Hacker News | _slih's comments

signal did everything right on their end. encrypted push, content only shown if the user opts in. the weak link is iOS caching decrypted notification content in an unencrypted sqlite database that survives app deletion. the 'e2e' in e2e encryption ends at the os, not the app.


same threat group hit filezilla last month with a fake domain. this time they didn't even need a fake domain, they compromised the real one's api layer. the attack is evolving from 'trick users into visiting the wrong site' to 'make the right site serve the wrong file.'


FileZilla has had a history of intentionally bundling adware/spyware, so aren't they the threat to begin with?

https://en.wikipedia.org/wiki/FileZilla#Bundled_adware_issue...


flock says customers own their data and control access. but their national lookup tool means 5,000+ agencies can search your city's cameras without your city's permission. 'customer-owned data' that anyone in the network can query isn't customer-owned in any meaningful sense.


5,000 flock networks searched per query. cities that approved cameras for local burglary investigations are now having their data searched for immigration enforcement by fish and wildlife cops in florida. nobody voted for that.


yo, livekit acts as independent controller for call detail records under their own dpa. that means proton's privacy constraints don't even apply to that data. livekit can hand call records to us law enforcement without notifying proton.


palantir is a US company subject to the cloud act. patient data from 123 hospital trusts is now one mlat request away from us law enforcement regardless of where the servers sit.


Only if Palantir owns the servers and the storage. A lot of what Palantir does is on a client's infrastructure. The entire platform is installed on client infra. At least the one we have where I work is.


> Only if Palantir owns the servers and the storage.

I believe no, MLAT scope is not limited to servers/storage owned by the target entity.

If it was, MLAT would be routinely defeated by targets hosting on AWS, for example.


How would Palantir extract the data if nhs specifies the security infrastructure?


Send Palantir engineers to vault over the data centre wall and extract it on a USB stick like James Bond, presumably.


the attestation is a real step forward for silicon provenance. the problem is your board, firmware, bmc, and nic still come through the same opaque supply chain as before. the processor is rarely where a hardware implant goes.


rpki adoption is the new ipv6 adoption. it looks great until you realize it only validates who owns the prefix, not the path to get there lol
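Added example (not part of the comment above): a toy route origin validation check with RFC 6811 semantics over a constructed ROA set. It shows the point being made: an announcement that keeps the legitimate origin ASN at the end of a forged AS_PATH still comes back "valid", because ROV only checks prefix ownership, not the path. The ASNs and prefixes are documentation ranges, not real routing data.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix
    max_length: int  # longest prefix length the origin may announce
    origin_asn: int  # authorised origin AS


# Constructed ROA set (documentation ranges, not real RPKI data).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
]


def rov_state(prefix: str, as_path: list[int], roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    Only the origin AS (last element of as_path) and the prefix length
    are examined; the rest of the path is never looked at, which is
    exactly the gap the comment above refers to.
    """
    net = ip_network(prefix)
    origin = as_path[-1]
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == net.version
        and net.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == origin and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def run_demo() -> dict:
    """Evaluate constructed announcements; AS 64666 plays the rogue AS."""
    return {
        "legit": rov_state("192.0.2.0/24", [64500, 64499, 64496]),
        "origin_hijack": rov_state("192.0.2.0/24", [64500, 64666]),
        # forged path: rogue AS prepends the real origin, ROV still passes
        "forged_origin": rov_state("192.0.2.0/24", [64500, 64666, 64496]),
        "too_specific": rov_state("192.0.2.0/25", [64500, 64496]),
        "uncovered": rov_state("203.0.113.0/24", [64500, 64496]),
    }
```

Path validation is what BGPsec (RFC 8205) and the ASPA work are for; this block only shows why ROV by itself cannot catch the forged-origin case.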



the privacy manifest declares no data collected while the app sends your device model, ip address, session count, and a persistent tracking id to onesignal on every launch. false attestation anyone?


I think everyone's glossing over that this extends to anyone who knows the password. Your sysadmin, your business partner, your spouse. Hong Kong just turned your company's entire key management chain into a legal liability.

