jsr
609f186ca023d658c0fe019570472f59565c8be1dc163b1541fac9d90aa4e8af
Chasing digital badness at the citizen lab. All words here are my own.

Anyone come across good analyses of new US #tariffs .

Longer term projections a bonus. #AskNostr

Thoughtful design that addresses one of the biggest issues around VPN use & privacy: a single chokepoint of possible privacy failure & exposure to demands for access.

There are still lots of things VPNs don't do... that people think they do... but this kind of thing is nudging consumer VPNs closer towards what people imagine when they use them :)

Example of what people think VPNs do but they don't: hiding you from most websites you visit. Unless you are actively resisting things like browser fingerprinting, cookies & trackers, and never logging in, you're still identifiable to most of the sites you visit.

Here's another: a state can still find you if you use a VPN. Trivially, if they can get enough traffic logs. For example, if SERVICE A still has an IP address + time pairing associated with you that is uniquely identifiable (e.g. you touch your email inbox over your VPN connection), then there's a good chance that a state can quickly associate you with your other activity on SERVICE B. All they need to do is make a legal request that SERVICE A complies with. Then they see what IP is associated with you at that time, maybe get your user agent & a few other things and... boom.
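The IP + time join described in the post above, as an added example that is not part of the original post. It runs offline over constructed log lines (made-up accounts, pseudonyms, timestamps and RFC 5737 documentation IPs) and shows why a shared VPN exit IP alone can leave several candidates while one extra weak signal such as the user agent narrows it to one:

```python
"""Constructed log lines only: accounts, pseudonyms, timestamps, IPs and
user agents below are made up for illustration."""
from datetime import datetime, timedelta

# SERVICE A: an authenticated service (e.g. a mail provider). It knows who
# you are and records the source IP of each session, VPN exit IP included.
SERVICE_A_LOGS = [
    # (account, source_ip, timestamp, user_agent)
    ("alice@example.org", "203.0.113.7", "2025-03-01T10:02:11Z", "Firefox/128.0 Linux"),
    ("bob@example.org",   "203.0.113.7", "2025-03-01T10:01:30Z", "Safari/605.1 iPhone"),
    ("carol@example.org", "198.51.100.9", "2025-03-01T10:03:50Z", "Firefox/128.0 Linux"),
]

# SERVICE B: a pseudonymous service (e.g. a forum). It only ever sees the
# shared VPN exit IP, a pseudonym and a user agent.
SERVICE_B_LOGS = [
    # (pseudonym, source_ip, timestamp, user_agent, action)
    ("anon_7731", "203.0.113.7", "2025-03-01T10:03:02Z", "Firefox/128.0 Linux", "posted document"),
    ("anon_9054", "203.0.113.7", "2025-03-01T15:00:00Z", "Firefox/128.0 Linux", "posted document"),
]


def _ts(s: str) -> datetime:
    """Parse the simplified ISO 8601 UTC timestamps used in the sample logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(a_logs, b_logs, window=timedelta(minutes=5), use_user_agent=True):
    """Map each SERVICE B pseudonym to the set of SERVICE A accounts seen from
    the same IP within `window` of the pseudonym's activity.

    With a shared VPN exit IP, IP + time alone can leave several candidates;
    a second weak signal (here the user agent) is often enough to pick one.
    An empty set means nothing in SERVICE A's logs lines up in time.
    """
    matches = {}
    for pseud, ip_b, t_b, ua_b, _action in b_logs:
        candidates = set()
        for account, ip_a, t_a, ua_a in a_logs:
            if ip_a != ip_b:
                continue
            if abs(_ts(t_a) - _ts(t_b)) > window:
                continue
            if use_user_agent and ua_a != ua_b:
                continue
            candidates.add(account)
        matches[pseud] = candidates
    return matches


if __name__ == "__main__":
    print("IP + time only:", correlate(SERVICE_A_LOGS, SERVICE_B_LOGS, use_user_agent=False))
    print("IP + time + UA:", correlate(SERVICE_A_LOGS, SERVICE_B_LOGS))
```

With IP and time only, anon_7731 collapses to both accounts that were on the exit IP at that minute; adding the user agent leaves alice alone. anon_9054 gets no candidate because no SERVICE A session falls inside the window, which is exactly the case where a requester asks for a wider time range or a third service.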

I've spent my adult life thinking about defending digital privacy.

Yet until a few years ago, financial freedom & privacy was barely on my radar.

This would have probably continued but for a handful of good humans that took the time to talk me through things.

Thanks to thinking they kicked off for me, I now think that individual access to aspects of financial freedom & privacy are necessary to a healthy society.

Why did it take so long? Well, there was a failure of adversarial imagination on my part.

And partly because if you aren't actively asking hard questions, this state of affairs will be hidden from you.

The financial system & how it is taught is set up to hide structural privacy violations & disempowerment.

I'm pretty sure my ignorance was closer to the norm than the exception.

But when you completely restrict financial privacy & freedom, you disempower people...constantly.

And it will keep eroding & blocking the exercise of other core rights.

Until this changes & awareness grows, we're stuck paying the price for it in a thousand ways.

Shoutout to nostr:nprofile1qythwumn8ghj7mn0wd68ytnxd46zuamf0ghxy6t6qy28wumn8ghj7mn0wd68ytn00p68ytnyv4mqqgzccaq65ccv9k3454480sws2wqepz73q5z0m5kckslhyhh6d533jc25xncl for getting & keeping the intellectual ball rolling for me. And to all the good humans that have helped me along the way since. Thank you. You know who you are.

Painting : Egon Schiele, Four Trees, 1917.

I hear what you are saying, and agree that this kind of advanced data collection probably is not necessary.

My view is: don't underestimate the power of these industries.

Consider that there's a difference between what kind of invasiveness might be needed.... and what will be instantly sought & probably granted.

Getting concrete. The cheaper bids on contracts will probably be because they rely heavily on more automated approaches... And to make that work, they are going to want data.

I hear you. I worry that a goldrush of some of the shadiest companies will happen in a blink.

Surveillance-oriented-companies love nothing more than areas where people *have to hand over data*.

And the "we need this data to keep people safe" fear thing is going to be a godsend.

If we aren't demanding that concerns about safeguards, limits & accountability are included in every step of the conversation now...it will be 100x harder to get them in place once big companies & lobbyists have set the terms of the game.

Most folks don't love security theater & everyone has had a bad time at a screening checkpoint.

So, let's think for a second about hypothetical private-#TSA companies.

I'd expect them to gravitate towards AI-assigned individual risk ratings to minimize the cost of hiring & training people to interact with travelers.

To create ratings, I'd expect them to demand & consolidate invasive pools of our biometrics, web browsing, commenting, purchasing, movements & private lives.

Just don't call it a "social credit score"

You can bet they'll pivot to trying to monetize their data.

2026: We're a terminal security company

2029: We're a person rating company

Would these ratings make their way into other parts of our lives & things we want to visit?

And who exactly would stand up for us when the ratings are wrong? Or when our data is shipped to foreign buyers?

Who holds #PrivateTSA companies accountable? The US doesn't have strong #privacy protections...

I'm also not optimistic about private sector security companies' ability to stop breaches. History backs me up here.

But I do expect that private-TSA companies could use lobbying to limit oversight & accountability.

That's been the history of other privacy-invasive tech companies.

So, as an airline security privatization conversation kicks off, remember that it can't just be "current thing is bad" but needs to consider what kind of future we're inviting in.

Haven't listened. Do you have a suggested track?

What's your best focused work music?

I'm getting habituated to mine.

Please drop a link.


🚨NEW REPORT: first forensic confirmation of #Paragon mercenary spyware infections in #Italy...

Known targets: Activists & journalists.

We also found deployments around the world. Including ...Canada?

So #Paragon makes zero-click spyware marketed as better than NSO's Pegasus...

Harder to find...

...And more ethical too!

This caught our attention at #Citizenlab. And we were skeptical.

So.. it was time to start digging.

We got a tip about a single bit of #Paragon infrastructure & my brilliant colleague Bill Marczak developed a technique to fingerprint some of the mercenary spyware infrastructure (both victim-facing & customer side) globally.

So much for invisibility.

What we found startled us.

We found a bunch of apparent deployments of Paragon's mercenary spyware in places like #Australia, #Denmark, #Israel, #Cyprus, #Singapore and... #Canada.

Fun.

We also found interesting stuff at a datacenter in #Germany

Caveats: the methodology we use only surfaces a subset of customers at a particular time.

So ...about #Canada.

My colleagues on the legal side began digging. The more they pulled, the more questions surfaced about whether the Ontario Provincial Police is rolling mercenary spyware.

While investigating, we found signs #WhatsApp was being used as a vector for infections.

We shared our analysis with Meta which had an ongoing investigation into Paragon.

They shared findings with WhatsApp which discovered & mitigated a zero-click attack.

They went public, and notified ~90 users that they believed were targeted.

WhatsApp's notifications to targets turbocharged what we all knew about #Paragon.

Cases began coming out: an investigative journalist in #Italy and sea rescue activists were among the first. Francesco Cancellato, Editor in Chief of Fanpage.it, & Luca Casarini and Dr. Giuseppe “Beppe” Caccia of Mediterranea Saving Humans.

They consented to us doing a forensic analysis...

Sure enough, we found traces of infection on several Androids.

We call the indicator #BIGPRETZEL & #WhatsApp confirms that they believe BIGPRETZEL is associated with #Paragon's spyware.

In the weeds a bit: Android log forensics are tricky. Logs get overwritten fast, are captured sporadically & may not go back very far. So, not finding BIGPRETZEL on a targeted phone wouldn't be enough to say it wasn't infected. In such a case, the only safe course of action for a notified Paragon target would be to presume they had been infected.

Our analysis is ongoing.

...but there's more!

We'd been analyzing the iPhone of human rights activist David Yambio, who focuses on abuses against migrants in Libya (they are often victims of torture, trafficking, and killings) and who works closely with the other targets.

Last year he got notified by Apple that he was targeted with sophisticated spyware.

We've forensically confirmed the infection & shared details with Apple.

Apple confirms they fixed the vectors used to target him as of iOS 18.

We're not doing a full technical attribution of this novel spyware to a particular company yet. But it's not like anything we've seen.

Troublingly, the timeline of David's spyware targeting lines up with when he was providing information to the International Criminal Court about torture by human traffickers in #Libya.

But there's even more spying afoot against this cluster of activists!

Luca also got a notification last February about targeting with a different kind of surveillance tech.

He wasn't alone. Father Mattia Ferrari, chaplain of Luca's lifesaving organization, also got a notification.

#Italy's response to the unfolding #Paragon scandal has been exceptionally chaotic. So we included a little timeline.

Denials, then admissions, then refusals to say more citing secrecy.

Honestly, deja vu of how Pegasus-abusing governments have handled PR...

TAKEAWAYS:

TAKEAWAY 1: you can't abuse-proof mercenary spyware. Selling just democracies won't prevent abuses. Most democracies have plenty of historic examples of surveillance abuses. Why should spyware be different?

TAKEAWAY 2: #Paragon's technical tradeoffs to be less detectable didn't prevent them getting discovered.

Just made it harder.

TAKEAWAY 3: I think we're only looking at the tip of the #Paragon hackberg

For example, the ~90 notification number from #WhatsApp only represents 1 infection vector that got caught & notified.

There may be non-notified spyware victims walking around right now who were infected via a different mechanism.

In #Italy, too, we also need to better understand the other surveillance technologies pointed at this cluster of people.

Finally, we gave #Paragon room to respond to a summary of our key findings.

Their US Executive Chairman, a 30+ year #CIA veteran, responded in a way that sounded very familiar to how NSO Group did PR.

1 - Say there are inaccuracies...

2 - ...but refuse to specify them.

3 - Cite customer confidentiality as a reason to not say more.

We welcome any clarifications they have now that they've read our full report.

FINAL NOTES: our #citizenlab investigations are usually big, collaborative team productions. Smart co-authors, awesome collaborators.

The key to nearly all our research into spyware is targets' brave choice to speak out.

And work with us to forensically analyze their devices... We are very grateful to them.

This is how we collectively get a better understanding of mercenary spyware abuses.

And journey towards accountability.

Thanks for reading! Drop questions in the replies!

READ THE FULL REPORT https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/
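The "absence of the indicator is not absence of infection" point from the thread above, as an added example that is not part of the original thread or the Citizen Lab report. It runs offline over constructed Android-style log dumps with a placeholder pattern (HYPOTHETICAL_INDICATOR; the real BIGPRETZEL artifact is not reproduced here) and a made-up notification date, and shows how a triage script should refuse to call a device clean when the retained logs do not actually cover the window of interest:

```python
"""Constructed inputs only: the log lines, the notification date and the
indicator pattern are all made up. HYPOTHETICAL_INDICATOR stands in for a
real forensic artifact and is not the BIGPRETZEL indicator."""
import re
from datetime import datetime, timedelta

INDICATOR = re.compile(r"HYPOTHETICAL_INDICATOR")  # placeholder, not the real artifact

# Date the (constructed) target received a platform notification.
NOTIFIED_AT = datetime(2025, 1, 31, 12, 0, 0)

# Simplified "YYYY-MM-DD HH:MM:SS message" dumps, oldest first is not assumed.
LOGS_WITH_HIT = [
    "2025-01-20 09:12:01 system_server: boot completed",
    "2025-01-22 14:03:55 WhatsApp: message received",
    "2025-01-22 14:04:02 HYPOTHETICAL_INDICATOR component started",
    "2025-01-29 08:00:10 system_server: boot completed",
]

# Retained logs begin only three days before the notification.
LOGS_SHORT_WINDOW = [
    "2025-01-28 19:30:00 system_server: boot completed",
    "2025-01-29 08:00:10 WhatsApp: message received",
    "2025-01-31 11:00:00 system_server: boot completed",
]

# Retained logs reach back through the whole window with no large gaps.
LOGS_LONG_WINDOW = [
    "2025-01-02 10:00:00 system_server: boot completed",
    "2025-01-07 10:00:00 WhatsApp: message received",
    "2025-01-12 10:00:00 system_server: boot completed",
    "2025-01-17 10:00:00 WhatsApp: message received",
    "2025-01-22 10:00:00 system_server: boot completed",
    "2025-01-27 10:00:00 WhatsApp: message received",
    "2025-01-31 11:00:00 system_server: boot completed",
]


def parse_logs(lines):
    """Return (timestamp, message) pairs sorted by time."""
    entries = []
    for line in lines:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        entries.append((ts, line[20:]))
    return sorted(entries)


def assess(lines, notified_at, lookback=timedelta(days=30), max_gap=timedelta(days=7)):
    """Classify a log dump for a notified target.

    FOUND                  - the indicator is present (with its first timestamp)
    NOT_FOUND_COVERED      - absent, and logs span the lookback window with no
                             gap longer than `max_gap`
    NOT_FOUND_INCONCLUSIVE - absent, but the logs cannot rule out an infection
                             because they start too late or have large gaps
    """
    entries = parse_logs(lines)
    hits = [ts for ts, msg in entries if INDICATOR.search(msg)]
    if hits:
        return "FOUND", hits[0]

    window_start = notified_at - lookback
    in_window = [ts for ts, _ in entries if window_start <= ts <= notified_at]
    if not in_window or in_window[0] - window_start > max_gap:
        return "NOT_FOUND_INCONCLUSIVE", "retained logs do not reach back to the start of the window"

    # Logs are captured sporadically; a long silent stretch is a blind spot,
    # not evidence that nothing happened.
    checkpoints = [window_start] + in_window + [notified_at]
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        if later - earlier > max_gap:
            return "NOT_FOUND_INCONCLUSIVE", f"{(later - earlier).days}-day gap in log coverage"
    return "NOT_FOUND_COVERED", "indicator absent and log coverage spans the window"


if __name__ == "__main__":
    for name, dump in (("with hit", LOGS_WITH_HIT), ("short", LOGS_SHORT_WINDOW), ("long", LOGS_LONG_WINDOW)):
        print(name, assess(dump, NOTIFIED_AT))
```

Only the third verdict is an actual negative. The lookback and gap thresholds are assumptions for the example; in practice they depend on the platform's log retention and on how early the targeting could have started, and a target in the inconclusive case should be treated as infected, as the thread says.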

NEW: Italian gov reportedly admits it targeted activists with #Paragon mercenary spyware.

After ~2 months that began with denials & slid into evasions, some clarity finally came. But only some...

The spyware targeting of journalist Francesco Cancellato, the first case to come forward after he got notified by #WhatsApp at the end of January, is still unexplained.

We at #Citizenlab have been investigating the case & working with targets. We published a forensic investigation last week. Lots of unanswered questions.

Company Background:

The company frames itself as the anti-NSO Group (the notorious Israeli spyware company that makes Pegasus spyware). More stealthy. More ethical. Well, they got caught & they now have a big scandal.

Like NSO, Paragon also originates out of alumni from the Israeli intelligence community but was recently acquired by a US defense contractor.

Up Next?

As long as clarity is incomplete... the #Paragon scandal isn't going away for #Italy ... and Italy is going to remain a major pain for the mercenary spyware company.

Report: https://www.euractiv.com/section/politics/news/spyware-scandal-italian-government-reportedly-admits-targeting-activists/

https://primal.net/e/nevent1qqs8us77wawnjryeacpq0cup22pvwdnhyv6k69fmkadf5r34rppp7usyhlr4e

So, more journalists were just targeted with #Pegasus spyware.

This time journalists in #Serbia that were investigating corruption.

“In Serbia, you can hire a hitman for a half of the money...what else would they be prepared to pay for?!” - a spyware-targeted reporter.

Indeed.

Notice that the targeting is happening over a messenger program with a link, not a zero-click?

The why is unclear. Maybe Pegasus didn't have a working exploit against those phones. Or maybe the customer didn't get the platinum zero click package and so had to do some social engineering. Interesting.

BACKGROUND:

This is the THIRD report of Pegasus abuses in Serbia in 2 years.

And nearly a decade after the first Pegasus abuses got reported, NSO Group is still fueling attacks against freedom of speech.

We're here because spyware companies still don't feel meaningful consequences.

And DC is home to a seemingly-infinite number of lobbyists that are willing to help them try to get off sanctions lists...

READ THE REPORT by Amnesty Tech & BIRN. https://securitylab.amnesty.org/latest/2025/03/journalists-targeted-with-pegasus-spyware/

BREAKING: more journalists targeted with #Pegasus spyware.

This time journalists in #Serbia that were investigating corruption.

Private data & passwords for US officials found online?

Sure. This is true for every official, regardless of party.

And you, if you're an American reading this.

The US hasn't enacted serious privacy protections for citizens.

This is a consequence.

Companies intrusively soak up your personal data, get breached, and nobody blinks.

Breaches are one of the first places attackers go when they want to target.

This is why password re-use is dangerous. And two factor authentication is key.

If your favorite 'strong password' is in a breach, an attacker is going to try it against every other account you have.

Story: https://www.spiegel.de/international/world/hegseth-waltz-gabbard-private-data-and-passwords-of-senior-u-s-security-officials-found-online-a-14221f90-e5c2-48e5-bc63-10b705521fb7
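The breach-corpus check behind the advice above, as an added example that is not part of the original post. It implements the k-anonymity range lookup used by the Pwned Passwords API (SHA-1 the password, send only the first five hex characters, compare the rest locally) against a constructed stand-in corpus so it runs offline; the sample passwords, their counts and the minimum-length policy are assumptions for the example:

```python
"""Constructed breach corpus only: the passwords and counts below are made up.
The range endpoint is stubbed so nothing leaves the machine."""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(h: str):
    """Only the 5-char prefix is ever sent; the 35-char suffix stays local."""
    return h[:5], h[5:]


# Stand-in for the breach corpus: passwords we pretend appeared in breaches.
_CONSTRUCTED_BREACH_CORPUS = {
    "password123": 126927,
    "letmein": 80000,
    "Spring2025!": 17,
}


def _build_range_index(corpus):
    """Group suffix:count lines by prefix, mirroring the real response shape."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index[prefix].append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in index.items()}


_RANGE_INDEX = _build_range_index(_CONSTRUCTED_BREACH_CORPUS)
SENT_PREFIXES = []  # records what the "network" saw, to show nothing else leaks


def constructed_range_api(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    SENT_PREFIXES.append(prefix)
    return _RANGE_INDEX.get(prefix, "")


def breach_count(password: str, range_lookup=constructed_range_api) -> int:
    """Number of times `password` appears in the corpus, 0 if never seen."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_is_safe_to_use(password: str, range_lookup=constructed_range_api, min_length=12):
    """Policy check: reject short passwords and anything seen in a breach."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"seen {seen} times in breaches; assume attackers will try it everywhere"
    return True, "not seen in the breach corpus"


if __name__ == "__main__":
    for pw in ("password123", "Spring2025!", "correct horse battery staple"):
        print(pw, password_is_safe_to_use(pw))
    print("prefixes sent:", SENT_PREFIXES)
```

The point of the prefix split is that the lookup service learns a 5-character bucket shared by many hashes, never the password or its full hash, so the check can be run against a third party without handing over the secret. A breached-but-long password still fails the policy, which is the credential-stuffing case the post describes.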

Datapoint: this administration uses Signal. Like every other administration.

Because encrypted messaging is critical infrastructure.

Remember this the next time a government demands an encryption backdoor.

How did a reporter get added? Well, the use of encrypted chat is ubiquitous but not explicitly accepted, supported or discussed in most institutions.

Which means users are left to fend for themselves in how they use & understand these tools.

And are usually about 1 mistake away from self-doxxing group contents.

This also left me wondering: is anyone screening these devices for mercenary spyware like Pegasus?

Experience tells me the answer is: maybe not.

Article: https://www.theatlantic.com/politics/archive/2025/03/trump-administration-accidentally-texted-me-its-war-plans/682151/

Report: Researcher's device got searched at US border.

Turned away because he expressed a personal view in private about how scientists were being treated.

Seems like France is taking a dim view & speaking to the press as a signal of its displeasure.

(Machine translated)

Original (FR): https://www.lemonde.fr/international/article/2025/03/19/etats-unis-un-chercheur-francais-refoule-pour-avoir-exprime-une-opinion-personnelle-sur-la-politique-menee-par-l-administration-trump_6583618_3210.html


Hey Hey! Update your iPhone today!

Apple just blocked an attack discovered by my Citizen Lab teammate Bill Marczak.

It allowed a bypass of Apple's USB Restricted Mode on locked devices.

Actively used by a sophisticated attacker.

Stay safe out there.

And avoid leaving your phones unattended.

https://support.apple.com/en-us/122174

Full biometric KYC for a sandwich.

Absolutely not, Jeff.

NEW: UK secretly demanded Apple build a backdoor into ALL encrypted iCloud accounts.

You haven't heard about this before because these orders are secret & there are typically bans on talking about them.

SHORT TERM IMPACT:

Apple will probably stop offering encrypted iCloud storage in the UK.

DETAILS:

The UK Home Secretary sent #Apple a so-called "Technical Capability Notice", which is a demand for access.

These flow from the 2016 Investigatory Powers Act (aka the "Snooper's Charter") and are a mechanism for the government to *compel* companies to provide access.

ENFORCED SILENCE:

Among the more pernicious parts of this secret demand: Apple would be *FORBIDDEN* from telling users that the backdoor had been introduced into iCloud's Advanced Data Protection.

BIG PICTURE:

The public really doesn't realize it, but cloud backups of phones are constantly used for surveillance. Huge #privacy & #encryption gap.

By introducing optional Advanced Data Protection, Apple extended similar protections of device encryption to users' clouds.

So, since ADP was introduced in 2022, governments have been scheming to undermine it.

LOOKING INTO THE FUTURE:

It's only a matter of time before governments try to target Private Cloud Compute. And do so with the same secret legal tools.

REPORT:

https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/