1
18
submitted 3 hours ago* (last edited 3 hours ago) by Achsonaja@sh.itjust.works to c/privacy@lemmy.ml

Is there an open source solution that lets you record from your phone to an offsite location? Preferably something self hosted, but not crucial I guess.

Just thinking about scenarios where people in the US are stopped by cops and need to record their interactions, but want to make sure that the local info isn't destroyed. I've tried the Mobile Justice app for my state but it's not very reliable and I have no insight into the data after it's left my device.

2
211
submitted 6 hours ago* (last edited 6 hours ago) by compostgoblin@slrpnk.net to c/privacy@lemmy.ml

A prominent computer scientist who has spent 20 years publishing academic papers on cryptography, privacy, and cybersecurity has gone incommunicado, had his professor profile, email account, and phone number removed by his employer Indiana University, and had his homes raided by the FBI. No one knows why.

Xiaofeng Wang has a long list of prestigious titles. He was the associate dean for research at Indiana University's Luddy School of Informatics, Computing and Engineering, a fellow at the Institute of Electrical and Electronics Engineers and the American Association for the Advancement of Science, and a tenured professor at Indiana University at Bloomington. According to his employer, he has served as principal investigator on research projects totaling nearly $23 million over his 21 years there.

He has also co-authored scores of academic papers on a diverse range of research fields, including cryptography, systems security, and data privacy, including the protection of human genomic data. I have personally spoken to him on three occasions for articles here, here, and here.

"None of this is in any way normal"

In recent weeks, Wang's email account, phone number, and profile page at the Luddy School were quietly erased by his employer. Over the same time, Indiana University also removed a profile for his wife, Nianli Ma, who was listed as a Lead Systems Analyst and Programmer at the university's Library Technologies division.

According to the Herald-Times in Bloomington, a small fleet of unmarked cars driven by government agents descended on the Bloomington home of Wang and Ma on Friday. They spent most of the day going in and out of the house and occasionally transferred boxes from their vehicles. TV station WTHR, meanwhile, reported that a second home owned by Wang and Ma and located in Carmel, Indiana, was also searched. The station said that both a resident and an attorney for the resident were on scene during at least part of the search.

Attempts to locate Wang and Ma have so far been unsuccessful. An Indiana University spokesman didn't answer emailed questions asking if the couple was still employed by the university and why their profile pages, email addresses and phone numbers had been removed. The spokesman provided the contact information for a spokeswoman at the FBI's field office in Indianapolis. In an email, the spokeswoman wrote: "The FBI conducted court authorized law enforcement activity at homes in Bloomington and Carmel Friday. We have no further comment at this time."

Searches of federal court dockets turned up no documents related to Wang, Ma, or any searches of their residences. The FBI spokeswoman didn't answer questions seeking which US district court issued the warrant and when, and whether either Wang or Ma is being detained by authorities. Justice Department representatives didn't return an email seeking the same information. An email sent to a personal email address belonging to Wang went unanswered at the time this post went live. Their resident status (e.g. US citizens or green card holders) is currently unknown.

Fellow researchers took to social media over the weekend to register their concern over the series of events.

"None of this is in any way normal," Matthew Green, a professor specializing in cryptography at Johns Hopkins University, wrote on Mastodon. He continued: "Has anyone been in contact? I hear he’s been missing for two weeks and his students can’t reach him. How does this not get noticed for two weeks???"

In the same thread, Matt Blaze, a McDevitt Professor of Computer Science and Law at Georgetown University, said: "It's hard to imagine what reason there could be for the university to scrub its website as if he never worked there. And while there's a process for removing tenured faculty, it takes more than an afternoon to do it."

Local news outlets reported the agents spent several hours moving boxes in and out of the residences. WTHR provided the following details about the raid on the Carmel home:

Neighbors say the agents announced "FBI, come out!" over a megaphone.

A woman came out of the house holding a phone. A video from a neighbor shows an agent taking that phone from her. She was then questioned in the driveway before agents began searching the home, collecting evidence and taking photos.

A car was pulled out of the garage slightly to allow investigators to access the attic.

The woman left the house before 13News arrived. She returned just after noon accompanied by a lawyer. The group of ten or so investigators left a few minutes later.

The FBI would not say what they were looking for or who is under investigation. A bureau spokesperson issued a statement: “I can confirm we conducted court-authorized activity at the address in Carmel today. We have no further comment at this time.”

Investigators were at the house for about four hours before leaving with several boxes of evidence. 13News rang the doorbell when the agents were gone. A lawyer representing the family who answered the door told us they're not sure yet what the investigation is about.

This post will be updated if new details become available. Anyone with first-hand knowledge of events involving Wang, Ma, or the investigation into either is encouraged to contact me, preferably over Signal at DanArs.82. The email address is: dan.goodin@arstechnica.com.

3
20
submitted 9 hours ago by agile_squirrel@lemmy.ml to c/privacy@lemmy.ml

I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?

Vaultwarden

  • Only accessed locally via LAN/VPN
  • Set up for 2 factor authentication using WebAuthn (FIDO)

KeePassXC/KeePassDX

  • Synced locally via syncthing
  • Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
  • All clients blocked from internet access

I don't use browser extensions and I manually copy/paste my passwords to fill in entries.

KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire database is decrypted on unlock.

4
17
submitted 10 hours ago by ProtozoanDusk@lemm.ee to c/privacy@lemmy.ml

I was thinking about personal data security and let my mind wander. I decided that if you were exceptionally paranoid then........

When thinking about personal data it may occur to you that, once you have implemented an adequate 3 stage backup system to avoid data loss, your main risk is the exfiltration and use of that data for nefarious purposes.

Personal data, e.g. the pictures or messages on your phone or pc, can imply many different things such as religion, sexual orientation, health details, political views etc. that could potentially be used against you by a bad actor.

As such, it would seem rather inadvisable to hold any data on any device that is not encrypted in a fashion whereby only you hold the encryption key.

Further, if you are going online using the device then, even if the device has a trusted os that implements full disk encryption, then it would also seem inadvisable to hold any data on the device that isn't separately encrypted within the operating system. The data would be protected before first unlock by the os encryption and after first unlock by the separate encryption.

As the password for this separate encryption would necessarily need to be complex you would be best storing this within a trusted password manager that employs zero-knowledge encryption or even better one that does not employ cloud-based syncing. You would also probably want to pepper the password with memorised additional digits.

You might then consider that, as encrypted data, while not especially useful now, may be seen as potentially more valuable should it be exfiltrated and stored for future decryption once technology allows, it may not be the best idea to store this encrypted personal data on any device that connects to the internet or even in a zero knowledge encrypted cloud-based storage solution.

You would then presumably decide that it is best to carry all the data you may wish to access at short notice encrypted on a portable simple data storage device that you could connect to any devices you wish to access the data on. You make the assumption that whoever mugs/holds you up/pickpockets and takes the data device is less likely to hold onto the encrypted data than an online attacker.

It is possible that you would then adjust your 3 stage backup system to be based on 3 non-internet-connected simple data storage devices kept in 3 separate locations, one of which you carry around with you.

It was at this point that I decided to stop thinking about it. Lol. As noted, this train of thought would probably only occur if you were exceptionally paranoid and it could be theorised that at that point it is debatable whether you are more at danger from data exfiltration and exploitation or the very angry rabbits that want to know why you are so far down the rabbit hole. Lol.

5
276

A massive thanks to @LuanRT for providing the fix regarding the extraction of the deciphering functions. Also, big thanks to @PikachuEXE for coming up with a potential alternative solution!

https://github.com/FreeTubeApp/FreeTube/releases

6
20
submitted 1 day ago by root@lemmy.world to c/privacy@lemmy.ml

I am looking for a simple to use VoIP provider that I mainly plan to use for 2FA (when a cell number is required). I know there are checks that sometimes prevent VoIP from being used but I figure it's worth a shot.

MySudo looks nice but they require Google play services to be installed, VoIP.ms looks nice too but I've had a hard time getting a hold of anyone there to help with activating my account.

Anyone have any recommendations?

7
11
submitted 22 hours ago by Wolfie@lemm.ee to c/privacy@lemmy.ml

I tend to play Team Fortress 2. It's a rather old game. The server I play on used to allow anyone to connect. Later on, it kicked me (sometimes) because it detected me originating from one of MullvadVPN's IP addresses. They seem to have updated the blacklist so it always seems to detect me using a VPN. I just don't want to share my public IP with them.

Is there a clever way around this? I feel like all the residential proxies tend to be quite pricey compared to a normal VPN.

8
20
submitted 1 day ago by Gangly3090@lemmy.ml to c/privacy@lemmy.ml

Hey all, so I randomly decided to check over Windscribe's VPN relationship chart again to look over some stuff on various providers. I always make sure to check the sources rather than just taking what it says and I already use Mullvad so it was really just mindless reading more than anything.

But going through Surfshark's entry, there was this

[3] SurfShark's TrustDNS app is used to collect data on the user for advertising and marketing purposes.

Advertising. We may receive certain information about you (cookie id, mobile device id, when you use our Trust DNS app – advertising IDs, in app events, such as in-app purchase or amount and type of ads watched, information about what browser, network, or device is used to access and use Trust DNS) from certain advertisers and advertising partners for advertising purposes. Our advertising partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising and account-based advertising." Legal basis for the processing of personal information is our legitimate interest to deliver relevant ads and promotional messages to you." 

The source they provided to find the privacy policy was: https://surfshark.com/trust-dns

Obviously a VPN company ever making something that does all this is... Pretty bad? From what I can tell looking up stuff it was launched in September 2019. For how long it lasted I have no real clue. Best I can find was this Github repo developed by someone who has like no other commit or repository history that only hosts DNS servers and was last updated in 2020??? Archive.org and other sites on cachedview provide nothing when I use the URL above, and it just goes to the normal Surfshark homepage now.

https://github.com/TrustDNS https://github.com/SharonBarcia

This whole thing just feels very strange overall. So if someone could shed some light on this I'd be pleased!

9
51
submitted 1 day ago* (last edited 1 day ago) by AnimalsDream@slrpnk.net to c/privacy@lemmy.ml

I keep thinking about this.

  1. Most retro handhelds do not have cellular network chips, gps, or even built-in microphones or cameras in many cases. But many do still support wifi and Bluetooth.

  2. The vast majority of them do support either Linux, Android, or both. This is the area that needs the most work, since the Linux distros on these devices are so stripped down that they can't do much more than run emulators and a few bespoke game engine compilations. And for the Android-supporting devices, there would be a need to build more privacy-respecting roms. But that's the thing - many of these devices openly support that, it's just not something the communities have gotten around to creating.

  3. While this would become less useful with popularity, this kind of approach would be a form of steganography. If you're in an extreme situation where you or your belongings are being searched, how many people are going to suspect that the little Retroid Pocket gaming handheld is even something you can or might be storing your private info on?

Edit: Judging by the comments so far, I underestimated how unknown these devices must be still. While they do technically include handhelds like the PSP/Vita, 3/DS, etc; these days when people use the term "retro handheld" they're usually referring to a veritable cornucopia of gaming devices that come in a wide variety of hardware configurations and form factors. They are most often ARM-based devices, though there are even a couple that are pocketable fpga devices. Some of them are even small enough to be keychains.

Right now some of the most popular companies in this category include Retroid, Anbernic, Ayn, and Ayaneo. There is also a large selection of 3rd party custom firmwares out for many of these devices. But again, most of these are just very stripped down versions of Linux. Instead of full fledged desktop environments, they normally have media center style frontends like Emulation Station. And as far as I know, none of them have bothered to port any of the conventional Linux package managers.

As far as I understand, there is no technical reason why PostmarketOS, Mobian, or LineageOS for MicroG couldn't be ported to at least some of these devices, as some examples.

Hopefully that is enough resources for anyone to start to get up to speed. It should be apparent that full, unbroken system experiences with up-to-date software is possible on at least some of these devices, even including apps like Signal.

10
67

So I have a young teen entering 7th grade and so they're about to receive their first phone. With that, it opens a lot of doors to all the big tech social media apps and privacy invasive services.

I'm not sure how to approach this. My parents probably want tracking features so it'll probably be Find My or a 3rd party app like life360 depending on if we choose iphone or degoogled pixel.

Social media I'm not sure if fediverse stuff is the right path especially for lemmy, since it's just tech nerd stuff and politics which isn't interesting really unless they go out of their way to find smaller communities. Their friends will probably force them onto Instagram or some shit and I don't really want them doomscrolling on reels, that shit algorithm, and the malicious messaging app built in to it.

It's just kinda hard trying to blend being a functional member of society and maintain your mental well being and privacy.

11
64
submitted 1 day ago* (last edited 1 day ago) by snek_boi@lemmy.ml to c/privacy@lemmy.ml
  • I tried to copy the text. Couldn't.
  • I tried to use Reader Mode. Couldn't.
  • I tried to use Firefox's webpage screenshot feature. Couldn't.
  • I tried to scrape it with a home-made script. Couldn't.
  • I tried to scrape it with an online LLM. Couldn't.
  • I tried to find the text in Archive.org. Couldn't.

They want you to see that they ticked the boxes as a responsible company ("Ah, yes. A formal privacy policy. Ooh. Such a responsible company."), but they don't want you to hold them accountable for their words, because they want no registry of what they've promised!

12
47
submitted 1 day ago by root@lemmy.world to c/privacy@lemmy.ml

I've used Graphene OS for years, but only recently started taking advantage of the profiles feature.

Currently the Owner profile that you log into on first boot is my main profile, and I have a secondary decoy profile that I can switch to. Is this the best way to do this, or should it be the other way around so that on first boot you go into the decoy, which also allows you to end the session of the main profile?

13
28

I've been thinking about this for a bit but I couldn't come up with anything.

The idea is that you have a VOIP number and some self-hosted VOIP infrastructure connected to a landline phone. WhatsApp, Signal and voice traffic from other apps would be redirected to this landline phone instead of your mobile phone.

Is there a way to do this? How do I get started?

Reasoning: I can now keep my phone isolated, wrapped in a thick towel and inside a solid box to prevent it from eavesdropping on me inside my own house.

Please do not respond with messages like "you're too paranoid", it doesn't help.

Thanks

14
53

Just wanted to share my setup and see if anyone has suggestions or feedback. Also share yours.

Phone : GrapheneOS(pixel 7a)

  1. No google play service on my main profile. Rethink DNS (NextDNS DoH) blocks ads, trackers, and all Google & Facebook DNS (except WhatsApp).

  2. Some FOSS apps like Aurora Store & NewPipe need Google servers, so I have excluded them in rethink dns.

  3. Work Profile (with Island) with GrapheneOS’ sandboxed Play Services, but I use it maybe once or twice a month only for apps that absolutely need it. It stays turned off most of the time. If an app works on main profile without any issues, will use it. If not, will try to use it in firefox (as lack of play services doesn't matter). If only app is available (and not web version) and it doesn't work on main profile, will use it in work profile.

  4. Hardened Firefox fork(Ironfox) for private browsing. Main Firefox for a few services where I have to stay logged in and don't have apps or want to use their apps.

  5. Network & Sensor Restrictions: If an app works offline, I block its internet access. Also, disabled sensors for apps that don’t need them.

  6. Mostly use foss apps from f-droid(droidify).

  7. Email: moved from gmail to protonmail

PC/laptop: Arch linux kde on pc and fedora kde on laptop.

  1. Not much to say. Most used apps are firefox and Zed. I allow data collection on kde as I want them to improve it.

Home Server: Raspberry Pi 4B

  1. SSH hardening: Non standard ssh port(yes, I opened the port externally because I depend on my home server and need to access it remotely). SSH keys or password+totp, Fail2Ban, ufw.
  2. Services running: Arr setup(jellyfin, prowlarr, radarr,sonarr, qbittorrent), pihole, Immich, Authelia(for now). All data sensitive services behind authelia with totp.
  3. Nginx Geo-blocking: Only allows access from my country IPs
  4. Weekly backups because data loss sucks.

Network & Router: OpenWRT (TP-Link)

  1. Not much to say: Running default firewall rules with network-wide ad/tracker blocking via pihole and some ports opened.

15
20

Looking for the most privacy respecting baby monitor available. Doesn't have to be overly complicated, just the ability to watch a video feed from an app on my phone. It's a must have from the wife, so trying to find the best option and accepting some losses in privacy is likely necessary.

16
19
submitted 2 days ago by crash_thepose@lemmy.ml to c/privacy@lemmy.ml

Does anyone know of any resources regarding threat modeling worksheets? Specifically for individuals (as opposed to a corporation)

17
110
submitted 2 days ago by schizoidman@lemm.ee to c/privacy@lemmy.ml

cross-posted from: https://sopuli.xyz/post/24530208

ROME - For nearly two months, the Italian government has evaded questions, dismissed allegations, and shifted its narrative in the face of mounting pressure from opposition parties and activists.

Now, a turning point: Undersecretary Alfredo Mantovano has reportedly admitted that Italy’s intelligence services authorised spyware surveillance on members of the NGO Mediterranea Saving Humans. Yet, a crucial mystery remains - who was behind the surveillance of Fanpage.it director Francesco Cancellato?

The parliamentary intelligence oversight committee (Copasir) is investigating whether the use of the Israeli spyware complied with Italian law and whether intelligence services acted within their mandate in authorizing preventive wiretaps.

While the hearings remain classified, leaks from Tuesday’s session published by La Repubblica suggest that Mantovano - who oversees intelligence agencies - acknowledged that the government had approved surveillance on certain activists. However, he maintained that Cancellato was never among the targets.

18
64
submitted 2 days ago by Tea@programming.dev to c/privacy@lemmy.ml

I am resharing it to benefit the highest amount of people.

I wanted to list and ask for platforms that can substitute YouTube.

Here it is:

  • NASA+, Space and Astronomy Videos.
  • Vimeo, Professional Videos and Documentaries.
  • TED, Talks and presentations.
  • PeerTube, there are not a lot of videos, but some creators upload there.
  • ARTE, Euro documentaries and analysis.
  • RedBull TV, Sports related videos.
  • RTE Player, Journalism.
  • BBC videos, diverse topics.
  • NFB Films, Canadian Films.

19
521
20
27
submitted 2 days ago by Sunny@slrpnk.net to c/privacy@lemmy.ml

Hej,

Tractive is a service to track dogs and cats, via a GPS tag attached to their collar.

I'm more than aware this isn't a privacy conscious service, but from what research I did it was by far the most "effective" service and easily accessible.

I paid a full year subscription for this service during January. But now two months later they have changed their terms. They do not list what these changes are.

My Questions are:

  1. What's the best way to find the differences in the old vs. new terms?

  2. I bought the product before these changes were made, does that somehow give me a right to continue using them under the old terms?

  3. Considering I bought this before the changes, and if I don't agree with new terms, do I have the right to a refund?

Appreciate any suggestions!

21
106
22
294

Rayhunter is a new open source tool we’ve created that runs off an affordable mobile hotspot that we hope empowers everyone, regardless of technical skill, to help search out cell-site simulators (CSS) around the world.

23
24

Hi,

The general consensus amongst the Android community is that rooting is detrimental to privacy. In a sense, I agree with them since privilege escalation because of human error becomes a much bigger threat if the user has root access.

Android has a big privacy problem encapsulated in one word: "baseband". Your modem and other hardware running in your device don't run FOSS firmware and are likely actively malicious towards your privacy.

I am a Linux user, and I understand that concepts do not necessarily transfer well between the two. With that in mind:

  1. If I wanted to be absolutely certain that sensitive hardware like Camera, Microphone and Modem were truly off, would shutting them off as root hold any real significance?
    • I do not know what the equivalent of Intel ME is called in the Android space, but I doubt that a highly complex OS is running beneath general Android as we know it. I think it's just the firmware of the individual device that we need to worry about.
  2. Is it possible to replace the bootloader on some Android devices/prevent it from loading unwanted firmware?

With Google taking Android behind closed doors, I suspect we will start seeing some suspicious snippets of code here and there with questionable purpose, but which might be missed by FOSS volunteers because of the sheer volume of work that is. I'm thinking of ways we can try to evade this blatant grab of our personal data.

24
22

It is fascinating that the search engine changes domains every single time you use it. While I'm big into privacy, I don't understand all these intricate details, but it seems cool and has yielded pinpoint results so far.

I just learned about the vast network of https://trom.tf/ through... hmm, I can't remember any more, haha! But it was either somewhere in the Lemmyverse or on Reddit, perhaps in a comment on a post in /r/privacy.

This TROM endeavor looks incredibly ambitious, so while FOSS is always welcome, I'm not sure about how long they'll be able to last running so many different projects. It feels like it's trying to be an immediate Google replacement and I fear that those who run it may be biting off more than they can chew... so I'm just trying the search engine for now.

25
42
submitted 3 days ago by lyoko@lemm.ee to c/privacy@lemmy.ml

Hello, do you know any place to buy Monero for online payment? It seems that LocalMonero is winding down and I don't want to use some big exchanges like Coinbase for obvious reasons. Thank you very much!


Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.


much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago