Chasing digital badness at the citizen lab. All words here are my own.
Published at
2025-04-25T11:59:56Z Event JSON
{
"id": "85d78b2210f75a9c666486c5667927cf74785af4909bbcb49070db33f45bf878" ,
"pubkey": "609f186ca023d658c0fe019570472f59565c8be1dc163b1541fac9d90aa4e8af" ,
"created_at": 1745582396 ,
"kind": 0 ,
"tags": [],
"content": "{\"name\":\"jsr\",\"about\":\"Chasing digital badness at the citizen lab. All words here are my own.\",\"lud16\":\"[email protected] \",\"nip05\":\"[email protected] \",\"picture\":\"https://m.primal.net/NBib.png\",\"displayName\":\"JSR\",\"display_name\":\"JSR\",\"website\":\"johnscottrailton.com\",\"banner\":\"https://m.primal.net/NBic.jpg\"}" ,
"sig": "b89b8c1ca68c29d556dfe7680c5c5f9d70fb359290bdd626a7007ef474aeea2f58dd5e057ed357635d9569ccf38f170a590f43b3d4a0c1e171639ced04287512"
}
Last Notes

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

🚨NEW REPORT from us: exposing a new social engineering/hacking tactic. 🇷🇺Russian state-backed hackers successfully compromised a prominent (& professionally paranoid) expert on Russian military operations. Shocking, right? But the attack is solidly clever & worth understanding. I expect more like it.

https://blossom.primal.net/151037fad612bb0112412f07189b1ec3479e3ebd709221dd99af94e1b4123507.png

ATTACK FLOW

Keir Giles gets a message purporting to be from U.S. State Dept asking for a consultation. The attackers send the message from a gmail, but CC'd a bunch of state.gov email addresses. Including one with the same name as the purported sender.

https://blossom.primal.net/e9b747098271f185e66adda014e5d050f570a0120000d74724fd0f376eaa56ba.png

Strong credibility signal to have a bunch of gov ppl on the CC line right? Well, what the attackers were counting on is that the State Dept mailserver just accepts all email addresses without emitting a bounce. So they seem to have just created some fake State Dept staff names and addresses.

INTRODUCING THE DECEPTION

The attackers wait for the 2nd interaction to introduce the pivotal deception: getting him to 'connect to a secure platform.'

https://blossom.primal.net/da077358623aab8cc204741a4db027cf41d461254422fadec7872c2d0a94ed4f.png

In the next days they patiently walk him through what they want him to do, even sending a very official looking (but fake) State Dept. document.

https://blossom.primal.net/e4dcc76e9e00377d285dfd3392171aeb604f8be0dac94746db4e11459cee65b8.png

The attack works like this: the attackers try to deceive the target into creating and sharing an App-Specific Password (ASP) with them. They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works)

REMINDER: WHAT IS AN ASP?

What's an ASP? Well, not every app that users want to use supports Multi-Factor Authentication.
Some older email clients for example don't. So providers like #Google let users create a special password just for those apps.

https://blossom.primal.net/ecc8d336f426eaa27ae4744e7f4cb4c2cac3edd0ec17d6da83bc77b4673aeac8.png

There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it.

https://blossom.primal.net/8d0ed38e7478f802ad67adabc91a6e7f8d4e8453b1dd7c2328732864b5aa0815.png

Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd.. I could go on. They even had Keir enter "ms.state. gov" into the ASP name...

SLOW FOOD SOCIAL ENGINEERING

This attack was like slow food. 10 email exchanges over several weeks! Very much not your run-of-the-mill phishing. It's like they know what we all expect from them...and then did the opposite.

Ultimately, he realized something was wrong and got in touch with us at #citizenlab ... but not before the attackers got access. He's said that he expects some sort of 'leak' constructed out of a mixture of his real messages & carefully added falsehoods. I tend to agree, this is a pretty common tactic. Here's what that looks like, btw, from a report we did back in 2017 where we compared what was released after a hack by Russian hackers vs the original:

https://blossom.primal.net/d78c6546306d909b92b1f2df20371c9eeff07b1bfe9081cff27cadf7dc14e1ab.png

Coda: Hilariously (to me at least) the attackers called the fake platform *MS DoS*

https://blossom.primal.net/ccba459e840ce297664a2bda301d1438b3b8e51b585d169addcf8d21964c7fff.png

WHO DID IT?

Enter the Google Threat Intelligence Group w/analysis & attribution. GTIG had been working on their own parallel investigation. Our friendly social engineers are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor.

https://blossom.primal.net/515d82cd455084e58ae7dff4d35bd5d435912eb37851c400975a236e0ee498b0.png

Google adds bonus additional low confidence association to #APT29 (that would be Russia's #SVR).
Nice people.

TAKEAWAYS?

Takeaway: some gov-backed groups are feeling pressure & experimenting. Moving from smash & grab phishing... to subtler, slower & perhaps less detectable. Targeting App-Specific Passwords is novel. But it's just part of a trend of state-backed attackers innovating & moving beyond simple phishing that targets credentials (maybe multi-factor codes) towards other mechanisms of account access.

https://blossom.primal.net/336640b188c251fa283158375999307dcca111d77eae861bd0a35f74543eed45.png

A lot of more sophisticated attackers are also spreading attacks across platforms.. for example starting the attack on Signal/Telegram, then later pivoting to email, etc. The folks at Volexity (above pic showing a similarly complex operation) have some good reporting on that (link below)

GET SAFER

Do you think you face increased risk because of who you are & what you do?

✅Use Google's free Advanced Protection Program. Set it up now: https://landing.google.com/intl/en_in/advancedprotection/

https://blossom.primal.net/e5cf606d56a80fd5beff0b27169d03de332bb6653b95bcff6fe4335ec5630dac.png

✅Exercise extra skepticism when unsolicited interactions slide into suggesting you change account settings!

https://blossom.primal.net/56bd9a26f59aa26cfccb5d6aa4570a7b9cb0ad34b25f36fe692098baa3d80e19.png

✅Talk to your IT/ Security team about ASPs. Share the report, we've made some suggestions for them..
READ THE REPORTS

Ours at Citizen Lab: https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/

Google's Post: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia

Other citations:

Our Tainted Leaks report where we walk through how materials got manipulated & leaked after a Russian gov hack: https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/

Volexity's recent report: https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

“The Arab writer can be easily killed by their government under the pretext of ‘national security’” -Turki al-Jasser in 2014, unwittingly predicting how he'd die in 2025. He was just executed by Saudi Arabia, probably by beheading. For his posts critical of the government.

https://blossom.primal.net/f0e519d22a3b0f37db56b234a0d80d685e6e58578c7bf400e7247257d4308002.png

He was reportedly tortured while in prison.

Story: https://www.theguardian.com/world/2025/jun/18/saudi-arabia-turki-al-jasser-executed

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Pentagon pizza place indicators are undefeated. Israel just launched an air attack.

https://blossom.primal.net/86ba7e4c3c67493360439d89a79ee1ae5d2b5ab6b6bdbe5b25239742fefa9f2b.png

Source: NYTimes. #nevent1q…vctq

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

🚨NEW INVESTIGATION: We just forensically unmasked #Paragon 's Apple spyware.
Zero-click targets: Journalists. In 🇪🇺Europe. Like 🇮🇹Italian reporter Ciro Pellegrino
Reopens #Italy's spyware scandal. Follows our earlier Citizenlab investigation of Paragon Android spyware.

https://blossom.primal.net/f84b4ed767f2fc69a0dee3d6fe417f69a7e55e6676620c938ff1645aa5d57a5c.png

BACKGROUND

Back in April, #Apple sent out a threat notification to a select group of users.
Some got in touch with us to get analyzed.

WHAT WE FOUND

They'd been targeted with a sophisticated zero-click attack (think: no click, no attachment to open, no mistake needed...).

https://blossom.primal.net/cf1eac34dc665075a1e3761992a6d2d38a155d99e05058401bd685b8843f1a0a.png

While my brilliant colleague Bill Marczak was working on the phone of a prominent European journalist, he made a smoking gun discovery: Requests to server matching our P1 fingerprint for #Paragon's graphite.

https://blossom.primal.net/68f475e66eb02beadaaed4feb7cb853b26112289a1861b45cbad18fcdb9ad09f.png

Paragon's 'undetectable' Apple spyware had just been found... Just as we'd found their Android spyware some months ago.

https://blossom.primal.net/9d4412f41a7fa7dc618fa7109eb6c40e865f45ca008e017371761c77a194879b.png

The prominent European journalist had another spicy indicator on their iPhone logs: An iMessage account belonging to a particular #Paragon customer...used to deploy this zero-click attack. We call this account ATTACKER1. We'd find them again in short order...

https://blossom.primal.net/1921d65e5d4f9734a5f70c4e5007045ab456ff14d473f1ac58264726b2782dd8.png

Earlier this year we uncovered #Paragon's Android spyware after #WhatsApp notified a group of users they'd been targeted with Paragon. One of the notification recipients? Journalist Francesco Cancellato
His outlet http://fanpage.it had done bombshell reporting that displeased the Italian government.

https://blossom.primal.net/2d34f3ca05c248773b9f7230c9885afc8cc729a38915af01e3300ae38961b470.png

Then, in April, his colleague Ciro Pellegrino also gets a notification. His is from Apple (Cannot overstate how helpful these notifications are)
We analyze Ciro's iPhone & forensically confirm he's a Paragon target. And we find the ATTACKER1 iMessage account again!
https://blossom.primal.net/3afa6d81512eacede96d0fa843d1d3e8cdfdccdbbf19dfe5f8abf6bcca9d809e.png

ITALIAN DRAMA

This week #Paragon and #Italy have been locking horns over the case of Francesco Cancellato. Paragon doesn't want to be stuck w/unexplained abuses against journalists.

https://blossom.primal.net/7251a0f76e67272876ddc6fff8a48ac50a31e13b1f69a959e9ad6883d995567c.png

I think Paragon likely want to be able to put it on a customer & wash hands... But when your customer is a government... they clap back. So Italy has been threatening to declassify things like Paragon's testimony to their intelligence oversight committee. Spicy.

BIG QUESTION

We're left with a big question: who's hacking European journalists with Paragon? Who targeted Francesco & Ciro? Right now they have no answers. Bad look for Paragon. Bad look for Italy. Curious what Paragon knows about that server...

BIG PICTURE

Paragon's marketing was the 'clean' & stealthy opposite of NSO Group. Yet Paragon's Apple and Android tech got caught. And they can't shake a spyware abuse scandal. Conclusion: the problem isn't just a few bad apples, abuse is axiomatic. And discovery is a matter of time.

APPLE USERS:

One bit of good news, Apple tells us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1. That's #CVE-2025-43200 for the curious.

https://blossom.primal.net/6f7137d1c02dc47599fcdbe95d1baa9ec3b90a434d02a42331d25a63179d2d4c.png

Make sure to keep your iPhones up to date. And get in touch if you get one of these advanced threat notifications.

OUR FULL REPORT: https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Pizza places near Pentagon showing a *lot* of activity.
That favorite conflict indicator coupled with sudden cascade reports of US embassy evacuations & non essential personnel voluntary departures + rhetorical change in statements about talks with Iran... it's enough to make a lot of people start speculating about threats of strikes into Iran.

Disclaimer: Me? I'm not even an armchair geopolitical expert. And I'm certainly not smart enough to know if this is just signaling, or whether something happens soon. Or a bit later.

https://blossom.primal.net/c9ad2618f2217a17dcddacc0c3341a61dbe2c9346c1231f3003e6864e7a34588.png

https://blossom.primal.net/afc0fcaefd87949ca766578a96872e99d1cfd6df1a2b22ac637a7cb76fd6cd39.png

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Understanding grows when scientific knowledge is shared. Yet in 2025 some journals still gatekeep important research. Like this review of links between depression & inflammation. $35 if you aren't at an institution with a subscription. Imagine if a library charged $35 to read a book?

https://blossom.primal.net/e464889c5b49019eace6432b760bd6f66a2edf31539826f1a8f765a133d8bfae.png

That's enough friction to keep the knowledge from most of the globe. Every time I encounter knowledge gatekeeping in a health related journal I wince. I wonder if the American Journal of Psychiatry has considered the costs to the field, and our global mental health, of staying closed?

https://blossom.primal.net/8a6d134cfeab32c6434b8dbc7982ccc20f4a06ba142b6183d5f792fe8b3f6b0f.png

The thing is, I can personally read these articles thanks to my institutional affiliation. But the momentary friction as I cross through the paywall reminds me that most people can't.

The article: https://psychiatryonline.org/doi/10.1176/appi.ajp.20250289

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

🎥FRESH TALK DROP: Your phone, the spy. In the fight against spyware like Pegasus, your phone is the frontline.
Last week at the Oslo Freedom Forum

https://blossom.primal.net/4dc930b72c717f0123891cb0195a1a86086baab8ebfdccbf8b78b1b5316a9551.mp4

Topics:
❌The dictators repression toolkit
❌How mercenary spyware is used to spread fear around the globe
❌Zero click vs 1 click attacks
❌What works in the fight to pump the brakes on spyware proliferation

BONUS:
✅What you can do right now to make yourself harder to hack

Full talk: https://youtu.be/qknOIafYODs?t=63

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

This kind of thoughtful answer is why I decided to #asknostr first. Thank you @nprofile…zy8w

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

I keep getting asked for recommendations from journalists & dissidents for the "most private #AI" Their concerns about privacy aren't wrong. And are probably prescient. Prudent to avoid the big name platforms. But that doesn't mean they shouldn't be wielding powerful tools as they do their important work. The usual recommendation for someone with a bit of skill and a good machine is to get cooking on a locally run model. But not everyone is that person... So I've been looking for recommendations that don't require the above skills/bandwidth/machine & I keep hearing interesting things about Open Secret / Maple AI. Anyone have experience? Know the specs & models? Are there other similar offerings around?

https://blossom.primal.net/c74159e93a169eeedd5f1015d8ab39e6dbe356013ec7fc3fef92a86aa7881d8e.png

Their website: https://trymaple.ai/

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

NEW: accused mastermind of French crypto kidnappings arrested in Morocco. 24-yo Badiss Mohamed Amide Bajjou allegedly orchestrated the kidnappings & assaults from abroad.

https://blossom.primal.net/b8eb69823492b37acbb7a86fe1268760540246ea425ea069e81752b78fd3d34c.png

Including severing Ledger founder David Balland's finger. Authorities are probing possible links to additional cases.
https://blossom.primal.net/4655a25fc242c70c4ba936b223bdd5e7fe0f2dcd7f5fc4126dfc01bb611cec1c.png

This dynamic of remotely-masterminded attacks is terrifying. Nothing about these attacks requires super special skills, and the sheer ease of moving the assets once the wrench attack has happened is likely to attract more criminal groups.

https://blossom.primal.net/c6bc85410271025c79260328f797c0925c4f6281e773f148bbb0ef0eb181f9a6.png

I still think we're in the earliest days of these. Plenty of #OPSEC lessons and complexities to start thinking about here. Also, almost certainly the case that post- #Coinbase breach we will see more of these attacks.

Read the news story: https://www.lemonde.fr/en/pixels/article/2025/06/04/suspected-mastermind-of-french-crypto-kidnappings-arrested-in-morocco_6742008_13.html

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Do you know what the date is today? Today is the anniversary of the Tiananmen square massacre. Take a moment to watch this video.

https://blossom.primal.net/3b513c2c5774a2150d240931b83db5d13625fcd789d7f5c8924acc18da1275ce.mp4

Dictators hope that if they make us afraid to speak the truth for long enough... we'll forget it. And the next generation will never learn. This is how history is erased.

A Day to Remember, 2005, by Liu Wei
Full: https://vimeo.com/44078865

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

You might be right. And an even bigger argument for why it makes sense to pay attention to the network effects that can be harnessed, minus the VC vibes..

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

VERY interesting research on how academic twitter migrated to #Bluesky. Interesting topline takeaways for growing #nostr. No rocket science that's not been said before, but it's nice to have some data:

1- External shocks are key. Capitalize on them. >15% of transitions explained this way.
Think geopolitical events, outages, Musk making a big disliked policy change etc.

https://blossom.primal.net/bf7b42d4e5dfb1bfd81d36cd7bb4aab961c2d4c7af41d0e9298f61af62af9da8.png

2- Audiences move from incumbent platforms following influential voices that they follow. Focus on onboarding these influential voices. This is more impactful than just trying to bring the whole audience first.

https://blossom.primal.net/50d77aaffce370c49f1cc853471560ce49c8e560cb5551bf79168704335ed781.png

This dynamic can build contagion. Find ways to more publicly highlight when influential accounts join. And make it super easy for Nostr users to use clients to reconstruct followees & social graphs from incumbent platform. Trick will be to do this in a privacy respecting way. (sidenote: that's why the follow packs were such a good idea. But we need much more of this) (note: influential voices may experience a period of 'where's my audience?' So it's key to find ways to get the transitioning user from that to the reconstruction of their network.)

3- Multiple peers transitioning is key. Having local clusters develop is important (& probably helps with the dry period before an audience is rebuilt.)

Interesting nuance: transition rates to #bluesky were 25-30% in fields like arts/social sciences, but about half that in medical / physical sciences / engineering. Possible predictors include baseline political engagement & political values expressed.

https://blossom.primal.net/bf60153b7d7a9a282b632d2f120a9883391a7a902b577f12abdfec90d5c93942.png

This has an implication for Nostr: focus messaging on Nostr features that may align with people in incumbent platforms. There has to be desire.

Paper "Why Academics Are Leaving Twitter for Bluesky" https://arxiv.org/pdf/2505.24801

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Now more than ever it is critical to recognize where you've outsourced your cognition. And whose hidden assumptions your mental economy is now running on.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

NEW: Senator Wyden just exposed which companies keep silent about government surveillance. No = doesn't respect Americans' privacy rights. Choose accordingly.

https://blossom.primal.net/d33cb9659ff0dd0ff3e2162ec3c9f61454418e48a2ba77ad004c7576dbc262d7.png

But Wyden didn't stop there.

https://blossom.primal.net/d883f77fd240365c07b3ac7162a213d8b7ebbe2d8f1b6063243d1bbfba36a0a0.png

He highlighted troubling evidence that when government-ordered surveillance of Senators took place, companies failed to notify Senators.

https://blossom.primal.net/a118f1f62f54b3a414e33149197001de409e75adeba7b3632d514cebabc6c5d1.png

This is a bad, scary look for these companies. And it drives home the fact that Americans are often running blind when it comes to potential surveillance overreach.

Sources:
Wyden Letter to colleagues: https://www.wyden.senate.gov/imo/media/doc/wyden_dear_colleague_on_senate_cyber_and_surveillance_surveillancepdf.pdf
Wyden press release: https://www.wyden.senate.gov/news/press-releases/wyden-reveals-which-phone-companies-protect-privacy-by-telling-customers-about-government-surveillance

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

NEW: #Google's #Android 16 to feature optional high security mode. Cool. Advanced Protection has a bunch of requested features that address the kinds of threats we worry about.

https://blossom.primal.net/f19388ad4282b6473df62c60cedd2c633ff3e3aba32cae33d8b4f03e1fb6e265.png

It's the kind of 'turn this one thing on if you face elevated risk' that we've been asking for from Google. And likely reflects some learning after Google watched #Apple's Lockdown Mode play out. Here are some thoughts:

SOME FEATURES IM EXCITED FOR:

The Intrusion Logging feature is interesting & is going to impose substantial cost on attackers trying to hide evidence of exploitation. Logs get e2ee encrypted into the cloud. This one is spicy.
The Offline Lock, Inactivity Reboot & USB protection will frustrate non-consensual attempts to physically grab device data. Memory Tagging Extension is going to make a lot of attack & exploitation categories harder. 2G Network Protection & disabling Auto-connect to insecure networks are going to address categories of threat from things like IMSI catchers & hostile WiFi.

FEATURES IM ..MORE CAUTIOUSLY CURIOUS ABOUT

Spam & Scam detection: Google messages feature that suggests message content awareness and some kind of scanning.

https://blossom.primal.net/5b3a85ad8c678393c5e8c03f88902e25a994899776c15dc8a3517e2752235a17.png

Scam detection for Phone by Google is interesting & coming later. The way it is described suggests phone conversation awareness. This also addresses a different category of threat than the stuff above. I can see it addressing a whole category of bad things that regular users (& high risk ones too!) face. Will be curious how privacy is addressed or if this is done purely locally.

FRICTION POINTS?

I see Google thinking some of this through, but I'm going to add a potential concern: what will users do when they encounter friction? Will they turn this off & forget to re-enable? We've seen users turn off iOS Lockdown Mode when they run into friction for specific websites or, say, legacy WiFi. They then forget to turn it back on. And stay vulnerable. Bottom line: users disabling Apple's Lockdown Mode for a temporary thing & leaving it off because they forget to turn it on happens a lot. This is a serious % of users in my experience... And should be factored into design decisions for similar modes.

GIVE US A SNOOZE BUTTON

I feel like a good balance is a 'snooze button' or equivalent so that users can disable all/some features for a brief few minute period to do something they need to do, and then auto re-enable.
Yes, during that brief period there is vulnerability (and a potential social engineering target), but if the trade off is that the user likely just turns the whole thing off and forgets it..that is worse.

HIGH SECURITY & HIGH PARANOIA USERS

Some users, esp. those that migrated to security & privacy-focused Android distros because of the absence of such a feature are clear candidates for it... But they may also voice privacy concerns around some of the screening features. And about the fact that the phone would need to be re-googled (think:Graphene which confers a lot of privacy by stripping out most google features) Clear communication from the Google Security / Android team will be key here.

TAKEAWAYS

I'm excited to see how #Android Advanced Protection plays with high risk users' experiences. I'm also super curious whether the spam/scam detection features may also be helpful to more vulnerable users (think: aging seniors)...

Google's blog: https://security.googleblog.com/2025/05/advanced-protection-mobile-devices.html

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

I just tried the new #Primal article editor. It's awesome. https://primal.net/jsr/the-cognitive-style-of-long-form-notes

https://blossom.primal.net/795405498fe4a0359b4aac1b95c026e4518c4e057b00f2e87b425fa8acc4f318.png

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Terrible ad from a cynical man trying to steal your privacy.

https://blossom.primal.net/3a28369f9a5c6ee2f5c7536473b0bafb2361c77e754c298d3f40203e55c21bda.mp4

I've talked about the Orb Mini before: #nevent1q…6758

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Coda: WhatsApp acknowledges long road to collecting damages, but are stating their intention to donate to help orgs that assist spyware victims.
https://blossom.primal.net/98fbd28dde36a2e26551d08d601f731cab39415055fe0626da4522ff32f43812.png

Source: https://about.fb.com/news/2025/05/winning-the-fight-against-spyware-merchant-nso/

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

BREAKING: jury awards massive $167 million in punitive damages against spyware company NSO Group.

https://blossom.primal.net/b969407c98a4b0e39a6cb3c7fd4a5dcbd9819babc71fb7f62e623690d825de15.png

It turns out that the regular people on a jury think it is evil when you help dictators hack dissidents. After years of every trick & delay tactic it only took a California jury ONE DAY of deliberation to get this Monsanto-scale verdict. Precedent-setting win against notorious #Pegasus spyware maker.

BACKSTORY:

Rewind to 2019. About this time (April-May) #WhatsApp catches NSO Group hacking its users with #Pegasus. They investigated.

https://blossom.primal.net/8f50f124ebff031a6a37b33270aacce1b5a3ff5e26ef77f53a039a56e38c7a90.png

We at Citizen Lab helped to investigate the targets & get in touch with the activists, journalists & civil society members that were targeted

https://blossom.primal.net/8aeb34cb2052d2af92bcd34e4443525c45648eb9224cadc70d1ec8d760afe393.png

We identified at least 100. And got in touch. It was a tremendous push of sleepless days. But it made it so clear just how much harm was being done. Then, in October 2019 WhatsApp sued. Prior to the lawsuit, NSO had acted the playground bully. Targeting victims that dared speak up & researchers like us. Suddenly, the bully wasn't so surefooted. Like the scene in a high school movie where the cousin shows up in the beat up car & collars the bully. You might not remember, but in 2019 no country had sanctioned NSO Group... No parliamentary hearings, no hearings in congress, no serious investigations. For years, WhatsApp's lawsuit helped carry momentum & showed governments that their tech sectors were in the crosshairs from mercenary spyware too...
Credit due to Meta & WhatsApp leadership on this one, they stuck the fight out & carried it across the finish line.

NOTIFICATIONS MATTER

WhatsApp's choice to notify targets was also hugely consequential. A lot of cases were first surfaced from these notifications. With dissidents around the world suddenly learning that dictators were snooping in their phones...with NSO Group's help.

A SIDEBAR: HARASSING RESEARCHERS

One of NSO's many tactics was to leverage the case to badger me & us Citizen Lab researchers to try and extract information.

https://blossom.primal.net/3e4a3bd8248a954b919f660bdefc12ca76178f37d2eb7250ce17b0bdffaddab3.png

It never worked, but it laid bare the tactics that these firms prefer...instead of coming clean.

ROLE OF CIVIL SOCIETY

Ultimately, we wouldn't be here without civil society investigations of mercenary spyware... and alarm raising. And victims choosing to come forward. Thankfully today there's a whole accountability ecosystem growing around this work. Dozens of orgs engaging. Numbers are growing.

IS THERE GONNA BE IMPACT? YES

NSO Group emerges from the trial severely damaged. The damages ($167,254,000 punitive, $440K+ compensatory) is big enough to make your eyes water.

NSO'S BUSINESS IS NOW ALL OVER THE NET

The case is also a blow to NSO's secrecy, with their business splashed all over a courtroom.
https://blossom.primal.net/3d9bfc037d31d95cc052430e8cdd8570c36506388de63a5f08cd185ffe6f3c54.png

WhatsApp just published NSO's depositions, exposing an unprecedented amount of info on a spyware company's operations:
✅https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Eshkar-Transcrips_Case-4-19-cv-07123-PJH.pdf
✅https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Gil-Transcrips_Case-4-19-cv-07123-PJH.pdf
✅https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Shohat-Transcrips_Case-4-19-cv-07123-PJH.pdf
✅https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-NSO-Gazneli-Transcrips_Case-4-19-cv-07123-PJH.pdf

This will scare customers. And investors. And other companies that do the same thing. Good.

MY VIEW:

Watching a jury of regular citizens see right through NSO's mendacity & hypocrisy...and to the need to protect privacy is amazing. Gives me hope. Despite all the fancy lawyering & lobbying, people know that this kind of privacy invasion is wrong.

Read more:

They Exposed an Israeli Spyware Firm. Now the Company Is Badgering Them in Court. https://theintercept.com/2024/05/06/pegasus-nso-group-israeli-spyware-citizen-lab/

Spyware maker NSO ordered to pay $167 million for hacking WhatsApp https://www.washingtonpost.com/technology/2025/05/06/nso-pegasus-whatsapp-damages/

NSO Group must pay more than $167 million in damages to WhatsApp for spyware campaign https://techcrunch.com/2025/05/06/nso-group-must-pay-more-than-167-million-in-damages-to-whatsapp-for-spyware-campaign/

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

#Skype shuts down TODAY. Here's the link to download your contacts, chats etc: secure.skype.com/en/data-export

https://blossom.primal.net/fdc98c0d7f38405d38f4714ab7084b18ff46b62252d4bf5a6e208366bf04437f.png

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

AI friends consoling me because my cat bonded to the robot vacuum & ignores me.
https://blossom.primal.net/0eb9a07bc096d7a790a469b26ff5f0c213e2518e56710533e8d4b8bcb0806ce6.png

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Any time you see a name like 'Tools for Humanity' you should slow down and scrutinize. Especially when paired with AI hype. The level of documented exploitation around the WorldCoin project is wild. Everything @nprofile…cms0 said x1000.

https://blossom.primal.net/1a809ee53b3740691e66ba6be67084648ff4a0ca232028d2a4ec4c8952b434e0.png

Now the company wants more data.

https://blossom.primal.net/133bc1022f0bc76a5544028188cdc1da99c3521d473623e529afa39e88a55c41.png

Exploitation was baked right in from the earliest days of this hype train.

https://blossom.primal.net/ae2b4dd3b61c4d6ce1f160470569c1eae36eb2af1635bf048a9ac8df26f47d1a.png

Sources;
-https://www.dlnews.com/articles/people-culture/how-worldcoin-crypto-biz-in-berlin-exploded-in-fistfights/
-https://nation.africa/kenya/news/kenyans-scanning-their-eyeballs-worldcoin-cryptocurrency-tokens-4319600
-https://www.technologyreview.com/2022/04/06/1048981/worldcoin-cryptocurrency-biometrics-web3/

#nevent1q…8h7w

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr

Friends don't let friends get their eyeballs scanned to buy a coffee. This portable dystopia machine is Tools for Humanity's latest effort to live up to their Orwellian name.

https://blossom.primal.net/7d3f813ec8e8f88e1a8a65895687a43d772b2d908e88b1e69c79e84b2110f578.png

Connoisseurs of the AI-will-end-humanity marketing hype train of a few years ago should find plenty to appreciate in an eyeball scanner framed as a 'helpful' tool to distinguish between AI agents & humans. Or is it for that? Or maybe point of sale? Or nebulous 'verification?' The only clear thing? This device starts from a point of biometric #privacy invasion.
https://blossom.primal.net/f157bbd63933c1cbe87afc9af071afb975504950e1cf151d5e1688afcf47cd21.png It sure looks to me like another effort by the company Sam Altman founded to make a global data-grab. https://blossom.primal.net/8cf71cc4ea27e87adbbe93081213e0f6bae366791e92896eaacd60702371ee08.png Just say no. https://techcrunch.com/2025/04/30/sam-altmans-world-unveils-a-mobile-verification-device/
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Starter packs of people worth following. You need em. Nostr needs em. Huge props to @nprofile…h36r for again building a thing that needed to happen. Now, how do we get support built natively into clients? #nevent1q…ezqz
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Use sunscreen. Get enough fiber. Do regular backups.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr That's super interesting. I had no idea. Absolutely love this kind of history.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW INVESTIGATION: Uyghurs far from China's borders are being targeted. Attackers impersonated legit software developers & contacted the targets asking for testing help on a language app. Then they sent a trojan. Let's talk about why this was clever. https://blossom.primal.net/c172136b784bbb1559f0ca8345bc1b1072a1ff72c8f03e2432775a5353097b07.png TECHNICAL SOPHISTICATION? NAH. Technical sophistication of this attack was...meh. https://blossom.primal.net/6a9e740d311bce1d2afd66ef7390ed0b109f84d4797f1c64be2a9efd4b73fb28.png But that's not where the attackers focused. INTELLIGENCE-DRIVEN? YAH. They spent their effort carefully crafting credible bait that matched what they knew about their targets: Trojanizing a legit Uyghur language app was a clever, cynical move.👇 Many marginalized communities struggle with getting fonts & dictionaries to capture their language.
https://blossom.primal.net/a2287b43d725e1ff5a05d813c251aa12a3e5698ac0a5c83d0a4ca2b13487159f.png And developer talent is very welcome. With a lure that credible you don't need to burn your most sophisticated exploits. Good news in this case: Gmail spotted & blunted the attacks which were only found when my colleagues worked with vigilant targets to screen for them. But the theme of China-nexus hacking groups being economical about exposing technical methods (just using minimum necessary stuff) while drawing from (presumably) vast amounts of intelligence and understanding of their targets to craft effective social engineering is something we at the Citizen Lab have tracked for decades. READ THE FULL REPORT: By my talented colleagues: https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Fear is dictatorship glue. You can't imprison everyone with a dissenting thought. Or inconvenient factual observation. But fear teaches self censorship. And is a scalable system of control. The challenge, of course, is to keep the fear going. And push it all the way down into private conversations. In the 20th century, such fear required massive human investment. Informants... model punishments...information control. All on a linear scale. And there was a post-cold war school of thought that said: once everyone is connected, these systems won't work. But tech isn't, by nature, a dictatorship antidote. It can equally be an expedient. Just ask China. In the past 20 years the government has empirically developed technologies & private sector partnerships for scaling fear and self censorship to north of 1.4 billion ppl. Log scale. Out here in the rest of the world take a look around. The major underpinnings of our online & financial behavior have comprehensive person-tracking surveillance and information-shaping built right in... primarily to sell us even more things.
But it is the shortest possible distance from that to a totalizing system of government surveillance. Punishment. And information control. We all carry informants in our pockets. Ready to snitch on us, shape what we feel, and implement punishments. This is a tremendously inviting system for governments with the instincts to grab these levers. Increasingly, they are doing just that. Pictured: Stasi interrogation rooms. https://blossom.primal.net/020478322d5622f0ed497c35fafe1b7cb286af99cd645664d7f5faa0cd0f71b7.png Image source: https://hyperallergic.com/151019/mundane-horror-in-abandoned-stasi-spaces/
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Yes. A core challenge with advertising & behavior shaping = understanding how people really *feel* exposure to different content. Everything is a somewhat distant proxy. This would be an excellent way to get closer.. and start modeling and leveraging it.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr 2027: we can't wait to show our advertising partners how we deliver behavior shaping across whole lives. this is a surprisingly great feature, imo. https://blossom.primal.net/9643f6078a67118e252c3882fd9cf08a3dce075467075a1fb41a989a64eae41e.png
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Government censorship has come to #Bluesky. https://m.primal.net/QbYz.png LATEST: On demands from the Turkish government, Bluesky restricted access to 72 accounts per a report from a Turkish NGO. https://m.primal.net/QbXO.png DETAIL: Accounts are restricted for users in Turkey. Accounts aren't banned from Bluesky's AT Protocol relays etc, but access is moderated at the official client level through geography-specific labels. https://m.primal.net/QbXg.png WORKAROUNDS? Realistically impacted accounts are no longer visible to the majority of Bluesky users (most aren't on 3rd party clients) in Turkey.
However, since 3rd party client apps for the AT Protocol aren't forced to use geography-specific labels, they can still be used to view the content. In theory, official client + VPN would also result in seeing the accounts. LOOKING AT SOME DATA: Bluesky has been publishing transparency reporting about legal & government requests. The most recent report covers 2024 and shows a relatively modest number of takedown requests, but about 50% response by Bluesky. https://m.primal.net/QbYR.png Unfortunately, the company doesn't differentiate between legal demands in civil litigation and *government* demands. This makes it hard to get a clear picture. https://m.primal.net/QbYr.png I hope Bluesky segments out these very different kinds of pressure in 2025 reporting so we can get a better sense of what's happening. BIG PICTURE: Looking ahead, governments are probing for new ways to enforce content restrictions. These are early days for Bluesky and it is likely that a lot more requests like this will be inbound as users head there to try and avoid the well-greased censorship machinery on legacy platforms like X. Recommended reading & Sources: Super-helpful-to-me TechCrunch article: https://techcrunch.com/2025/04/23/government-censorship-comes-to-bluesky-but-not-its-third-party-apps-yet/ Mastodon post confirming blocking with testing: https://mastodon.online/@mastodonmigration/114348331162291326 Bluesky post with the notification email screenshot: https://bsky.app/profile/aliskorkut.com/post/3lmul5pt34c2b Bluesky 2024 Moderation Report: https://bsky.social/about/blog/01-17-2025-moderation-2024 Bluesky post describing geography-specific labels as a content-removal technique: https://bsky.social/about/blog/09-18-2024-trust-safety-update
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr They Criticized Musk on X. Then Their Reach Collapsed. https://m.primal.net/Qagt.png Graphs from this story are stark.
https://m.primal.net/QahA.png Link: https://www.nytimes.com/interactive/2025/04/23/business/elon-musk-x-suppression-laura-loomer.html
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr 2/ Today, our most intimate worlds and thoughts pass through our phones. States forcing their way into these interactions for every citizen is the equivalent of putting a police camera and a microphone between everyone's pillows. Then asking us to trust they'll never look...
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr https://m.primal.net/QaSB.png Maybe we can all 'live without' private messaging? Pay attention. Denmark is set to take over the rotating EU Council presidency. And is sending signals that they want to go after encryption. Backdoors end badly. Demanding backdoors isn't just the surest way to chase away innovation...it's collective punishment for security services' own failures to adapt. And the history of democracies is littered with states abusing secret surveillance powers to undermine core values. Article: https://www.politico.eu/article/encryption-crime-denmark-peter-hummelgaard-europe-privacy/
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Constant algorithmic improvements have empirically reverse engineered the human psyche. I suspect that explicit research neuroscience hasn't caught up to the insights about how to induce behavioral dependence that are embodied in these systems. The user experience of most platforms now mirrors maladaptive behavior-maintaining effects you could *only* achieve with most addictive drugs up to about a decade ago. We need to avoid the moral panic, but it's impossible to overstate how novel this is for our brains. One thing we know from behavioral addiction research (my old field) is that the brain is plastic. When you induce one category of addiction, it changes the motivational substrate of the brain in sticky ways.
And cross-sensitizes / potentiates other forms of addiction and behavioral dependence. This will only accelerate & become less scrutable with improvements in AI. We are in the earliest, earliest days of trying to understand what this means for the next decades of human life. Painting: The Opium Den, Edward Burra, 1933 https://m.primal.net/QXBE.jpg
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: 🇪🇺EU issuing burner phones to staff traveling to 🇺🇸US. Anecdotal: matches what I'm seeing, which is orgs retooling what was once the high security "China travel policy" into a US travel policy. Burner phones, dedicated travel devices & border wipes are the new normal. Story: https://www.ft.com/content/20d0678a-41b2-468d-ac10-14ce1eae357b https://m.primal.net/QPHR.png
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr https://m.primal.net/QDHd.png Anyone come across good analyses of new US #tariffs. Longer term projections a bonus. #AskNostr
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr The wild and horrid thing is that the answer is: sorta. Yes when you use a VPN your ISP can't passively collect your data (though through DPI they can know what VPN you are using & possibly the IP of your endpoint)... But plenty of ISPs' user data businesses are already enriching data profiles about you from things like advertising exchanges & surveillance SDKs that will keep working (& are still uniquely associated with you) through the VPN's tunnel. Which is a horrible reality of the multiply tracked digital shitscape.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Very cool, tag me when you post it I'd love to listen.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Ultimately, more friction around simple forms of tracking & user data grabs is good, but there is still a huge gap between how users understand VPNs & what they provide...vs the much more limited benefits that they actually provide. No VPN will ever be close to a silver bullet for privacy or security, but it's nice to see design choices that address weakpoints.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Thoughtful design that addresses one of the biggest issues around VPN use & privacy: a single chokepoint point of possible privacy failure & exposure to demands for access. There are still lots of things VPNs don't do..that people think they do.. but this kind of thing is nudging consumer VPNs closer towards what people think when they use them :) Example of what ppl think VPNs do but they don't: hiding from most websites you visit. Unless you are actively resisting things like browser fingerprinting, cookies, trackers & never logging in, you're still identifiable to most of the sites you visit. Here's another: a state can still find you if you use a VPN. Trivially, if they can get enough traffic logs. For example, if SERVICE A still has an IP address + time pairing associated with you that is uniquely identifiable (e.g. you touch your email inbox over your VPN connection).. then there's a good chance that a state can quickly associate you with your other activity on SERVICE B. All they need to do is make a legal request that SERVICE A complies with. Then they see what IP is associated with you at that time, maybe get your useragent & a few other things and ...boom.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Great job @nprofile…5kd8 . You lasered on some key themes and took open questions right towards the important stuff. That segment was better because they had you on!
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr https://m.primal.net/PyiS.jpg I've spent my adult life thinking about defending digital privacy. Yet until a few years ago, financial freedom & privacy was barely on my radar. This would have probably continued but for a handful of good humans that took the time to talk me through things. Thanks to thinking they kicked off for me, I now think that individual access to aspects of financial freedom & privacy are necessary to a healthy society. Why did it take so long? Well, there was a failure of adversarial imagination on my part. And partly because if you aren't actively asking hard questions, this state of affairs will be hidden from you. The financial system & how it is taught is set up to hide structural privacy violations & disempowerment. I'm pretty sure my ignorance was closer to the norm than the exception. But when you completely restrict financial privacy & freedom, you disempower people...constantly. And it will keep eroding & blocking the exercise of other core rights. Until this changes & awareness grows, we're stuck paying the price for it in a thousand ways. Shoutout to @nprofile…xncl for getting & keeping the intellectual ball rolling for me. And to all the good humans that have helped me along the way since. Thank you. You know who you are. Painting : Egon Schiele, Four Trees, 1917.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Now to figure out what *actually better* looks like
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr I hear what you are saying, and agree that this kind of advanced data collection probably is not necessary. My view is: don't underestimate the power of these industries. Consider that there's a difference between what kind of invasiveness might be needed.... and what will be instantly sought & probably granted. Getting concrete.
The cheaper bids on contracts will probably be because they rely heavily on more automated approaches... And to make that work, they are going to want data.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr I hear you. I worry that a goldrush of some of the shadiest companies will happen in a blink. Surveillance-oriented-companies love nothing more than areas where people *have to hand over data*. And the "we need this data to keep ppl safe" fear thing is going to be a godsend. If we aren't demanding that concerns about safeguards, limits & accountability are included in every step of the conversation now...it will be 100x harder to get them in place once big companies & lobbyists have set the terms of the game.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Most folks don't love security theater & everyone has had a bad time at a screening checkpoint. So, let's think for a second about hypothetical private-#TSA companies. I'd expect them to gravitate towards AI-assigned individual risk ratings to minimize the cost of hiring & training people to interact with travelers. To create ratings, I'd expect them to demand & consolidate invasive pools of our biometrics, web browsing, commenting, purchasing, movements & private lives. Just don't call it a "social credit score". You can bet they'll pivot to trying to monetize their data. 2026: We're a terminal security company 2029: We're a person rating company Would these ratings make their way into other parts of our lives & things we want to visit? And who exactly would stand up for us when the ratings are wrong? Or our data is shipped to foreign buyers. Who holds #PrivateTSA companies accountable? The US doesn't have strong #privacy protections... I'm also not optimistic about private sector security companies' ability to stop breaches. History backs me up here. But I do expect that private-TSA companies could use lobbying to limit oversight & accountability.
That's been the history of other privacy-invasive tech companies. So, as an airline security privatization conversation kicks off, remember that it can't just be "current thing is bad" but needs to consider what kind of future we're inviting in. https://m.primal.net/Pxhw.png
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr PS: I was going to #Zap you but don't see a lightning address. If you do set one up, let me know!
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Thank you Jason!
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Was having the same reaction https://primal.net/e/nevent1qqsy0p7khgqqmhcjslkdp3qv0evqe4x7knlqg2mmvckgpp79vtthewqe3gtn9
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Did some math: 1944: New House = 1.4x yearly income 2023: New House = 5.3x *median* household income (2023 New US house $427,400, Median US individual income $80,610) Then got interested & found some more data and graphed it (starting 1984, note that it's sales price, not new house, but trend is clear) https://m.primal.net/PxVa.png
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Thanks much, great stuff!
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr slushwave: new term for me! Thanks!
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr haven't listened. do you have a suggested track?
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr What's your best focused work music? I'm getting habituated to mine. Please drop a link.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr A journalist asked me: why does NSO Group keep getting caught? Isn't #Pegasus supposed to be undetectable? My answer: because the maker of Pegasus spyware isn't as good at hiding their activities as their government customers believe. https://m.primal.net/PwUG.png Making it worse for customers, Pegasus spyware customers fate share.
If a gulf dictator abuses Pegasus against an activist & gets caught..this impacts the whole customer base when the zero day gets burned. https://m.primal.net/PwTy.png This is because the main mercenary spyware model involves selling the same tech to multiple customers. https://m.primal.net/PwUB.png This includes building & maintaining customer infrastructures for things like infecting, command & control, and exfiltrating data from phones. Similarly, as researchers, when we get a first bit of that spyware infrastructure, we fingerprint... and expand out from there. Like we did with Paragon spyware. https://m.primal.net/PwUM.png Often the result is to surface new customers since the tech is going to multiple clients. https://m.primal.net/PwUK.png And yet again... customers fate share. This dynamic is likely to continue as long as companies proliferate mercenary spyware to a broad customer base... the spyware gets abused... and researchers like us keep hunting for abuses. Story: https://techcrunch.com/2025/03/28/again-and-again-nso-groups-customers-keep-getting-their-spyware-operations-caught/
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Highly recommend. Farrow gives victims space to speak about the experience of being targeted with such invasive tech & covers some investigative work we're very proud of.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: Italian gov reportedly admits it targeted activists with #Paragon mercenary spyware. After ~2 months that began with denials & slid into evasions, some clarity finally came. But only some... https://m.primal.net/Pvti.png The spyware targeting of journalist Francesco Cancellato, the first case to come forwards after he got notified by #WhatsApp at the end of January is still unexplained. We at #Citizenlab have been investigating the case & working with targets. We published a forensic investigation last week. Lots of unanswered questions.
Company Background: Company frames themselves as the anti-NSO Group (the notorious Israeli spyware company that makes Pegasus spyware). More stealthy. More ethical. Well, they got caught & they now have a big scandal. Like NSO, Paragon also originates out of alumni from the Israeli intelligence community but was recently acquired by a US defense contractor. Up Next? As long as clarity is incomplete... the #Paragon scandal isn't going away for #Italy ... and Italy is going to remain a major pain for the mercenary spyware company. Report: https://www.euractiv.com/section/politics/news/spyware-scandal-italian-government-reportedly-admits-targeting-activists/ https://primal.net/e/nevent1qqs8us77wawnjryeacpq0cup22pvwdnhyv6k69fmkadf5r34rppp7usyhlr4e
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr So, more journalists were just targeted with #Pegasus spyware. This time journalists in #Serbia that were investigating corruption. https://m.primal.net/PvTf.png “In Serbia, you can hire a hitman for a half of the money...what else would they be prepared to pay for?!” - a spyware-targeted reporter. Indeed. https://m.primal.net/PvTk.png Notice that the targeting is happening over a messenger program with a link, not a zero-click? The why is unclear. Maybe Pegasus didn't have a working exploit against those phones. Or maybe the customer didn't get the platinum zero click package and so had to do some social engineering. Interesting. BACKGROUND: This is the THIRD report of Pegasus abuses in Serbia in 2 years. And nearly a decade after the first Pegasus abuses got reported, NSO Group is still fueling attacks against freedom of speech. We're here because spyware companies still don't feel meaningful consequences. https://m.primal.net/PvTm.png And DC is home to a seemingly-infinite number of lobbyists that are willing to help them try to get off sanctions lists... READ THE REPORT by Amnesty Tech & BIRN.
https://securitylab.amnesty.org/latest/2025/03/journalists-targeted-with-pegasus-spyware/
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr BREAKING: more journalists targeted with #Pegasus spyware. This time journalists in #Serbia that were investigating corruption.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Private data & passwords for US officials found online? Sure. This is true for every official, regardless of party. And you, if you're an American reading this. The US hasn't enacted serious privacy protections for citizens. https://m.primal.net/PuNS.png This is a consequence. Companies intrusively soak up your personal data, get breached, and nobody blinks. https://m.primal.net/PuNT.png Breaches are one of the first places attackers go when they want to target. https://m.primal.net/PuNW.png This is why password re-use is dangerous. And two factor authentication is key. If your favorite 'strong password' is in a breach, an attacker is going to try it against every other account you have. https://m.primal.net/PuNZ.png Story: https://www.spiegel.de/international/world/hegseth-waltz-gabbard-private-data-and-passwords-of-senior-u-s-security-officials-found-online-a-14221f90-e5c2-48e5-bc63-10b705521fb7
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Datapoint: this administration uses Signal. Like every other administration. Because encrypted messaging is critical infrastructure. Remember this the next time a government demands an encryption backdoor. https://m.primal.net/Priw.png How did a reporter get added? Well, the use of encrypted chat is ubiquitous but not explicitly accepted, supported or discussed in most institutions. Which means users are left to fend for themselves in how they use & understand these tools. And are usually about 1 mistake away from self-doxxing group contents.
https://m.primal.net/Prix.png This also left me wondering: is anyone screening these devices for mercenary spyware like Pegasus? https://m.primal.net/PrjS.png Experience tells me the answer is: maybe not. Article: https://www.theatlantic.com/politics/archive/2025/03/trump-administration-accidentally-texted-me-its-war-plans/682151/
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Some of the least exploitative consumer interactions happen between individuals & small / local vendors. These have the potential for mutual trust and reciprocity + possibility for sanctions in both directions if trust is violated.* Trust + your private information is held in a distributed way & there are some social protections for your data. A small shop gets hurt if you stop patronizing them because they violated your trust, for example. And if you cheat your nearest grocery store and they refuse you service, this is a cost for you. These relationships are increasingly being replaced with unidirectional information harvesting where all arrows of data sharing point to the intake pipes of a centralizing enterprise. The more this happens, the more the power consolidates up. And payment processors are speeding the process... trying to become the intercessors in those trust dynamics. Your data heads to companies whose incentive is to always exploit any biometric / personal information you share with them for every-profitable-thing they can think of. Collecting biometrics to validate a trusted transaction becomes...hey we now have a new identity database we can sell for mass surveillance. The incentive will always be data disempowerment: propagate your info as widely as profitable, far outside of what you would ever want or meaningfully consent to. The bigger the set of such data & the more centralized, the more potential for harm...
And the lower the ability for any individual that has been burned by the transaction to meaningfully sanction the entity that abused their trust/ information. *of course there are always edge cases where the vendor is small but super wealthy/connected etc and the consumer isn't. The point is that the further we get from this, the greater the chance that the dynamic is fully unequal. #nevent1q…d2m0
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Happy stuck ship anniversary. Hard to imagine being able to epically tell that story on legacy social media today. I feel in my bones that any attempt at such a participatory longform conversation where expertise is shared across days would be drowned out with AI slop, herded partisanship, and lowest common denominator engagement-farming. https://m.primal.net/Pqwj.png
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Report: Researcher's device got searched at US border. Turned away because he expressed personal view in private about how scientists were being treated. Seems like France is taking a dim view & speaking to the press as a signal of their displeasure https://m.primal.net/PloO.png (Machine translated) Original (FR): https://www.lemonde.fr/international/article/2025/03/19/etats-unis-un-chercheur-francais-refoule-pour-avoir-exprime-une-opinion-personnelle-sur-la-politique-menee-par-l-administration-trump_6583618_3210.html
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr 🚨NEW REPORT: first forensic confirmation of #Paragon mercenary spyware infections in #Italy... Known targets: Activists & journalists. We also found deployments around the world. Including ...Canada? https://m.primal.net/Pljg.png https://m.primal.net/Plji.png So #Paragon makes zero-click spyware marketed as better than NSO's Pegasus... Harder to find... https://m.primal.net/Pljo.png ...And more ethical too! This caught our attention at #Citizenlab. And we were skeptical.
https://m.primal.net/Pljq.png So.. it was time to start digging. https://m.primal.net/Pljr.png We got a tip about a single bit of #Paragon infrastructure & my brilliant colleague Bill Marczak developed a technique to fingerprint some of the mercenary spyware infrastructure (both victim-facing & customer side) globally. https://m.primal.net/Pljv.png So much for invisibility. What we found startled us. We found a bunch of apparent deployments of Paragon's mercenary spyware in places like #Australia, #Denmark, #Israel, #Cyprus #Singapore and... #Canada. Fun. https://m.primal.net/Pljz.png We also found interesting stuff at a datacenter in #Germany https://m.primal.net/PlkB.png Caveats: the methodology we use only surfaces a subset of customers at a particular time. So ...about #Canada. My colleagues on the legal side began digging. The more they pulled, the more questions surfaced about whether the Ontario Provincial Police is rolling mercenary spyware. https://m.primal.net/PlkJ.png While investigating, we found signs #WhatsApp was being used as a vector for infections. We shared our analysis with Meta which had an ongoing investigation into Paragon. They shared findings with WhatsApp which discovered & mitigated a zero-click attack. They went public, and notified ~90 users that they believed were targeted. https://m.primal.net/PlkM.png WhatsApp's notifications to targets turbocharged what we all knew about #Paragon. https://m.primal.net/Plkd.png Cases began coming out: an investigative journalist in #Italy and sea rescue activists were among the first. Francesco Cancellato. Editor in Chief of Fanpage.it, & Luca Casarini and Dr. Giuseppe “Beppe” Caccia of Mediterranea Saving Humans They consented to us doing a forensic analysis... https://m.primal.net/Plkc.png Sure enough, we found traces of infection on several Androids. We call the indicator #BIGPRETZEL & #WhatsApp confirms that they believe BIGPRETZEL is associated with #Paragon's spyware. 
In the weeds a bit: Android log forensics are tricky. Logs get overwritten fast, are captured sporadically & may not go back very far. So, not finding BIGPRETZEL on a targeted phone wouldn't be enough to say it wasn't infected. In such a case, the only safe course of action for a notified Paragon target would be to presume they had been infected. https://m.primal.net/PlkT.png Our analysis is ongoing. .... but There's more! There's more! We'd been analyzing the iPhone of human rights activist David Yambio, who is focused on abuses against migrants in Libya (they are often victims of torture, trafficking, and killings) who works closely with the other targets. https://m.primal.net/Plki.png Last year he got notified by Apple that he was targeted with sophisticated spyware. We've forensically confirmed the infection & shared details with Apple. https://m.primal.net/Plka.png Apple confirms they fixed the vectors used to target him as of iOS 18. We're not doing a full technical attribution of this novel spyware to a particular company yet. But it's not like anything we've seen. Troublingly, timeline of David's spyware targeting lines up with when he was providing information to the International Criminal Court about torture by human traffickers in #Libya. But there's even more spying afoot against this cluster of activists! Luca also got a notification last February about targeting with a different kind of surveillance tech. https://m.primal.net/Plkp.png He wasn't alone. Father Mattia Ferrari, chaplain of Luca's lifesaving organization, also got a notification. https://m.primal.net/PllW.png #Italy's response to the unfolding #Paragon scandal has been exceptionally chaotic. So we included a little timeline. Denials, then admissions, then refusals to say more citing secrecy. https://m.primal.net/Plks.png Honestly, deja vu of how Pegasus-abusing governments have handled PR... TAKEAWAYS: TAKEAWAY 1: you can't abuse-proof mercenary spyware.
Selling just to democracies won't prevent abuses. Most democracies have plenty of historic examples of surveillance abuses. Why should spyware be different? https://m.primal.net/Plku.png

TAKEAWAY 2: #Paragon's technical tradeoffs to be less detectable didn't prevent them getting discovered. Just made it harder. https://m.primal.net/Plkx.png

TAKEAWAY 3: I think we're only looking at the tip of the #Paragon hackberg. For example, the ~90 notification number from #WhatsApp only represents 1 infection vector that got caught & notified. There may be non-notified spyware victims walking around right now who were infected via a different mechanism. In #Italy, too, we also need to better understand the other surveillance technologies pointed at this cluster of people.

Finally, we gave #Paragon room to respond to a summary of our key findings. Their US Executive Chairman, a 30+ year #CIA veteran, responded in a way that sounded very familiar to how NSO Group did PR. https://m.primal.net/Plkz.png

1 - Say there are inaccuracies..
2 - ..But refuse to specify them
3 - Cite customer confidentiality as a reason to not say more.

https://m.primal.net/PllF.png We welcome any clarifications they have now that they've read our full report.

FINAL NOTES: our #citizenlab investigations are usually big, collaborative team productions. Smart co-authors, awesome collaborators. https://m.primal.net/PllG.png

The key to nearly all our research into spyware is targets' brave choice to speak out. And work with us to forensically analyze their devices... We are very grateful to them. This is how we collectively get a better understanding of mercenary spyware abuses. And journey towards accountability.

Thanks for reading! Drop questions in the replies!

READ THE FULL REPORT https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Fascinating study.
Hard not to overstate how many moral panics are happening in parallel.

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr This is cool

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Hey Hey! Update your iPhone today! Apple just blocked an attack discovered by my Citizen Lab teammate Bill Marczak. Allowed a bypass of Apple's USB Restricted Mode on locked devices. Actively used by a sophisticated attacker. Stay safe out there. And avoid leaving your phones unattended. https://support.apple.com/en-us/122174 https://m.primal.net/OZok.png

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Full biometric KYC for a sandwich. Absolutely not, Jeff. https://m.primal.net/OWgA.png

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr @nprofile…cms0 is a fascinating guy working on some of the most interesting projects. Absolutely worth investing in his vision.

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr yes.

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Big. Cool.

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Graphene does fantastic work to show what is possible. I wish more of their innovations showed up in OEM Android.

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr NEW: UK secretly demanded Apple build a backdoor into ALL encrypted iCloud accounts. https://m.primal.net/OUsQ.png You haven't heard about this before because these orders are secret & there are typically bans on talking about them.

SHORT TERM IMPACT: Apple will probably stop offering encrypted iCloud storage in the UK.

DETAILS: the UK Home Secretary sent #Apple a so-called "Technical Capability Notice" which is a demand for access. These flow from the 2016 Investigatory Powers Act (aka "Snooper's Charter") and are a mechanism for the government to *compel* companies to provide access.
ENFORCED SILENCE: Among the more pernicious parts of this secret demand: Apple would be *FORBIDDEN* from telling users that the backdoor had been introduced into iCloud's Advanced Data Protection.

BIG PICTURE: The public really doesn't realize it, but cloud backups of phones are constantly used for surveillance. Huge #privacy & #encryption gap. By introducing optional Advanced Data Protection, Apple extended similar protections of device encryption to users' clouds. So, since ADP was introduced in 2022, governments have been scheming to undermine it.

LOOKING INTO THE FUTURE: It's only a matter of time before governments try to target Private Cloud Compute. And do so with the same secret legal tools.

REPORT: https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr #nostr, you just zapped my post hard enough to pay for tasty tacos. Amazing. P.S. Current energy reconversion: 1 sat = 18 kcal https://m.primal.net/OGpe.png #nevent1q…8448

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr No notes. #deepseek #openai https://m.primal.net/OGSV.png

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Welcome to nostr!

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr YES

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Things are sadly heading towards *all cars, all the time* and more and more car systems like infotainment break-ish when you try and disable these features.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr The trick will be going beyond mapping the conversation about censorship directly onto geopolitical concerns and to bigger & universal concerns about the control of knowledge in *any* AI system

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Watching journalists get censored on deepseek app I'm glad to see the conversation about censorship in AI entering into new spheres. Hoping that the concerns stick. https://m.primal.net/OEcO.png

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Monday edition of *Car privacy is an absolute nightmare*: https://m.primal.net/ODrS.png

Subaru's employee portal holds a year's worth of location data for all internet-connected cars. https://m.primal.net/ODrt.png We know this because it was vulnerable (now fixed). You could pull a year's worth of driving just with a license plate. https://m.primal.net/ODrn.png

Props to Sam Curry & Shubham Shah for exposing it. Pic is a year's worth of Sam's mom's #Subaru locations.

I seriously doubt any owner has a clear idea that this data is being collected on them. But the same thing is replicated for almost every car mfr (see the #Mozilla foundation report on car privacy link)

Literally no car owner has asked for their whip to be turned into a surveillance portal. And yet.. Car companies feel basically no pressure to do right by customers, but experience a lot of incentives to mine their movements for money.

Sidenote: same (now closed) vulnerability also enabled remote unlocks & starts and a bunch of other highly undesirable things.
Reading list:
The Subaru research: https://samcurry.net/hacking-subaru
News report on it: https://www.wired.com/story/subaru-location-tracking-vulnerabilities/
Mozilla Foundation's key investigation into car privacy: https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Agreed

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Great suggestion, @nprofile…h36r is a gem

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Who on #nostr is saying interesting things about #privacy? Help me fill out my follows!

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Maybe we need to hire a bunch of amazing marketers to help message test privacy.

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr We are in the earliest days of sensing the privacy implications of incorporating #chatgpt / #deepseek et al. into our lives. I think this period will be viewed as a time of a massive willing...but not fully witting... transfer of personal information, right down to our ways of reasoning & understanding the world...into the hands of a new set of companies & their CEOs. The same companies that have the ambition to shape how we think. And shape how society looks.

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr It shouldn’t take a panic over Chinese AI to remind people that most companies in the business set the terms for how they use your private data. And when you use their AI apps, you’re doing work for them, not the other way around.

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr spywareland is a wild world!

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Thank you!

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr Thank you @nprofile…thgr I'm excited to be here.
npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr UofT!

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr will check it out

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr oh yeah me too @npub14j6…jvl6

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr hey @npub1k3v…3dmq thank you i am excited

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr thank you @npub12sj…k6jg

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr thank you @npub16eu…t6jc im feeling the love

npub1vz03sm9qy0t93s87qx2hq3e0t9t9ezlpmstrk92pltyajz4yazhshfttwj jsr you may indeed be thinking of us. or maybe one of the dedicated helplines for activists like AccessNow