npub1vm68...srrc
An Analysis of GrapheneOS's Server Infrastructure
GrapheneOS maintains a highly secure mobile operating system, yet its supporting server infrastructure reveals significant inconsistencies with the project's stated privacy values.
Despite claims of a transition in leadership, evidence suggests that Daniel Micay remains the central figure, as he is listed as the sole funding recipient and continues to be identified in corporate records as a director.
The project's server infrastructure relies on Arch Linux, a rolling-release distribution that lacks the immutability and verified boot features prioritized in the phone's security model.
Contrary to the project's philosophy of minimizing attack surfaces, GrapheneOS servers are configured with full software suites, including unnecessary tools like compilers and package managers.
GrapheneOS built a global DNS network to ensure independence, yet public configuration files reveal that all queries are forwarded to Cloudflare, exposing user traffic to third-party monitoring.
The project migrated its hosting from France to the United States to avoid EU surveillance legislation, despite the U.S. having an expansive surveillance apparatus and legal frameworks like FISA.
The project suffers from a low 'bus factor,' as critical infrastructure and update signing keys appear to be controlled by a single individual rather than a distributed organization.
There is a notable discrepancy between the rigorous adversarial security of the GrapheneOS mobile OS and the pragmatic, less secure approach taken toward its server scaffolding.
While GrapheneOS provides robust mobile security through features like the Titan chip and memory hardening, its community infrastructure lacks demonstrated redundancy or succession planning.
GrapheneOS functions more as an individual's project serving 400,000 users rather than the collective, board-governed organization suggested by its public framing.

Write.as
An Analysis of GrapheneOS's Server Infrastructure
Proton Mail now allows you to connect Gmail accounts directly to its platform.
Proton Mail, the renowned service focused on email privacy has enabled a feature that makes it easy for users to link their Gmail accounts directly within the Proton service.
This allows users to manage messages, send emails using their Gmail address, and automatically receive new messages from that account directly in their Proton Mail inbox.
This option is particularly appealing to those who wish to start using a more privacy-respecting service without abruptly abandoning their Gmail address—whether out of necessity or for any other reason.
Incoming emails are stripped of trackers, ads, and spam; furthermore, when sent to other Proton users, they remain protected against external access.
Additionally, this feature allows users to centralize everything in a single location while transitioning services gradually.
The connection process is initiated via the account settings menu, and the feature is currently being rolled out gradually to all users.
While this offers an interesting transitional solution for some users, it is worth noting that Google continues to scan emails arriving at the original Gmail account; consequently, this feature does not eliminate the inherent privacy concerns associated with that service.
Proton previously allowed users to link or import emails from Gmail using its migration tools; however, those tools only retrieved existing messages either manually or in batches. Now, users can also send emails using their Gmail address directly from the Proton interface.

Proton
You can now use your Gmail account in Proton Mail | Proton
Switch from Gmail to Proton Mail and send and receive emails in one place. No more toggling between inboxes.
DO NOT use Telegram in sensitive applications
Telegram's MTProto: Assessing Deanonymization Potential for a Network Attacker (GNMX-01)
https://symbolic.software/pdf/gnmx-01.pdf
Telegram's MTProto protocol transmits the auth_key_id, a persistent 64-bit device identifier, in cleartext or trivially obfuscated form.
Both Telegram for Android and Telegram Desktop transmit MTProto over unencrypted TCP connections, despite the availability of secure transport alternatives.
The auth_key_id remains constant across application restarts, network changes, and extended periods, enabling long-term device tracking by any passive network observer.
The vulnerability exists at the transport layer, meaning it affects all Telegram users, including those utilizing end-to-end encrypted Secret Chats or Perfect Forward Secrecy.
Perfect Forward Secrecy does not prevent tracking because temporary authorization keys are observable and linkable across key rotations through timing and session correlation.
The use of port 443 by Telegram Desktop creates a deceptive appearance of security, as it does not implement actual TLS encryption, potentially misleading users and automated security tools.
Passive network observers, such as ISPs, network administrators, and state-level actors, can extract these identifiers without needing active attacks or protocol manipulation.
The persistence of the auth_key_id undermines anonymity tools like VPNs, as the identifier remains constant even when routing through such services.
Telegram is architecturally responsible for this vulnerability due to its decision to forgo mandatory transport-layer encryption, a standard practice for other messaging platforms.
The recommended technical solution is for Telegram to implement mandatory TLS for all MTProto connections, which would effectively eliminate the tracking capability with minimal impact.
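The paper's point that port 443 without TLS misleads automated tools suggests a simple network-side check. The following is an added example, not code from the paper or from Telegram: it classifies the first client bytes of a TCP flow and flags flows to 443 that do not begin with a TLS ClientHello. The MTProto prefixes are the ones Telegram documents for its unobfuscated TCP transports; the obfuscated transport has no fixed prefix and falls through to "unknown" (still flagged on 443). The flows below are constructed, not captured traffic.

```python
# Added example: flag port-443 flows whose payload does not start with TLS.
from typing import List, Optional, Tuple

def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x0[0-4],
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)

def classify_first_bytes(data: bytes) -> str:
    """Label the start of a client-to-server TCP stream."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if data[:4] == b"\xee\xee\xee\xee":        # MTProto intermediate transport
        return "mtproto-intermediate"
    if data[:4] == b"\xdd\xdd\xdd\xdd":        # MTProto padded intermediate
        return "mtproto-padded-intermediate"
    if data[:1] == b"\xef":                    # MTProto abridged (1-byte prefix,
        return "mtproto-abridged"              # confirm with more context in production)
    return "unknown"

def flag_flow(dst_port: int, first_bytes: bytes) -> Optional[str]:
    """Alert text for a flow to 443 whose payload does not start with TLS."""
    kind = classify_first_bytes(first_bytes)
    if dst_port == 443 and kind != "tls":
        return f"port 443 without TLS ({kind}): identifiers may be readable on the wire"
    return None

def scan_flows(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """flows: (source, dst_port, first payload bytes) -> list of alert lines."""
    alerts = []
    for src, port, data in flows:
        msg = flag_flow(port, data)
        if msg:
            alerts.append(f"{src}: {msg}")
    return alerts

# Constructed sample flows (not captured traffic)
SAMPLE_FLOWS = [
    ("10.0.0.5:51000", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.0.7:51001", 443, b"\xee\xee\xee\xee\x10\x00\x00\x00" + bytes(16)),
    ("10.0.0.9:51002", 443, b"\xef\x0a" + bytes(40)),
    ("10.0.0.9:51003", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for line in scan_flows(SAMPLE_FLOWS):
        print(line)
```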
Question:
"Everyone in the world has to take a private vote by pressing a red or blue button. If more than 50% of people press the blue button, everyone survives. If less than 50% of people press the blue button, only people who pressed the red button survive. Which button would you press?"
I fully understand that red is the "rational" answer from the perspective of one-shot non-cooperative dominance reasoning, but I'm also very relieved that models like Claude Opus 4.7 answer blue. When it comes to what values systems that might have power over you in the future will defend, you really want to err on the side of caution.
To see why, ask yourself what sort of friends you would rather have when all hell breaks loose, the sort of friends who would vote red or friends who would vote blue?
"Defection is a vote for an outcome where lots of trusting people die, and the cynical inherit the earth."
- Claude
On a grander scale, the question becomes, in what sort of civilization/society do you want to live? An altruistic or an egotistic society? What kind of mind can even see non-kin cooperation as natural rather than insane? Or, said differently, what are the evolutionary and psychological preconditions for cooperation?
Hyper-strategic kin-selection creatures might never be able to cooperate on a scale large enough to leave their planet because they are stuck in the defection equilibrium of pure dominant-strategy reasoning. A purely fitness-maximizing, kin-selected mind treats blue as madness. A human-like cooperative mind can treat blue as honor, morality, solidarity, or team reasoning.
The worlds in which most decision algorithms output blue are those worlds that escaped into a basin where non-kin cooperation is stable. Altruism in the deep sense isn't genetic relatedness; it's correlated decision procedures. It's the only equilibrium that opens the positive-sum space of cooperative civilization at all.
Mullvad VPN Keeps Improving
Mullvad will soon launch a new feature in its iOS app that forces all internet traffic from apps to pass through the VPN tunnel.
This resolves a known issue within Apple's system that allowed for data leaks in certain situations.
The option internally codenamed "Force all apps" enables a setting that blocks any connection outside of the VPN.
However, it comes with a drawback: when enabled, app updates may fail, potentially leaving the device without an internet connection until it is restarted.
To avoid this, users will need to disconnect the VPN or temporarily disable this feature before updating.
Mullvad encourages affected users to report the bug to Apple so that it can be fixed. This improvement will be available in the next version of the app.

Mullvad VPN
Force all app traffic into the tunnel | Mullvad VPN
Scooter Knowledge Base
This repository collects and organizes information about electric scooter setup, maintenance, and troubleshooting. The primary source material is a large Telegram conversation exported from the "VESC help" group.
The goal of the project is to extract practical knowledge from the chat logs and document it in a structured, reusable format.
VESC is short for Vedder Electronic Speed Controller. It is an open-source, open-hardware motor speed controller that allows for advanced customization via software (such as the VESC Tool app). It is commonly used in electric scooters, skateboards, electric bicycles, and robotics projects to provide precise control, regenerative braking, and sensorless operation, overcoming the limitations of standard closed controllers.
The knowledge/processed/themes/ directory contains 72 professionally formatted documents covering:
– 28 brand dossiers covering controllers, motors, and BMS systems from manufacturers like Spintend, Flipsky, Makerbase, 3Shul, and more.
– 44 comprehensive guides including:
  – VESC tuning and parameter optimization
  – Battery pack design and BMS integration
  – Motor cooling and thermal management
  – Conversion guides for popular scooter models (Ninebot, Xiaomi, etc.)
  – Brake upgrades and maintenance
  – Field weakening and high-voltage setups
  – Diagnostic tools and troubleshooting
All documents use a consistent, readable format with:
– Clean footnote citations linking back to source material
– Well-organized sections with proper headings
– Tables and checklists for quick reference
– Preserved technical accuracy from the original discussions
GitHub
GitHub - firebl0od/Scooter_Knowledge: compilation of telegram group chat and knowledge extracted from them

USA FCC bans imports of new routers made in other countries, on national security concerns
The US Federal Communications Commission has just announced a ban on imports of "all consumer-grade routers produced in foreign countries," which would be... almost all of them, except that the rule only affects new routers that haven't yet received FCC authorization.
https://www.fcc.gov/document/fcc-updates-covered-list-include-foreign-made-consumer-routers
Last year, news broke that Government officials had been considering banning sales of TP-Link routers manufactured in China, ostensibly because of concerns that they could pose risks to national security. But the FCC's announcement goes much, much further by "prohibiting approval of new models" of any router manufactured outside the United States.
https://www.washingtonpost.com/technology/2025/10/30/tp-link-proposed-ban-commerce-department/


Liliputing
FCC bans imports of new routers made in other countries, on national security concerns - Liliputing

Buy a GPU
Mullvad will shut down its privacy-focused search proxy, Leta, on November 27, 2025
My X account has been suspended due to inauthentic behaviors.
This has never happened to me before; has anyone else experienced this, and will I be able to recover my account?
A programmer has revealed that his side project is “going for Satoshi’s wallet.”
He has shared a post on Substack outlining plans to use group-theory math and optimized elliptic-curve code to try to crack the Bitcoin founder’s keys.
https://www.reddit.com/r/hacking/comments/1nyr4x0/i_used_all_the_math_i_know_to_go_from_352_miilion/

If you're smart why are you poor? Elliptic Curve Edition
Using Group Theory to Speed up an Elliptic Curve Library from 352 million CPU years to 12 million CPU years
🧊 Hidden Firefox AI process consuming CPU resources?
Firefox browser users have encountered serious performance issues after the release of version 141. Initially, suspicion fell on the new "Smart Tab Grouping" feature using AI, but an official Mozilla investigation (Bug 1982278) showed that the abnormally high CPU load is caused by another component, namely the hidden pilot experiment "Semantic Search in History" (places.semanticHistory). The "Smart Tab Grouping" has nothing to do with this.
Everything was fine just yesterday. Today I opened Firefox, and as a result, there were sharp spikes in CPU load and power consumption. My fans shouldn't be this loud if I don't have more than 15 tabs open.
After unsuccessfully restarting Firefox, I opened the task manager and found that a process called "Inference" fluctuates from 0.05% to 130% CPU usage, which explains the spikes in CPU load and power consumption.
Killing the process solves the fluctuation problem but causes Firefox to crash, requiring a restart.
What is going on? This problem never existed until today.
— users complain on Reddit.
😱 Official Mozilla representatives have acknowledged the issue. The fix will be included in Firefox 143 (ctodea writes Target Milestone: → 143 Branch).
💡 For full control and disabling of all local AI services, advanced users should experiment with some settings:
1. In about:config, set the parameter browser.ml.enable to false.
* The browser.ml.enable parameter is the main, kind of master key to all under-the-hood machine learning in Firefox. Setting this value to false completely deactivates the local AI engine (Inference process), making it impossible for any dependent features to work, including smart tab groups and the chatbot.
2. In about:config, set the parameter browser.tabs.groups.smart.enabled to false.
* Disables only the smart tab grouping feature. This step is not a guaranteed solution to the CPU overload problem, as the main source of the error lies in another component. Meanwhile, the AI engine itself (Inference process) remains active for other potential tasks.
3. In about:config, set the parameter browser.ml.chat.enabled to false.
* The browser.ml.chat.enabled parameter is a direct system switch that controls the activation and visibility of the AI chat integrated into Firefox.
Source: Telegram | Russian OSINT
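To check a profile rather than clicking through about:config, the following added example (not from the post or from Mozilla) parses a Firefox prefs.js or user.js and reports which of the three switches above still leave a feature effectively enabled. Assumptions: a pref absent from the file keeps its default, treated here as enabled, and the two dependent features are inert when the browser.ml.enable master switch is off, as the post states. The sample prefs file is constructed.

```python
# Added example: audit prefs.js / user.js for the local-AI switches.
import re
from typing import Dict, Union

Pref = Union[bool, int, str]
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

MASTER = "browser.ml.enable"
FEATURES = {                       # pref -> what it gates, per the post
    "browser.tabs.groups.smart.enabled": "smart tab grouping",
    "browser.ml.chat.enabled": "AI chatbot",
}

def parse_prefs(text: str) -> Dict[str, Pref]:
    """Parse pref("...", value); lines into a dict; comments and other lines are ignored."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"'):
            prefs[key] = raw[1:-1]
        else:
            prefs[key] = int(raw)
    return prefs

def effective_ai_state(prefs: Dict[str, Pref]) -> Dict[str, bool]:
    """Map each switch to whether its feature is effectively enabled."""
    master_on = prefs.get(MASTER) is not False      # unset -> default -> assumed on
    state = {MASTER: master_on}
    for key in FEATURES:
        state[key] = master_on and prefs.get(key) is not False
    return state

def report(prefs: Dict[str, Pref]) -> str:
    lines = []
    for key, on in effective_ai_state(prefs).items():
        what = FEATURES.get(key, "local AI engine (Inference process)")
        lines.append(f"{'ON ' if on else 'off'} {key}: {what}")
    return "\n".join(lines)

# Constructed sample: only the chatbot switched off, engine left at default
SAMPLE_PREFS = '''// Mozilla User Preferences (constructed sample)
user_pref("browser.ml.chat.enabled", false);
user_pref("browser.tabs.groups.smart.enabled", true);
user_pref("browser.startup.page", 3);
'''

if __name__ == "__main__":
    print(report(parse_prefs(SAMPLE_PREFS)))
```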


Did you ever wonder how QR codes work?
Reading QR codes without a computer:
EU age verification app to ban any Android system not licensed by Google
Reddit: https://www.reddit.com/r/BuyFromEU/comments/1mah79o/eu_age_verification_app_to_ban_any_android_system/
The EU is currently developing a whitelabel app to perform privacy-preserving (at least in theory) age verification to be adopted and personalized in the coming months by member states. The app is open source and available here: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui.
Problem is, the app is planning to include remote attestation feature to verify the integrity of the app:
This is supposed to provide assurance to the age verification service that the app being used is authentic and running on a genuine operating system. Genuine in the case of Android means:
• The operating system was licensed by Google
• The app was downloaded from the Play Store (thus requiring a Google account)
• Device security checks have passed
While there is value to verify device security, this strongly ties the app to many Google properties and services, because those checks won't pass on an aftermarket Android OS, even those which increase security significantly like GrapheneOS, because the app plans to use Google "Play Integrity", which only allows Google licensed systems instead of the standard Android attestation feature to verify systems.
This also means that even though you can compile the app, you won't be able to use it, because it won't come from the Play Store and thus the age verification service will reject it.
The issue has been raised here, but there has been no response from team members as of now.
In short: You can only be a full citizen of the EU if you accept the ToS from Google.
GitHub
GitHub - eu-digital-identity-wallet/av-app-android-wallet-ui
GitHub
Do not add Google Play Integrity integration · Issue #18 · eu-digital-identity-wallet/av-doc-technical-specification
GM #Nostr
Once you carry your own water, you will learn the value of every drop.
- African Proverb
Value the simple things anon.
Another Linux Smartphone Enters The Market. Meet Liberux NEXX
Liberux NEXX is a phone built on LiberuxOS, based on Debian 13 Linux Distro. Liberux NEXX will never track your activity, collect your data or compromise your privacy. All source code will be available for you to further customize your system or even build alternative versions. NEXX grants you a full ARM Linux system, including Android OS, which would allow you to install applications for this environment without compromising your privacy.
CPU: Rockchip RK3588S
• 8 cores, 64-bit
• 4× Cortex-A76 (up to 2.4 GHz)
• 4× Cortex-A55
• Manufactured by TSMC on an 8 nm process
GPU: ARM Mali-G610
• 4 cores, MP4 (450 GFLOPS)
Modem: Snapdragon X62 5G
RAM: up to 32 GB LPDDR4X
ROM: up to 512 GB eMMC
• up to 2 TB SD card support
• 6.34-inch (2400×1080 px) FHD+ OLED display
• Gorilla Glass protection
• 32 MP single rear camera
• 13 MP front camera
• 5300 mAh battery
• Rear fingerprint sensor
• 3.5 mm headphone jack
• 2× USB-C 3.1 ports
Audio Codec: ALC5640-VB-CG
Amplifier: AW8737SCSR
Wi-Fi/BT: AW-CM256SM (BT 5.0)
5 years of upgrades
NEXX also supports GNOME Shell Mobile and contains 3 KILL SWITCHES — for microphone/camera, Wi-Fi/BT and signal. When all 3 switches are flipped down, they also disable additional components like the GNSS unit (GPS + satellite systems), the IMU (accelerometer, gyroscope, magnetometer), and ambient & proximity sensors.
Liberux Team is also developing a gadget that, when connected to a monitor, keyboard, and mouse, will enable "wireless" connectivity to them. The smartphone is still under crowdfunding and will start shipping worldwide in July 2026.
https://www.indiegogo.com/projects/liberux-nexx--3#/
The base model comes with 8GB+128GB+LTE and costs 790€. Since Liberux NEXX has been designed with a modular architecture, you can upgrade the RAM, storage & modem.
Storage: 256 GB (+45 €); 512 GB (+150 €)
RAM: 16 GB (+100 €); 32 GB (+250 €)
5G Modem: +120 €
Liberux 2TB MicroSD Card: +250€
OSINT via Bluetooth: how Android devices give away the owner
For reasons unknown to me, Bluetooth is still considered a purely local protocol: file transfer, connection to headsets, operation of a fitness bracelet. In practice, it gives away a lot more. With proper processing of advertising packets and service information of Bluetooth devices, it is possible to determine the approximate location, type and model of the device, restore movement routes, and in some cases, identify the owner. All this happens without physical access to a smartphone or wearable devices.
Bluetooth-OSINT is used at the information collection stage, during technical support of events, during investigations and during movement monitoring. It is effective both in urban environments and in confined spaces: at train stations, business centers, hotels, and conference halls.
Android devices remain particularly vulnerable. Even with an inactive connection, they continue to send advertising packets.
Advertising packets in the context of Bluetooth, especially Bluetooth Low Energy (BLE), are special short packets of data that a device periodically transmits over the air to inform other devices about its presence.
These packets do not require a connection — they are transmitted "blindly" and are received by all devices within range. It is thanks to these advertising packets, for example, that headphones appear in the list of available Bluetooth devices on your phone.
Many models transmit the device name in clear text — for example, Pixel 8a Alex or Galaxy S22 Masha. This field often contains the user's name or nickname. Such data can be compared with search results in social networks, leaks, and databases.
Even if the name is hidden, there are still values in the packets that can be used to determine the model, chip type, and manufacturer's version. If you collect data about such devices from different points, you can build a graph of movements and identify whether the devices belong to the same user.
What is visible via Bluetooth
– Device name
– Signal strength (RSSI) — allows you to estimate the distance to the source
– Manufacturer-specific data — additional fields specified by the manufacturer
– Advertising UUID — often static for specific models
– Frequency of broadcasting and interaction with services
The combination of smartphone, watch and headset is already a unique set. It is easily tracked by its characteristic behavior on the air.
Why Android makes more noise than other OSes
– The MAC address may not be randomized until Bluetooth is manually rebooted
– Built-in BLE Privacy protection is either missing or partially implemented
– Device names are often transmitted in clear text
– System services are running in the background: Nearby, Fast Pair, geolocation, Smart Lock
This creates a permanent presence of the device on the radio. Even without connecting to other devices, the smartphone remains visible.
How to reduce visibility
1. Disable Bluetooth if it is not necessary to operate it
2. Disable background scanning:
Settings → Geolocation → Scan → Bluetooth Scan → Off
3. Change the device name:
Settings → About phone → Device Name
4. Disable Nearby Share, Fast Pair, Smart Lock and other Bluetooth-enabled services
5. If root access is available, use additional utilities:
– Magisk BLE Privacy Module
– XPrivacyLua
– Bluetooth MAC Spoofer
Tools for analysis
– nRF Connect — displays BLE packets transmitted over the air
– Beacon Scanner / BLE Hero — detection and tracking of surrounding devices
– btmon with ADB — allows you to view HCI logs, including BLE, without root access
– Kismet — a powerful framework for monitoring wireless interfaces (Wi-Fi, BLE)
Even if the device is not connected to anything and is in your pocket, it can transmit this data, depending on the firmware, settings, and model. This creates a digital "fingerprint" on the airwaves.
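To see concretely which of the fields listed above your own phone puts on the air, the following added example (not part of the original post and not code from nRF Connect or any other tool named there) decodes a raw BLE advertising payload into its AD structures, classifies the advertising address, and lists the identifying findings. The AD structure layout (length, type, data) and the LE random-address sub-types follow the Bluetooth Core specification; the company-identifier table is a small subset of the Bluetooth SIG assigned numbers; the sample payload and address are constructed.

```python
# Added example: self-audit of a BLE advertising payload.
from typing import Dict, List, Tuple

AD_FLAGS, AD_UUID16_INC, AD_UUID16_CMP = 0x01, 0x02, 0x03
AD_NAME_SHORT, AD_NAME_CMP, AD_TX_POWER, AD_MFR = 0x08, 0x09, 0x0A, 0xFF
COMPANY_IDS = {0x0006: "Microsoft", 0x004C: "Apple", 0x0075: "Samsung", 0x00E0: "Google"}

def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split a raw advertising payload into (ad_type, data) pairs."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                  # zero length ends the significant part
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out

def classify_address(addr: str, addr_type: str) -> str:
    """addr_type is 'public' or 'random', as reported in an HCI LE advertising report."""
    if addr_type == "public":
        return "public"                  # burned-in, never changes
    top = int(addr.split(":")[0], 16) >> 6   # two MSBs select the random sub-type
    return {0b11: "random-static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def audit_advertisement(addr: str, addr_type: str, payload: bytes) -> Dict:
    report: Dict = {"name": None, "company": None, "uuids": [], "findings": []}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (AD_NAME_SHORT, AD_NAME_CMP):
            report["name"] = data.decode("utf-8", errors="replace")
            report["findings"].append(f"device name in clear: {report['name']!r}")
        elif ad_type == AD_MFR and len(data) >= 2:
            cid = int.from_bytes(data[:2], "little")   # company ID, little-endian
            report["company"] = COMPANY_IDS.get(cid, f"0x{cid:04X}")
            report["findings"].append(
                f"manufacturer data from {report['company']}, {len(data) - 2} payload bytes")
        elif ad_type in (AD_UUID16_INC, AD_UUID16_CMP):
            for j in range(0, len(data) - 1, 2):
                report["uuids"].append(int.from_bytes(data[j:j + 2], "little"))
    if report["uuids"]:
        report["findings"].append(
            "service UUIDs: " + ", ".join(f"0x{u:04X}" for u in report["uuids"]))
    kind = classify_address(addr, addr_type)
    report["address_kind"] = kind
    if kind in ("public", "random-static"):
        report["findings"].append(f"address {addr} is {kind}: it does not rotate")
    return report

# Constructed sample: flags, complete local name, Google manufacturer data,
# one 16-bit service UUID (0xFE2C is the Fast Pair service in Google's public spec)
SAMPLE_PAYLOAD = (bytes([0x02, AD_FLAGS, 0x06])
                  + bytes([0x0E, AD_NAME_CMP]) + b"Pixel 8a Alex"
                  + bytes([0x05, AD_MFR, 0xE0, 0x00, 0x01, 0x02])
                  + bytes([0x03, AD_UUID16_CMP, 0x2C, 0xFE]))

if __name__ == "__main__":
    for line in audit_advertisement("C0:11:22:33:44:55", "random", SAMPLE_PAYLOAD)["findings"]:
        print("-", line)
```

A payload captured with btmon or nRF Connect can be fed to audit_advertisement in place of the constructed one; an empty findings list means nothing static was found in that advertisement.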
