1
2
submitted 1 week ago* (last edited 1 week ago) by beep@piefed.world to c/privacy@lemmy.world
2
0
submitted 1 week ago* (last edited 1 week ago) by beep@piefed.world to c/privacy@lemmy.world
3
0

cross-posted from: https://lemmy.world/post/47443525

I wonder if the people at X ever read their own announcements.

Literally explaining how they sold out and enshittified the "blue checkmark".

This also seems like yet another step towards mandatory ID verification on social media! (only to protect them kids & democratize the platforms of course 😉)

4
31
5
7
submitted 1 week ago by german@pawb.social to c/privacy@lemmy.world

Good read. I don’t trust the people who wrote it or who sponsor them, but good read for awareness.

6
3
submitted 1 week ago by floofloof@lemmy.ca to c/privacy@lemmy.world
7
61
8
27
submitted 1 week ago* (last edited 1 week ago) by TootSweet@lemmy.world to c/privacy@lemmy.world

I hope not very many of you are wondering WTF awkward interactions have to do with privacy, but hopefully the following examples make it clear to any of you who are wondering that.

Story 1

So, I go to sign up for a bank account at <insert big-ass household-name (in the U.S.) bank name here>. As soon as I walk in the door and tell the person I want to sign up for a checking account, they say "ok, let's get you set up with the app."

Now, I was running Lineage at the time with no Google apps. Just F-Droid and stuff I could install from there. I had yet to install any proprietary apps on my phone. (Not necessarily saying there was nothing proprietary running on my phone. I'd be surprised if Lineage doesn't depend on some binary blob drivers and such for my particular phone. But still, my rule was "no proprietary apps." And even if I decided to break that rule at the time, I kind of doubt the bank's app wouldn't just refuse to work without Google Play Services.)

My mistake was to say "it won't work on my phone" rather than "I'm not interested in the app; can I still get a bank account here?" They pushed it hard. "It's Android, right?" "...Technically, but not the way you're-" "Ok, go to the Play Store." "I don't have the Play Store." "Let me see your home screen." (My second mistake was not ending that line of conversation there with a "no, just give me a bank account.")

Before it was all said and done, I'd scanned their QR code and hit the "install" button so I could show them the error message that resulted. It wasn't until then that they dropped it.

I honestly wonder if they didn't get a commission when folks installed the app.

Lesson learned. Don't say "my phone's weird and it won't work." Say "I'm not installing the app. The only question that remains is whether that means I'm taking my business elsewhere or not."

Story 2

Much more recent. Same phone, but by that point I'd switched to Ubuntu Touch. My phone just stops working as a phone abruptly. No calls or texts.

(The astute among you may already be thinking "oh, probably the carrier dropped 2G/3G support and now requires VoLTE." And if you're thinking that, congratulations you get 100 internet points, but don't spoil it for the rest of the class.)

Now, I've always been really nervous about cell phones. About the time they started being ubiquitous (back in the days of Nokia candy-bar phones with black-and-white LCD displays), I had just quit Windows for OpenSuSE, and then not long after that, Gentoo. And when cell phones started becoming smart phones, I stuck with the dumbest phones I could find in the used-phone bin at the phone repair place in the mall. In other words, I was (and largely still am) Amish for QWERTY.

So, I honestly don't know shit about cellular communication technologies because I've never really used them. I've literally never had a data plan. I'm still grandfathered in on a no-data prepaid plan with my carrier that isn't available any more.

Anyway, back to my current story where my phone wasn't working. I had gotten a message a while previous that my SIM card (a physical SIM) would stop working at some point and I had to get a new SIM card. And my SIM card was super old. It was one I'd had to cut down to size and everything. I hadn't followed through on the SIM card replacement, so I figured that was the issue.

I don't have an online/web account with my carrier. And I still have never installed any proprietary apps on any phone, so I didn't have my carrier's official app. The chat and phone support wouldn't help me because they couldn't get proof that I was me. (They required text-message-code authentication, but my phone didn't work, so I couldn't receive the text.) They referred me to the T-Mobile store to get a new SIM card that would ostensibly work.

So, I suppressed my gag reflex and walked into the T-Mobile store. At the door, they asked me some basic questions and entered me into the queue. They told me it'd be 15 to 20 minutes of wait time.

I went and had a seat to wait. Well over an hour later, I finally asked someone for an updated wait time estimate. I'd apparently slipped through the cracks because as a prepaid customer, I appear on a different wait queue in their software than other customers. But at least prompting them got me attended to.

I told them the whole situation. I was glad they didn't try to push me to get a new phone and plan. And they did give me a new SIM card. But when they found out I was running Ubuntu Touch, they referred to it as a "bootleg rom", intimated that I might be doing something shady (because custom roms can supposedly "break the rules" and... I dunno get calls for free or some shit, I don't know), and warned me strongly to be very careful with what data I store on the phone. (As if a stock-firmware phone is completely trustworthy. Heh.)

Not only that, but the new SIM card didn't resolve the issue. Reverting to the stock firmware did. VoLTE is the only thing Ubuntu Touch doesn't support on that phone. So now I either stick on the stock firmware until that red x turns into a green checkmark or try to figure out if Lineage supports VoLTE on the Pixel 3a as a stop gap until I can go back to Ubuntu Touch.

Anyway, those are my stories. I'd love to hear more such painful interactions with "normies" who don't understand why you wouldn't use Facebook or smart kitchen knives that won't work without WIFI or what have you.

9
4

I have been working on an Android app for quite a while now, starting from a simple idea.

A messenger where messages travel directly between phones with no servers in between. Using direct WebRTC encrypted connections (SRTP/DTLS), there are no servers that store, read, or relay content. Group chats use a gossip protocol where members relay to other members.

The only infrastructure the app touches is a signalling relay to set up the connection (no message content), a push notification to wake up a sleeping phone (also no content), and a TURN relay for restricted networks (encrypted packets only).

I wrote a detailed white paper explaining the full architecture: https://www.mindtheclub.com/white-paper.html

The app is in Open Testing on Google Play (1,000 tester cap): https://www.mindtheclub.com/beta-signup.html

I’m interested in this community's perspective on whether the architecture holds up.

10
-9
submitted 1 week ago* (last edited 1 week ago) by xoron@programming.dev to c/privacy@lemmy.world

Enkrypted.Chat

This is intended to introduce a new paradigm in client-side managed secure cryptography. We can avoid registration of any sort. A fairly unique offering in the cybersecurity space.

No need for things like phone numbers or registering to any app stores. There are no databases to be hacked. Allowing users to send E2EE messages and files; no cloud, no trace.

Features:

  • PWA
  • P2P
  • End to end encryption
  • Signal protocol
  • Post-Quantum cryptography
  • Multimedia
  • File transfer
  • Video calls
  • Local-first
  • No registration
  • No installation
  • No database
  • TURN server

I started off with some open source versions of the core concepts.

Open source isn't sustainable. So I'm taking the Enkrypted.Chat project in a different direction.

To get started, you can take a look here: https://positive-intentions.com/docs/projects/enkrypted-chat/getting-started

To learn more, or if you want to do a deep-dive: https://positive-intentions.com/blog/introducing-enkrypted-chat

If you really want something to chew on, these are the bleeding-edge docs: https://positive-intentions.com/docs/technical

The docs may answer some questions, but feel free to reach out for clarity instead of reading all that slop.

IMPORTANT: Caution should be used for any unfamiliar project, especially this. I'd like to be clear that I am AI-slop-maxxing at scale. If you're looking for good code, clear docs or best-practices; you should look away now. While this is aiming to provide a secure experience, it isn't audited or reviewed. I'm sharing for testing, feedback and demo purposes only. This is a technical demo of a unique concept. Please use responsibly.

(Note: I'm actively in the process of rebranding from "positive-intentions" to "Enkrypted Chat". The wording may be inconsistent throughout the docs.)

11
2

Bruno reached out to me mid-April with a suggestion to check out his privacy-first search engine tool Uruky. Uruky works on a subscription model, but one of my kids and I were able to test it out for free for a couple of months.
I normally do not test privacy tools on request, but rather focus on describing tools I've discovered myself and already use in daily life. Yet the email conversation between us evolved into quite a warm exchange about his projects, my blog, networks and privacy tools in general. Bruno, being a software engineer, helped me better understand how local networks work, which led to my article about running a Monero node.

12
7

Disclosure up front: I built this. Posting here because c/privacy is the audience this app is actually for — people who've stopped trusting "no-logs" promises from VPN companies that operate the entire path.

The threat model behind every commercial VPN is: you have to trust them. They run the servers, they see your traffic, you're taking their word on what they log and what they don't. Audits help, jurisdictions matter, but at the end of the day you're handing your DNS and your packets to a third party.

I wanted the opposite: no backend, BYO server, no logging story to trust. You bring your own server (Outline, WireGuard, Shadowsocks, or Trojan — a $5/mo VPS works fine). The client runs on your device, the server runs on your VPS, and I'm not in between. I literally don't have your traffic, your DNS, or your configs. There's no account to create, no email, no telemetry beacon home. The thing I can't see, I can't be compelled to hand over.

The other piece is the smart split-tunnel routing, which matters for privacy too: most clients are one big on/off switch, so the moment you connect, everything — including your bank app and local services — exits from another country, which breaks them and also paints a weird fingerprint. This routes per destination automatically. The apps that need your server go through it; everything else stays direct. Region-aware profiles (US↔JP, US↔CN, etc.) keep the right traffic on the right path without you babysitting it.

Apple platforms only for now — iPhone, iPad, and Mac as a single Universal Purchase. Configs sync via iCloud (end-to-end encrypted if you have Advanced Data Protection enabled; otherwise inherits standard iCloud protection — wanted to be precise about that rather than wave it away).

$2.99 one-time, no subscription, ever. Happy to answer anything about the threat model, the routing engine (it's sing-box under the hood), or what is and isn't on my side.

13
6

A new study on workplace monitoring tools found that all nine examined shared worker data with third parties.

The abstract of the study itself:

Abstract

This report investigates the data collection practices of nine widely used workplace monitoring platforms to determine the extent to which they track and analyze employee activity, behavior, or performance during work, including how these platforms transmit worker information and to which third-parties. This report finds that (1) nine out of nine workplace monitoring platforms studied directly shared identifying worker data to third parties, (2) nine out of nine workplace monitoring platforms studied shared information about workers’ online activities with third parties, and (3) three out of nine workplace monitoring platforms studied utilize features to track workers’ precise location. This report contextualizes the practice of workplace monitoring within the broader data policy landscape to argue that workers face similar privacy vulnerabilities and lack of protections already seen in consumer landscapes. This report concludes with recommendations for regulators, policy and lawmakers, and researchers and investigative journalists.

14
3
submitted 2 weeks ago* (last edited 2 weeks ago) by PrivateNomad@lemmy.world to c/privacy@lemmy.world

I am also someone who searches daily for apps that focus on privacy... At the moment, I have come across Firedragon.

It is yet another derivative of Firefox. But is it truly privacy-oriented? I hope I can discuss this with you.

What I have discovered is that Firedragon is actually a derivative of Floorp. Floorp is another browser that, as they claim, is privacy-oriented. But is that really the case? I also discovered that Firedragon originates from India. And I find that quite suspicious. I don't want to immediately say that every person from India who creates something is immediately suspicious. But things do often go wrong there when we talk about scamming. Anyway, let's leave that aside for now.

I would like to know your opinion and knowledge regarding this new browser.


Update notes:

  • Founder: Librewish?
  • Firedragon is Open Source (MPL-2.0) and claims to be privacy focussed.
  • Firedragon is by: Garuda
  • Origin: India or maybe not?
15
1
submitted 2 weeks ago* (last edited 2 weeks ago) by Rick_C137@programming.dev to c/privacy@lemmy.world

cross-posted from: https://programming.dev/post/50697138

Hi,

I wanted to contact the owner/administrator of a website. Unfortunately, they didn't provide any means of contact ( email, phone number, online form, simpleX whatsoever).

So the only alternative that I had thought of was to create a Mastodon account and publish an open communication with them tagged. (Who knows, with a bit of luck.)

Unfortunately, to create a Mastodon account, you have to provide an email 📧 address 😞 The problem with an email address is that it can be correlated to track you down and more... there are so many examples online, I will not cover this here.

So the workaround is to create a new email address dedicated just for that usage or service. But it's becoming merely impossible to create a free email account somewhere without giving up your identity. (phone number, ISP[^1] email address, paying online with Fiat[^2], Cloudflare or whatever trick)

I've already seen a few posts about this subject on Lemmy and other platforms.

Some quotes from those links:

Like it or not, email is a critical part of our digital lives. It’s how we sign up for accounts, get notifications, and communicate with a wide range of entities online. Critics of email rightfully point out that email suffers from a significant number of flaws that make it less than ideal, but that doesn’t change the current reality. In light of that reality, I believe that an encrypted email provider is a must-have for everyone in today’s age of rampant data breaches, insider threats, warrantless police access, and targeted advertising.

All the providers listed around the WWW are wrong! Either they ask you to identify yourself, or if you use Tor, you are blocked, or you cannot use it to register to any service online (third party).

See the table below.

Do not hesitate to propose any other, or maybe you have another solution? Like self-hosting an email service? I already dug a little bit, but I found this and it looks scary. Thank you GAFAM...

So maybe it doesn't look like much? But actually, it's blocking me more and more. I cannot move/interact on the internet or in real life! Because I often get "You have to register online" and that registration comes with a mandatory email...

Where I live, you better stay anonymous. Because what you say can definitely strike back to you. There is no freedom of speech. Please help to make internet free again.

Because we need it in our daily life and social interactions...

Thanks


mailbox•org 🤔

  • not free, ~~only accept Fiat~~
  • last check: 2026-05-21

Which payment methods can I use?

Cash by post (By letter and EURO banknotes only - no cheques)

Cash deposit into our bank account

 

disroot•com ❌

  • Requires an identification email address

 

gmx•com ❌

  • various blocking methods ( depending on IP )

  • last check: 2026-05-20

 

mailo•com ❌

  • Does not accept 3rd-party registration email for an unknown period

  • currently down

  • last check: 2026-05-20

 

proton•me ❌

  • Does not accept 3rd-party registration email
  • last check: 2026-05-20

 

tuta•com ❌

  • IP blocking

  • TOR forbidden

  • last check: 2026-05-20

[^1]: Internet Service Provider
[^2]: https://en.wikipedia.org/wiki/Fiat_money

16
1
submitted 2 weeks ago* (last edited 2 weeks ago) by Gnergy@piefed.europe.pub to c/privacy@lemmy.world

Section 702 surveillance powers are still limping along, mostly unimpeded, despite on-again/off-again objections by federal politicians. More active recently have been several GOP politicians. These representatives are newly opposed to clean reauthorization of Section 702 powers. This isn't because they've come to realize the threat to Americans' rights that warrantless access by the FBI (and…

17
6

We've talked a lot about how Americans have somehow accepted the fact that our voice networks are now saturated with scammers, fraudsters, and robocallers (no, that's not something that happens in well run, functionally regulated countries). I've also explained for years how the U.S. government solutions to the problems are usually ineffective because they're endlessly…

18
6
submitted 2 weeks ago by Monkey@piefed.social to c/privacy@lemmy.world
19
13
submitted 2 weeks ago by Monkey@piefed.social to c/privacy@lemmy.world
20
2
submitted 2 weeks ago by wardcore@lemmy.world to c/privacy@lemmy.world

ONYX v1.5-beta: Emergency PIN with a full decoy environment

Released v1.5-beta of ONYX, and one of the things we added is Emergency PIN support.

A secondary PIN opens a completely separate decoy environment instead of your real account. You configure what's in it — chats, avatars, display names — so it looks like a normal, lived-in account. There's no visual indicator that it's a decoy.

The use case is straightforward: situations where you're pressured into unlocking your messenger. The Emergency PIN is kept entirely separate from your main PIN and can be changed at any time.

Happy to answer questions.

21
1

Introduction (to this post)

A week ago there was a discussion on Lemmy shitpost community mentioning Obscura.
It acts as first hop to Mullvad. Fairly limited number of its servers.
As someone mentioned, it only supports macOS, iOS, and whatever does Wireguard.

So I tried to pay for it.
First, I am displeased that there's no way to just upload a public key, but instead it generates the entire config along with the private key in the browser.
Second, I can't see list of servers and ports like on Mullvad's site, and the reason is...
Third, only one combination of entry + exit node per config is possible. It seems to just assign a port on selected entry node to forward it to specified Mullvad exit node.

And there's just 3 slots!!!!!!!!!!

I can use same key with other config's combination, but if I remove the config, that port gets closed. So yeah, I can't just have many configs saved for different servers with the same private key.

But then I thought, is the public key allowed on all Mullvad servers? Yes it is.

After all, it should be just a hop through them.


Setting up Mullvad VPN client for Obscura

First, once you have Mullvad VPN installed, open the GUI, and create an account. Perhaps this step can be skipped, but that's a simple way to get the config created.

Next, quit the GUI and stop mullvad-daemon:

```
sudo systemctl stop mullvad-daemon
```

Now, open your Obscura Wireguard config in some text editor that you can copy from.
Next, open /etc/mullvad-vpn/device.json as root. E.g.:

```
sudo vim /etc/mullvad-vpn/device.json
```

Remove the account number, private key, IPv4, and IPv6 field values. I also removed the "id", though I don't know if that one would have caused issues.
If you keep the account number, you will just get an expiration message.

Next, replace the private key, IPv4 and IPv6 with those from Obscura Wireguard config.

Here's an example of how that may look (data in example is invalid):
WG config:

```ini
# Exit: Mullvad ca-tor-wg-002 in Toronto, CA

[Interface]
PrivateKey = eNZ0Lr3jpE18o/KSVISHCi/wDWW5DgD6VCCEduKgkFI=
Address = 10.0.0.1/32, fc00:bbbb:bbbb:0:0:0:0:1/128
DNS = 10.64.0.1

[Peer]
PublicKey = iqZSgVlU9H67x/uYE5xsnzLCDXf7FL9iMfyKfl6WsV8=
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = 95.173.193.232:46906
PersistentKeepalive = 15
```

Mullvad device.json:

```json
{
  "logged_in": {
    "account_number": "",
    "device": {
      "id": "",
      "name": "obscura key",
      "wg_data": {
        "private_key": "eNZ0Lr3jpE18o/KSVISHCi/wDWW5DgD6VCCEduKgkFI=",
        "addresses": {
          "ipv4_address": "10.0.0.1/32",
          "ipv6_address": "fc00:bbbb:bbbb:0:0:0:0:1/128"
        },
        "created": "1970-01-01T00:00:00.000000000Z"
      },
      "hijack_dns": false,
      "created": "1970-01-01T00:00:00Z"
    }
  }
}
```

The name has no effect in this case, it's just what you see in the app. If the other fields matter, I don't know. I left them as they were.

Now you can once again start mullvad-daemon.

```
sudo systemctl start mullvad-daemon
```

You should now be able to connect to servers just as usual. But we have yet to add the Obscura server. The account page won't work, as there's no account.

Following the example above, we add an IP override for our exit node:

```
mullvad relay override set ipv4 ca-tor-wg-002 95.173.193.232
```

Lastly, we need to use the correct port. As per our example, in Mullvad app go to Settings -> VPN Settings -> Anti-censorship -> Wireguard port -> Custom -> enter 46906

Thankfully, these ports are also valid for Mullvad, so no extra switching will be needed.
You should now be able to connect to the Mullvad exit node via Obscura server, with Obscura account.

Multi-hop within Mullvad (a 3rd hop)

As the port for Obscura's server matters, we can only use it as an entry node. But yes, you can do that too.

Hopping madness

There's no point, but it's possible.
The Mullvad SOCKS5 will allow for, yes, a 4th hop.

And you can add TOR, for 7 hops (to regular sites)

What does that do? From this:

All the way to network quality of your teammates:
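
The manual edits in the Obscura/Mullvad post above, as an added example that is not part of the original post and is not Mullvad's or Obscura's own tooling: a Python script that parses the WireGuard config, validates the key and addresses, and derives the `device.json` content, the relay override command and the custom port. The function names are hypothetical, the `device.json` layout is assumed to be exactly the one shown in the post, and the script only prints its results; it does not write to `/etc/mullvad-vpn/`.

```python
import base64
import ipaddress
import json
import re

# The post's own example config (the post states this data is invalid).
SAMPLE_WG_CONFIG = """\
# Exit: Mullvad ca-tor-wg-002 in Toronto, CA

[Interface]
PrivateKey = eNZ0Lr3jpE18o/KSVISHCi/wDWW5DgD6VCCEduKgkFI=
Address = 10.0.0.1/32, fc00:bbbb:bbbb:0:0:0:0:1/128
DNS = 10.64.0.1

[Peer]
PublicKey = iqZSgVlU9H67x/uYE5xsnzLCDXf7FL9iMfyKfl6WsV8=
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = 95.173.193.232:46906
PersistentKeepalive = 15
"""

def parse_wg_config(text):
    """Parse into {'exit': hostname, 'Interface': {...}, 'Peer': {...}}."""
    cfg, section = {"exit": None}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Obscura names the Mullvad exit relay in a leading comment.
            m = re.match(r"#\s*Exit:\s*Mullvad\s+(\S+)", line)
            if m:
                cfg["exit"] = m.group(1)
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg[section] = {}
        elif section and "=" in line:
            key, value = line.split("=", 1)  # split once: base64 ends in "="
            cfg[section][key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return cfg

def build_device_json(cfg, name="obscura key"):
    """Build the device.json layout shown in the post (assumed, not official)."""
    key = cfg["Interface"]["PrivateKey"]
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError("WireGuard private key must decode to 32 bytes")
    addrs = {}
    for a in cfg["Interface"]["Address"].split(","):
        iface = ipaddress.ip_interface(a.strip())  # raises on malformed input
        addrs[f"ipv{iface.version}_address"] = a.strip()
    wg_data = {"private_key": key, "addresses": addrs,
               "created": "1970-01-01T00:00:00.000000000Z"}
    device = {"id": "", "name": name, "wg_data": wg_data,
              "hijack_dns": False, "created": "1970-01-01T00:00:00Z"}
    return {"logged_in": {"account_number": "", "device": device}}

def relay_settings(cfg):
    """Return the relay override command and the custom WireGuard port."""
    if not cfg["exit"]:
        raise ValueError("no '# Exit: Mullvad <relay>' comment found")
    ip, port = cfg["Peer"]["Endpoint"].rsplit(":", 1)
    ipaddress.IPv4Address(ip)  # the post's override command is ipv4 only
    cmd = f"mullvad relay override set ipv4 {cfg['exit']} {ip}"
    return {"override_cmd": cmd, "port": int(port)}

if __name__ == "__main__":
    parsed = parse_wg_config(SAMPLE_WG_CONFIG)
    print(json.dumps(build_device_json(parsed), indent=2))
    print(relay_settings(parsed))
```

The generated JSON contains the WireGuard private key, so its output should be handled like the config file itself.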

22
1
submitted 3 weeks ago by Midnight@slrpnk.net to c/privacy@lemmy.world
23
13

cross-posted from: https://lemmy.today/post/52903710

Since Microsoft owns Github, Gitlab is Corp owned now since 2022, why are so many who preach privacy or using Linux, etc, still using a MS product?

Genuine questions. I'm assuming either familiarity & simplicity with GH or difficulty migrating elsewhere?

24
41

Surveillance creep is once again striking in the age verification debate. This is happening at the FCC this time.

25
1
submitted 3 weeks ago by msokiovt@lemmy.today to c/privacy@lemmy.world

Privacy


A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 3 years ago