The FBI produced this nice chart comparing what kinds of privacy leaks the various messaging apps have.
Our first build of Conscrypt which includes the next version of #TLS known as #ECH (Encrypted ClientHello) is now available for Android and Java:
implementation 'info.guardianproject.conscrypt:conscrypt-android:2.6.alpha1638179154.job1828169525'
https://github.com/google/conscrypt/issues/730
Yet another of the many ways that #Cloudflare breaks the open #internet: connecting without a User Agent gives 403 Forbidden with an obscure "error code 1010". My #TLS #ECH test suite works fine on all the other sites, only Cloudflare does this.
One of the hazards of #TLS #ECH is that a deployment could end up leaking as much information as a non-ECH TLS connection if the ECH Config in DNS is only associated with a given domain. https://blog.cloudflare.com/handshake-encryption-endgame-an-ech-update/#focusing-on-deployability
#Android apps can track users based on their wallpaper: https://lwn.net/Articles/873921/ https://fingerprintjs.com/blog/how-android-wallpaper-images-threaten-privacy/
#CalyxOS is leading the charge to deliver a truly #private mobile device, and it is also #FreeSoftware. Since it is based on #AOSP, you can port it to lots of devices, even if they do not support a locked bootloader.
#Debian created an ecosystem where the software available there is reviewed and trusted, so the system can prioritize flexibility over security. In #Google Play, there are many apps we feel forced to use, despite knowing they are unethical or are tracking us. Google responds by locking down #Android to reduce data leaks, which also reduces the system's flexibility. #FreeSoftware puts the user in control so we can build user-friendly systems without being forced into bad decisions.
I'd love to see data on what verified boot actually stops. The ideal malware implants itself at the lowest level possible. Is there good public data on these kinds of exploits on #Android #Debian #Windows #iOS etc.? Does standard spyware do that? Writing to /system requires a root exploit, and lots of malware never gets root. How often are there vulns in #VerifiedBoot itself? Here's a real-world full #exploit of verified boot:
https://threatpost.com/multiple-vulnerabilities-found-in-nvidia-qualcomm-huawei-bootloaders/127833/
Does anyone know how to query the system for information about Trichrome Libraries https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/docs/android_native_libraries.md#Trichrome? They seem to be installed as APKs, but the regular way of querying for app metadata does not work. For example, is there a separate concept of "Version Code" for Trichrome libraries?
EU Commissioner Johannes Hahn on 'Public Money? Public Code!' https://peertube.social/videos/watch/20512955-f554-428e-a563-abc74dc806c8
Anyone know what #google ULR is?
"Suppose a user has disabled permissions to, say, Google Maps for Mobile (GMM). With client-side location, GMM will not get location, as the user intended. However, they can still get a place card (e.g. Riddler) via ULR-->████-->GMM server--> GMM client. (ULR has GmsCore's location permissions, not GMM's). This seems like a bypass to Android's permissions model."
https://www.azag.gov/sites/default/files/2021-05/Berlin_Exhibit_236.pdf
NetCipher v2.2.0-alpha released! Supports the new TorServices app; adds new libraries for enabling Tor/proxying with Conscrypt and WebViews. Get them on Maven Central:
'info.guardianproject.netcipher:netcipher:2.2.0-alpha'
'info.guardianproject.netcipher-conscrypt:netcipher:2.2.0-alpha'
'info.guardianproject.netcipher:netcipher-webkit:2.2.0-alpha'
If anyone is looking for a #ReproducibleBuilds #Java / #Android project to hack around with, jtorctl now builds with #Gradle (from gradle.org or #Debian), #Maven, and #Bazel, with sketches of Ant. The idea is that if all the build tools make the same JAR, there is no need to trust the build tool.
https://GitLab.com/eighthave/jtorctl or https://GitHub.com/eighthave/jtorctl
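As an added example (not jtorctl's own tooling), the Python script below compares two JARs the way you would when checking whether different build tools produced the same artifact: it reports whether the archives are byte-for-byte identical and, if not, whether the difference is in entry contents or only in ZIP metadata such as timestamps and entry order. The JARs, entry names and class bytes are constructed inline.

```python
import hashlib
import io
import zipfile


def build_jar(entries, date_time):
    # Constructed stand-in for a build tool's JAR output, not a real build.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def compare_jars(jar_a, jar_b):
    """Return (identical, content_diffs, metadata_diffs).

    identical: byte-for-byte equal, so every build tool yields one SHA-256.
    content_diffs: entries missing on one side or with different bytes; a
      real build difference. metadata_diffs: equal bytes but a different
      timestamp or archive position; fixed by normalising the archiver step.
    """
    identical = hashlib.sha256(jar_a).digest() == hashlib.sha256(jar_b).digest()
    za = zipfile.ZipFile(io.BytesIO(jar_a))
    zb = zipfile.ZipFile(io.BytesIO(jar_b))
    order_a = [i.filename for i in za.infolist()]
    order_b = [i.filename for i in zb.infolist()]
    content_diffs, metadata_diffs = [], []
    for name in sorted(set(order_a) | set(order_b)):
        if name not in order_a or name not in order_b:
            content_diffs.append(name)
        elif za.read(name) != zb.read(name):
            content_diffs.append(name)
        elif (za.getinfo(name).date_time != zb.getinfo(name).date_time
              or order_a.index(name) != order_b.index(name)):
            metadata_diffs.append(name)
    return identical, content_diffs, metadata_diffs


# Constructed sample inputs: the same class bytes, packaged three ways.
EPOCH = (1980, 1, 1, 0, 0, 0)  # fixed timestamp used by reproducible archivers
ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n\r\n"),
           ("example/Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)]
JAR_TOOL_A = build_jar(ENTRIES, EPOCH)
JAR_TOOL_B = build_jar(ENTRIES, EPOCH)  # identical to A
JAR_TOOL_C = build_jar(ENTRIES[::-1], (2021, 11, 29, 12, 0, 0))  # metadata only
JAR_TAMPERED = build_jar([(n, d + b"\x01" if n.endswith(".class") else d)
                          for n, d in ENTRIES], EPOCH)  # real content change
```

Only a metadata-only result is safe to fix by normalising the packaging step; a content difference means the compilers or inputs disagree and must be investigated before trusting any of the builds.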
RT @ReclaimYourFace@twitter.com
New AI law proposal agrees with the risks and harms of biometric mass surveillance but *fails* to properly ban it.
Companies and authorities aren't prohibited from these practices and the law enforcement ban has way too many exceptions. 🤦
Our thoughts: https://reclaimyourface.eu/european-commission-proposal-new-ai-regulation-fighting-ban-biometric-mass-surveillance/
🐦🔗: https://twitter.com/ReclaimYourFace/status/1384903986260725760
RT @ReclaimYourFace@twitter.com
🎉BREAKING!
61 MEPs from different political groups just asked the EU to ban biometric mass surveillance, days before @EU_Commission@twitter.com proposes new laws on AI.
https://reclaimyourface.eu/61-meps-urge-eu-ban-biometric-mass-surveillance/
#ReclaimYourFace #BanThisBS #ArtificialIntelligence #Biometrics #MassSurveillance
🐦🔗: https://twitter.com/ReclaimYourFace/status/1383024311192186880
We need 1 million signatures to force the European Commission to listen - will yours be the next one? Join us #ReclaimYourFace
https://privacyinternational.org/call-action/4414/sign-ban-biometric-mass-surveillance
Instead of adding Google apps on top of that, @e_mydata added the open-source alternative Nextcloud instead of, for example, Google Drive.
@Mrwhosetheboss shares interesting tips on how to stay in full control of your data. Watch the video!
Weak privacy bills are being pushed by tech companies across the country, and in some cases have even become law. "Setting up these weak foundations is really damaging and really puts us in a worse direction on privacy in the U.S.," says EFF's @htsuka https://themarkup.org/privacy/2021/04/15/big-tech-is-pushing-states-to-pass-privacy-laws-and-yes-you-should-be-suspicious
Mexico’s Senate has passed a law mandating registration for cell phone users that links SIM cards to biometric data. This is an unnecessary and disproportionate measure as Mexican NGO @R3Dmx has shown - and it poses major risks of abuse and leaks. https://r3d.mx/wp-content/uploads/Ficha-PUTM-Senado.pdf
Two-factor authentication is a simple, powerful way to add a new layer of protection to your online accounts. Which type is right for you? https://www.eff.org/deeplinks/2017/09/guide-common-types-two-factor-authentication-web