69feaa858c84398435f8ee7dd3.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr I have, it's a clever vector. But what I find especially interesting is how all of the old categories of attack are sort of getting...rediscovered for the vibecoding era. This is like the reboot of typosquatting. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Location tracking based on interior pictures. It will be abused to target people. Post the inside your place at your peril. https://blossom.primal.net/37c8d6d2f6c2c9ce1d8d3332fbbfd044b20ec93e0af249f1013d527e55532178.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Earliest days of vibecoding-as-a-target. Without a radical increase in security, vibecoders will get wiped out & lose their savings. 
https://blossom.primal.net/c462c603484af25db18c1ac377645528de47bb89f48612b656267f31383441b8.png And their companies will get hit with fat breaches. https://blossom.primal.net/ca0c5f4be51943cf17235bfa2bbb3aaa4f245ab73676de62df359e56192a3694.png Me? I'm waiting for attackers to figure out how to reliably slip backdoors into vibecoded outputs at scale. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr X: we are actively fighting bots Also X: here's an ad for bots. https://blossom.primal.net/3198762cd6c26dd51063e2a87123d134f379875c2be0a9c1bf1828bba97fa265.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr If you want to browse the data yourself you can get it here: https://uasvis.usc.edu/corevisualization.php https://blossom.primal.net/79f50b083fa233a25b8509d3953a155b505225b6fd0f1c70d6b42dcabf6e2c42.png npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Neuroticism? Ripping. Conscientiousness & agreeableness? Dipping. https://blossom.primal.net/c12eb7010fba26e5ad3391a0d55e47d3a9bf61fccd2b5aacd584aa86e528da2b.png Via FT: https://www.ft.com/content/5cd77ef0-b546-4105-8946-36db3f84dc43 npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: 🇩🇪Germany's top court says spyware severely violates fundamental rights. Bans spyware in cases with <3year sentences. Enforces tough proportionality tests on all surveillance. https://blossom.primal.net/c1cb0062fe7c265c22c8d71453b0ba4ac6686c1aedb23f72b02e4b4e2801fb86.png Restricts spyware to serious cases. Interesting development. https://blossom.primal.net/a2ba5661ae80e0ddc56672a4186b5e6dabac8d8c18691a9b4ff7fe0232e6c6bc.png Court says: capturing data at the source (i.e. on someone's phone) is maximally invasive. Especially given how much of our lives happens online. They also surface the security risks to systems from this kind of surveillance. 
https://blossom.primal.net/30448a7dfdb898087a6e684cba842c1a01d101c4746863db380187171a70fa5d.png Watching Germany's highest court grapple with spyware's invasiveness & rights violations is instructive. States wielding spyware without robust legal limitations and tight judicial oversight... are almost guaranteed to be violating their citizens' basic rights. In so many jurisdictions, state secrecy & lack of effective legal challenges means spyware harms happening daily Huge credit to German digital freedoms organization #digitalcourage for bringing this case. Court statement: https://www.bundesverfassungsgericht.de/SharedDocs/Pressemitteilungen/EN/2025/bvg25-069.html npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Internet-connected microphones in school bathrooms. What could go wrong? https://blossom.primal.net/cde78c4f30f6dcc440598f49641fa6c7a29a7a6816f048dce13128be8df7749e.png Mandated microphones in private spaces are a bad idea. Throwing invasive sensors into private spaces rarely fixes socially scary problems. But is almost guaranteed to have risky downsides. https://blossom.primal.net/7da39cdd62cbd37ae4b6ceedc0bfbf8ce729b74809e18f41f697cf54a9b605ea.png Story: https://www.wired.com/story/school-bathroom-vape-detector-audio-bug/ npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr My prediction for the UK's Age Verification? The failure to protect children will become obvious. But the systems that force grownups to provide their IDs before sharing political views will persist. Because too many bureaucrats and certain big corporations benefit. npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Regular people know that age verification mandates won't work. But they are worried about their children's safety, and they aren't being offered non-dystopian alternatives. 
https://blossom.primal.net/83ced0c9030964182d85a09e59c52538fd077070dfcace62e06725a5169a0220.png

jsr: This is the way

jsr: LLM chat exposures keep on coming. Why? My theory is that these platforms don't do a very good job explaining to users what their public/share features mean. Result: users may think that while something is public, that doesn't necessarily mean that anyone is indexing or caching it.
https://blossom.primal.net/47540c3cb93e3feaed3c145f56d63c4b91dd852cec321aa8255b0bb81112ec0e.png
Story: https://www.404media.co/more-than-130-000-claude-grok-chatgpt-and-other-llm-chats-readable-on-archive-org/

jsr: What took them so long? Maybe they had to dust off exploits from the 2000s? Or maybe the better question is: how many unnoticed breaches have happened here? It is an open secret (ask any lawyer) that these court filing systems are incredibly out of date.
https://blossom.primal.net/9929be055201d173e4091b4a5567af3956e099be1e2a581bf50449498dd1fc22.png
https://www.politico.com/news/2025/08/06/federal-court-filing-system-pacer-hack-00496916

jsr: They want turbo #KYC in everything.
https://blossom.primal.net/ecd4646e496e885a6a81315009c0a693a60796e885c57e15eda05446aca6dbf0.png
Pic via: X post by Rob Warren (@bikesandbitcoin)

jsr: Own goal alert. Governments constantly demand more access to monitor us. But are completely reckless about the systems they use to handle that data. Harming all of us.
https://blossom.primal.net/ed9409f106cd7f140996198180580611baecaaabc0e470962090247f642f4275.png

jsr: How are Daily Active User numbers looking on #Nostr these days?
#AskNostr

jsr: Nice, simple framing

jsr: Agreed. Meredith has been a powerful voice for sure. And is a great example of a person that has a strategy that works.

jsr: Age verification laws are coming fast. And, from my perspective, opponents are struggling to find impactful messaging to explain to the general public the damage they are about to do to freedom. Or to propose alternate futures that address the underlying anxieties.
Sure, most folks that are here on #Nostr intuitively understand the dangers... And nod along when we gesture at the dangers of surveillance overreach. But I worry that the common language for talking about these initiatives typically relies on some priors that are not universally shared outside people that live and breathe concerns about tech.
Saying that something is a surveillance dystopia works on me. But not the neighbors. I'm guilty of being inside this language bubble too, and it's hard to escape.
Yet, when faced with politicians talking about protecting kids from bad things that parents feel they see right now... I worry that the communities doing pushback are struggling to:
1 - find framing that makes *enough sense* to the vast majority of people that they say 'ok this is net bad' and push back
2 - find their own ways to productively connect with the anxieties that politicians are drawing on. E.g. worried parents.
3 - offer things that are honest, well-meaning alternative paths for the underlying problems
Anyone have thoughts on this? #AskNostr

jsr: We are in the opening chapter of using vibecoding to assert your rights. And reclaim your freedoms. Tremendous time to be alive.
jsr: It seems to me like a strong anti-AI view is becoming left / progressive coded. I'd love to understand this better. Anyone have thoughts?

jsr: Rhisotope
https://blossom.primal.net/6d81f88a3bae0b73c45a24e111476ce09e9ab40a27e748c71f6bb86c4265209e.png
Sauce: https://www.bbc.com/news/articles/cyvn3264q01o

jsr: Google bad ux. And you'll get your results in Comic Sans. Try it
https://blossom.primal.net/fafa11b0f30a66107f1d6d9d3ed88fe5377706cf652e5cca9c981c58168e7965.png

jsr: It is a lot easier to celebrate a turn towards dictatorship when you are untethered to historical knowledge. No amount of centralized power delivers a society with true personal freedom in the long run. History shows that even when dictatorships perform 'well' on some factors, especially in the short term, they send people into a freedom-robbing labyrinth.
Do you care about personal liberty? Because in the long run with dictatorships you will lose on having a society that supports freedom, personal rights and liberties and decentralization of knowledge and innovation. Because dictatorships concentrate power without balance.
Over time as inequalities & unfairness become severe... the rule gets more brittle. And dictators have to give more favors to the people that help them stay in power. Like economic favors. People with ambition then need to play into the system and help prop up the dictator if they want to keep their resources. Even then they are vulnerable to having everything taken.
And for anyone that dares point out increasingly obvious flaws? Well, most dictatorships invariably slide into repression. People with new, better ideas that also happen to challenge the dictator's entrenched interests?
Or those of the dictator's necessary economic allies? Family members? Point out corruption? Co-opted or cut down. Fueled by massive surveillance. And the threat of violence. Because self-censorship scales better than physical coercion on each person.
People see opportunity for personal advantage. Some become informers. Some delight in the cruelty of seeing people they dislike arbitrarily punished.
And when the strong leader dies? The society can be incredibly unstable as it carries the weight of so many injustices, so many lies. And for the system to persist? More repression needed.

jsr: The bones of this are already in place. And if you look at the EU & beyond you see a super-intense push for Age Verification... which is always the leading wedge. No accident that many of the countries pushing for this are also the biggest hitters in signals intelligence & monitoring... ...With the worst norms for personal privacy and freedoms. #nevent1q…qdee

jsr: Objectively, a terrible hammer. But a reminder that we still are in the earliest days of GenAI touching various fields.
https://blossom.primal.net/fd93f6e53ecb2ea7ae054b9035ba6353cab7d4fe6ac08efd33259e3efcdb733f.png
Like CAD. Where I think the impact of GenAI will be enormous. Natural place for it. So many human hours spent creating extremely simple repetitive things with slight variations.
Checking in on the incumbent Autodesk... and looks like they are incorporating AI in assistant / #ML ways.
https://blossom.primal.net/e3342b41c9bfe0ad1f1954d9f5ffef2d2d48b697e22a9a5998baf5acb6656448.png
Looks interesting. Conservative. Very incremental. Makes sense given their codebase & users. Lots of inertia there too so I wonder what they have in the pipe? And how they will handle the upstarts going hard on generative model / asset creation.
https://www.engineering.com/autocad-2025-adds-ai-features/

jsr: thoughtful observations, appreciate you sharing.

jsr: Vibecoding is super interesting. And powerful. Coding syntax is getting better. But secure coding isn't keeping pace.
https://blossom.primal.net/9a78f8fc77ff207e7b616b7b9cf1e8632dcc090d1ca3929a2571096cc37999f9.png
In a test of 100 coding models, 45% of them introduced a serious vulnerability. For example, in 86% of tests, code wasn't secured against Cross-Site Scripting.
NOW-TERM IMPLICATIONS
This has big implications. Sure, there are the YOLOcoders that ship whole vibecoded apps without thinking about security. Or code review. Some percentage of their users will get rekt. If those projects get near high risk users, they are sprinkling knives in the weeds with potential for harm.
BUT BIGGER MODELS = BETTER?
Interestingly, even big fat models aren't massively better with security.
https://blossom.primal.net/331ac94efdd38beeac1a586c2781d49c4c7add3cef01acbbef3fa32b11c82fda.png
S'EVERYWHERE
My other worry? Vibecoding without security check steps is happening in existing projects / platforms etc. Even when people say they are coding. Sometimes they be vibecoding. This sort of thing has already come to tools you use, including to handle your funds & privacy. Sure, secure code writing & review has never been anything near universal, but the scale and speed of new code creation that #vibecoding enables is new.
VULNERABILITY DISCOVERY...ALSO ACCELERATING
ICYMI, vulnerability DISCOVERY is also accelerating a lot faster than secure code creation... Whole industries are spinning up, including lots of offensive projects.
ME? I #VIBECODE
I love the change in how I create with code. But I think we are in for some really rough times, and the least informed parties are gonna be users. As ever.
https://blossom.primal.net/ef770b918129ade63e4ee5fd0d59870ef8ee5f03d3f88aa5acfe8bd13c2085f4.png
In the longer run this problem space also seems to offer paths for AI-driven improvement in secure code creation. But since not everything is accelerating at the same pace, the deltas = harm.
Sauce: https://www.veracode.com/blog/genai-code-security-report/

jsr: The EU's Digital Identity Wallet project has a lot of big icks. Looking at the GitHub for the Android Age Verification application feels like chewing rocks.
https://blossom.primal.net/bdf09dad278f101fecfe66177c4b38e8f209581fac0a3b1ab0d54ea9ed77f18f.png
Like the proprietary attestation baked into a must-use form of identification is absolutely the wrong path...
https://blossom.primal.net/e6f73e0cb71e378b675adddbd84df59beca65bc034c82b1388e15a4f7d7b3762.png
And while we're at it, recall the rule of thumb: Age Verification, either by deliberate or convenient naïveté, is almost always a surveillance trojan horse.
Source: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui

jsr: Proton #VPN signups spike 1,400% as the UK Online Safety Act rolls out. Proton says the spike is sustained & higher than when France blocked adult content.
https://blossom.primal.net/e0b525ae4751aaaeda34b09f81cea469f36238bd809373b2022a0fe5d8f39e2c.png
Source: https://archive.ph/i2d9W

jsr: Tea enforced ID & selfie collection. And doxxed their own users.
https://blossom.primal.net/cb0f2966b486824fac5732238564bc141b938e86007871eabca721bc54373f42.png
In other news, the UK Online Safety Act is forcing websites to begin collecting IDs. This will end, predictably, in fresh breaches.
https://blossom.primal.net/16f7c9531291322cdc435e7c81e2b24e804e3925f0b0d15f3cc00706af9d0a1e.png
And more harm to users.
jsr: The only way to deal with an unfree world is to become so absolutely free that your very existence is an act of rebellion. -Attributed to Camus

jsr: Your honor, in my defense I was being extremely productive at the time of the crash.
https://blossom.primal.net/3a439dceb61d0fc43f0ead802678afb34067cfed2873206caea8626ad50d7fe1.png

jsr: You read dystopian sci-fi as a warning. These companies found business plans...
https://blossom.primal.net/8f7de3a999f76a648e8d3e5a26e7ce06bf3f940a8aefe5e58aa28f3f9250cfc0.png
Just as there are war hawks that delight in hard talk about military action, there are surveillance-yearners...
https://blossom.primal.net/448aedc9350e2acd8165dceb37af2792dc8a5615d72da5c8f5c605d3d7d72afc.png
For reasons I'll never fully understand, the UK politicians aren't just surveillance-permissive. They delight in the idea. Pre-crime preventative detention coming soon...
https://blossom.primal.net/9f2638a7681b4cbff6e3d1e2dd3d5f607a028c88ae1a730fb4f29d7ca62344a2.png
https://www.theguardian.com/society/2025/jul/01/tech-firms-suggested-placing-trackers-under-offenders-skin-at-meeting-with-justice-secretary

jsr: Mass biometric surveillance is a one-way ticket away from democracy.

jsr: How it began: "our service helps consumers quickly do X..." How it's going: "we help business understand consumer behavior..." Soon: "we're launching a surveillance subsidiary for government customers..."

jsr: You bet. This attack was ... proper clever

jsr: This is a tool for one person to acquire a lot of power.
Sam Altman wants his technology to become not only unavoidable, but mandatory.
https://blossom.primal.net/bfd04d401a2d8a1a0c6c5b9d474b7188d006c0cc2a1fea619f4e53570494901f.png
Bad move for privacy & freedom. Worse move for #Reddit, whom he might very well one day compete against. h/t @nprofile…xncl

jsr: The funny bit of this is that the whole thing was actually structured around the deception of setting up a ...secure video meeting

jsr: Computer vision & HUDs are cool. AI vision is fascinating. But this is a trojan horse for megacorp to get into *all* your interactions. Friends don't let friends bring Zuck in a backpack on their adventures.
https://blossom.primal.net/cc9a7e6cda3ee22b3835c484f56376983e60f171b49b29c723711c11db068caa.png

jsr: Or, wear these #Dorkleys yourself & become an NPC constantly asking your eyewear 'hey meta is this real?'
https://blossom.primal.net/5fd0a98bd9541203b6b2854aa0e9cde850e6e4a46fb3f09bf1b7c43a80eb1a5c.png

jsr: I prefer the company of people that don't snitch my business to skynet.
https://blossom.primal.net/f161ba9922a7b534e2a925c5a641c331f659e6f68d70d3a664e98103a5cd87df.png

jsr: You can patch software, but you can't patch people. This is why social engineering will always work. The human brain is loaded with forever-day vulnerabilities... and attackers are constantly probing. Sometimes I think that they've developed a more applicable & empirically tested theory of human motivation and cognition than psychologists... Sometimes tens of thousands of A/B tests a day...

jsr: Totally. You can patch software, but not the human brain.
In this case I'd say there was no greed, he was just doing his job. Which often involves having this kind of meeting. I think part of what worked here is that the attackers were *so slow* and really did things pitch-perfectly to what he'd expect.

jsr: Yes #Nostr does! As someone that just finished writing up a long post... Excited for this! #nevent1q…l4hq

jsr: 🚨NEW REPORT from us: exposing a new social engineering/hacking tactic. 🇷🇺Russian state-backed hackers successfully compromised a prominent (& professionally paranoid) expert on Russian military operations. Shocking, right? But the attack is solidly clever & worth understanding. I expect more like it.
https://blossom.primal.net/151037fad612bb0112412f07189b1ec3479e3ebd709221dd99af94e1b4123507.png
ATTACK FLOW
Keir Giles gets a message purporting to be from the U.S. State Dept asking for a consultation. The attackers send the message from a gmail, but CC'd a bunch of state.gov email addresses. Including one with the same name as the purported sender.
https://blossom.primal.net/e9b747098271f185e66adda014e5d050f570a0120000d74724fd0f376eaa56ba.png
Strong credibility signal to have a bunch of gov ppl on the CC line, right? Well, what the attackers were counting on is that the State Dept mailserver just accepts all email addresses without emitting a bounce. So they seem to have just created some fake State Dept staff names and addresses.
INTRODUCING THE DECEPTION
The attackers wait for the 2nd interaction to introduce the pivotal deception: getting him to 'connect to a secure platform.'
https://blossom.primal.net/da077358623aab8cc204741a4db027cf41d461254422fadec7872c2d0a94ed4f.png
In the next days they patiently walk him through what they want him to do, even sending a very official looking (but fake) State Dept. document.
https://blossom.primal.net/e4dcc76e9e00377d285dfd3392171aeb604f8be0dac94746db4e11459cee65b8.png
The attack works like this: the attackers try to deceive the target into creating and sharing an App-Specific Password (ASP) with them. They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works).
REMINDER: WHAT IS AN ASP?
What's an ASP? Well, not every app that users want to use supports Multi-Factor Authentication. Some older email clients, for example, don't. So providers like #Google let users create a special password just for those apps.
https://blossom.primal.net/ecc8d336f426eaa27ae4744e7f4cb4c2cac3edd0ec17d6da83bc77b4673aeac8.png
There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it.
https://blossom.primal.net/8d0ed38e7478f802ad67adabc91a6e7f8d4e8453b1dd7c2328732864b5aa0815.png
Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd... I could go on. They even had Keir enter "ms.state. gov" into the ASP name...
SLOW FOOD SOCIAL ENGINEERING
This attack was like slow food. 10 email exchanges over several weeks! Very much not your run-of-the-mill phishing. It's like they know what we all expect from them... and then did the opposite.
Ultimately, he realized something was wrong and got in touch with us at #citizenlab ... but not before the attackers got access. He's said that he expects some sort of 'leak' constructed out of a mixture of his real messages & carefully added falsehoods. I tend to agree, this is a pretty common tactic.
Here's what that looks like, btw, from a report we did back in 2017 where we compared what was released after a hack by Russian hackers vs the original:
https://blossom.primal.net/d78c6546306d909b92b1f2df20371c9eeff07b1bfe9081cff27cadf7dc14e1ab.png
Coda: Hilariously (to me at least) the attackers called the fake platform *MS DoS*
https://blossom.primal.net/ccba459e840ce297664a2bda301d1438b3b8e51b585d169addcf8d21964c7fff.png
WHO DID IT?
Enter the Google Threat Intelligence Group w/analysis & attribution. GTIG had been working on their own parallel investigation. Our friendly social engineers are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor.
https://blossom.primal.net/515d82cd455084e58ae7dff4d35bd5d435912eb37851c400975a236e0ee498b0.png
Google adds a bonus additional low-confidence association to #APT29 (that would be Russia's #SVR). Nice people.
TAKEAWAYS?
Takeaway: some gov-backed groups are feeling pressure & experimenting. Moving from smash & grab phishing... to subtler, slower & perhaps less detectable. Targeting App-Specific Passwords is novel. But it's just part of a trend of state-backed attackers innovating & moving beyond simple phishing that targets credentials (maybe multi-factor codes) towards other mechanisms of account access.
https://blossom.primal.net/336640b188c251fa283158375999307dcca111d77eae861bd0a35f74543eed45.png
A lot of more sophisticated attackers are also spreading attacks across platforms... for example starting the attack on Signal/Telegram, then later pivoting to email, etc. The folks at Volexity (above pic showing a similarly complex operation) have some good reporting on that (link below).
GET SAFER
Do you think you face increased risk because of who you are & what you do?
✅Use Google's free Advanced Protection Program.
Set it up now: https://landing.google.com/intl/en_in/advancedprotection/
https://blossom.primal.net/e5cf606d56a80fd5beff0b27169d03de332bb6653b95bcff6fe4335ec5630dac.png
✅Exercise extra skepticism when unsolicited interactions slide into suggesting you change account settings!
https://blossom.primal.net/56bd9a26f59aa26cfccb5d6aa4570a7b9cb0ad34b25f36fe692098baa3d80e19.png
✅Talk to your IT/Security team about ASPs. Share the report, we've made some suggestions for them...
READ THE REPORTS
Ours at Citizen Lab: https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/
Google's Post: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
Other citations:
Our Tainted Leaks report where we walk through how materials got manipulated & leaked after a Russian gov hack: https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/
Volexity's recent report: https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/

jsr: Searching #Youtube, I ignore content less than 12 months old. To get past the #GenAI sloplayer.
https://blossom.primal.net/99a06fdb07f8738feb873f27d84692e7cd8deead8c5fd9051e202e2f3f82291b.png
Like a volcanic explosion. Except instead of blanketing the world with ash, it's a smothering burden of low value, low-enjoyment, derivative, error-filled content.

jsr: "The Arab writer can be easily killed by their government under the pretext of 'national security'" -Turki al-Jasser in 2014, unwittingly predicting how he'd die in 2025. He was just executed by Saudi Arabia, probably by beheading. For his posts critical of the government.
https://blossom.primal.net/f0e519d22a3b0f37db56b234a0d80d685e6e58578c7bf400e7247257d4308002.png
He was reportedly tortured while in prison.
Story: https://www.theguardian.com/world/2025/jun/18/saudi-arabia-turki-al-jasser-executed

jsr: Truly clever stuff.

jsr: New: WhatsApp announces that they are adding advertising. Ugh.
https://blossom.primal.net/76573b7d579cdd2595cd6d8ea5c47da8fe7c3a4ddaca0c6547805ffe978251f3.png
As a researcher working on targeted / 0click attacks (including a few that have been done over WhatsApp...) it's hard to see how this works without opening up a fat new attack surface to be probed.
https://blossom.primal.net/433f053e064ffb25187f1fd2e61eba7f82ada119765f79f75a1dbbe438658da7.png
I'm also worried about the ways that these advertising signals get used for tracking people in new parts of their digital lives. And it bugs me that it's going to be really hard if not impossible to use WhatsApp in a privacy-first way. What are your thoughts?
Writeup: https://techcrunch.com/2025/06/16/whatsapp-is-adding-ads-to-the-status-screen/

jsr: Dihydrogen Monoxide is an oxidizing agent and can quickly lead to corrosion of many metals. These dangerous properties are enhanced when salt is added. It can also carry many other impurities, even bacteria, amoeba and viruses. Ingest with caution. I have a bottle with me right now and I am taking extreme care.

jsr: The homeopaths that claimed that the doses were too large to kill were following established homeopathic doctrine... Where potency is inversely related to efficacy. And the chances of finding a single molecule of the substance in a dose are infinitesimally small. Like single atom in a galaxy small. Here's a helpful chart from Wikipedia.
https://blossom.primal.net/dc829ce488d539b4d80a1dbacef5c969562f98cf96e2d2db08915ebede7000ac.png

jsr: Throwback to the 2010 Mass Homeopathy Overdose that killed scores of skeptics.
https://blossom.primal.net/6afc5ffe7f12308666fa9f7b8c9d54cad5d2ed169816025f029fdc1627333f6a.png
Just kidding, they were fine. I remember getting curious about this & chasing down homeopaths' responses. My favorite went like: 'well of course they survived! They took too much! If they'd only taken less... it could have been really dangerous'
Pic: https://www.nursingtimes.net/archive/mass-homeopathy-overdose-protest-outside-boots-01-02-2010/

jsr: Government surveillance powers are like a ziptie. Nobody has the incentive to loosen them. They only ratchet tighter.

jsr: Headline that I saw...
https://blossom.primal.net/0dba01b8ddf305d71f78918a555bd1bd6d2715e087b8f6a5ce6fdaf6a7cf39cf.png
This is not something I was tracking.
https://blossom.primal.net/6201ecf0be2855126a7cd4d55defcf0388b1dc2da83beaf803365c1b7817444a.png
Source: https://www.thefp.com/p/im-the-cto-of-palantir-today-i-join

jsr: This is an interesting question that I wondered about too. Here's why I think it works: you have a mix of things picked up by such an indicator, including spikes in takeout traffic as people are sent to get pizzas... You probably also pick up things like delivery drivers / doordash etc coming in and out collecting orders. Ultimately the proof is sort of in the pudding on this indicator: it captured the pre-strike frenzy of activity.

jsr: And unfortunately it remains undefeated.

jsr: Pentagon pizza place indicators are undefeated.
Israel just launched an air attack.
https://blossom.primal.net/86ba7e4c3c67493360439d89a79ee1ae5d2b5ab6b6bdbe5b25239742fefa9f2b.png
Source: NYTimes. #nevent1q…vctq

jsr: 🚨NEW INVESTIGATION: We just forensically unmasked #Paragon's Apple spyware. Zero-click targets: Journalists. In 🇪🇺Europe. Like 🇮🇹Italian reporter Ciro Pellegrino. Reopens #Italy's spyware scandal. Follows our earlier Citizen Lab investigation of Paragon Android spyware.
https://blossom.primal.net/f84b4ed767f2fc69a0dee3d6fe417f69a7e55e6676620c938ff1645aa5d57a5c.png
BACKGROUND
Back in April, #Apple sent out a threat notification to a select group of users. Some got in touch with us to get analyzed.
WHAT WE FOUND
They'd been targeted with a sophisticated zero-click attack (think: no click, no attachment to open, no mistake needed...).
https://blossom.primal.net/cf1eac34dc665075a1e3761992a6d2d38a155d99e05058401bd685b8843f1a0a.png
While my brilliant colleague Bill Marczak was working on the phone of a prominent European journalist, he made a smoking gun discovery: requests to a server matching our P1 fingerprint for #Paragon's Graphite.
https://blossom.primal.net/68f475e66eb02beadaaed4feb7cb853b26112289a1861b45cbad18fcdb9ad09f.png
Paragon's 'undetectable' Apple spyware had just been found... Just as we'd found their Android spyware some months ago.
https://blossom.primal.net/9d4412f41a7fa7dc618fa7109eb6c40e865f45ca008e017371761c77a194879b.png
The prominent European journalist had another spicy indicator on their iPhone logs: an iMessage account belonging to a particular #Paragon customer... used to deploy this zero-click attack. We call this account ATTACKER1. We'd find them again in short order...
https://blossom.primal.net/1921d65e5d4f9734a5f70c4e5007045ab456ff14d473f1ac58264726b2782dd8.png
Earlier this year we uncovered #Paragon's Android spyware after #WhatsApp notified a group of users they'd been targeted with Paragon.
One of the notification recipients? Journalist Francesco Cancellato. His outlet http://fanpage.it had done bombshell reporting that displeased the Italian government.
https://blossom.primal.net/2d34f3ca05c248773b9f7230c9885afc8cc729a38915af01e3300ae38961b470.png
Then, in April, his colleague Ciro Pellegrino also gets a notification. His is from Apple (cannot overstate how helpful these notifications are). We analyze Ciro's iPhone & forensically confirm he's a Paragon target. And we find the ATTACKER1 iMessage account again!
https://blossom.primal.net/3afa6d81512eacede96d0fa843d1d3e8cdfdccdbbf19dfe5f8abf6bcca9d809e.png
ITALIAN DRAMA
This week #Paragon and #Italy have been locking horns over the case of Francesco Cancellato. Paragon doesn't want to be stuck w/unexplained abuses against journalists.
https://blossom.primal.net/7251a0f76e67272876ddc6fff8a48ac50a31e13b1f69a959e9ad6883d995567c.png
I think Paragon likely want to be able to put it on a customer & wash hands... But when your customer is a government... they clap back. So Italy has been threatening to declassify things like Paragon's testimony to their intelligence oversight committee. Spicy.
BIG QUESTION
We're left with a big question: who's hacking European journalists with Paragon? Who targeted Francesco & Ciro? Right now they have no answers. Bad look for Paragon. Bad look for Italy. Curious what Paragon knows about that server...
BIG PICTURE
Paragon's marketing was the 'clean' & stealthy opposite of NSO Group. Yet Paragon's Apple and Android tech got caught. And they can't shake a spyware abuse scandal. Conclusion: the problem isn't just a few bad apples, abuse is axiomatic. And discovery is a matter of time.
APPLE USERS:
One bit of good news, Apple tells us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1. That's #CVE-2025-43200 for the curious.
https://blossom.primal.net/6f7137d1c02dc47599fcdbe95d1baa9ec3b90a434d02a42331d25a63179d2d4c.png
Make sure to keep your iPhones up to date. And get in touch if you get one of these advanced threat notifications.
OUR FULL REPORT: https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/

jsr: "@grok is this true?"

jsr: Pizza places near Pentagon showing a *lot* of activity. That favorite conflict indicator coupled with sudden cascade reports of US embassy evacuations & non-essential personnel voluntary departures + rhetorical change in statements about talks with Iran... it's enough to make a lot of people start speculating about threats of strikes into Iran.
Disclaimer: Me? I'm not even an armchair geopolitical expert. And I'm certainly not smart enough to know if this is just signaling, or whether something happens soon. Or a bit later.
https://blossom.primal.net/c9ad2618f2217a17dcddacc0c3341a61dbe2c9346c1231f3003e6864e7a34588.png
https://blossom.primal.net/afc0fcaefd87949ca766578a96872e99d1cfd6df1a2b22ac637a7cb76fd6cd39.png

jsr: @grok what does @nprofile…rj62 mean?

jsr: "@grok just tell me what to think, feel and say about this"

jsr: Tried and failed to zap. Very good additional point

jsr: Yeah, good point. I'm a big believer in sharing when asked too 😉 In this case the problem is that this sort of thing isn't scalable. It's knowledge friction.