Update: https://darkmentor.com/blog/esp32_non-backdoor/

cross-posted from: https://programming.dev/post/26664400

Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.

Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.

In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.

Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.

I know Whatsapp several tenants of privacy, but outside of North America, everybody has Whatsapp. We need to unify to spread the message of Signal as an alternative, not SimpleX.

Anyways, I've noticed a pattern as I do have Whatsapp, when I get random texts that looks suspicious, I use the app "Open In WhatsApp" and enter the phone number from the text to start a chat in Whatsapp, and 99% of the time it says that phone number is not registered for Whatsapp, thereby showing it is most likely spam. Of course that is not 100% of the case, as some people don't use Whatsapp, some businesses do use Whatsapp, but it can be a safe bet if the text number is not on Whatspp, it's very very likely spam and best to block without replying

I saw a post on here months of someone posted their reply to a text that said something like "Hi, my name is Sharon, who will you most likely vote for in the next election?" with a list of options. and they boastfully got suckered to take the bait and fell into the trap. By replying, they showed it was a live and valid number to now sell their phone number to other spammers. Never ever reply to a random message until you can guarantee who that came from.

cross-posted from: https://lemmy.bestiver.se/post/265273

Comments

Any way to semi achieve the image search like pinterest without using it? I've tried using google, technically it should give the same or better results but how the hell pinterest gives better search results. Also pinterest removes the context behind the image and is a privacy nightmare. I want to move away from it.

------\\------- Anyone wondering what did I end up with? Here's what I am doing. I have deactivated my pinterest account and if I specifically want results from pinterest and pinterest only then I use services such as binterest (actually that the only one working right now) and if I instant like something I take a pic of it and save in my proton drive (cloud) and if I need more recommendations out of it then I just use the google image search on that image and there's a camera like icon if you click on it, it shows more closely related images and I think that works the best instead of the general related stuff that come up upon selecting the image (the sidebar) and I keep doing that on every next image I click on.

I use Qwant as my default search engine because I thought it was more respectful of my privacy than Google or Bing and DuckDuckGo is not giving so good results in my country (for localization related searches).

I noticed that the engine was removed from the default engines for URL bar in latest IronFox version. So I searched a bit about why so, and found this issue in their tracker : https://gitlab.com/ironfox-oss/IronFox/-/issues/47.

What to think about this ? The message from ironfox dev seems clear but qwant seems to claim that the shared data are anonymized.

Hello everyone,

I'm reaching out to the community to see if anyone is aware of a resource or webpage that tracks and lists VPN providers' servers, particularly focusing on their status in relation to being targeted or banned by major services like Cloudflare, Google, etc.

As privacy advocates, we understand the importance of staying informed about the effectiveness and reliability of VPN services, especially in the face of increasing scrutiny and restrictions. Having access to a centralized and up-to-date list would be incredibly beneficial for users looking to make informed decisions about their privacy tools.

If such a resource exists, please share the link or any relevant information. If not, giving a the idea to the community. Your insights and contributions are greatly appreciated!

Thank you for your time and assistance.

YouTube won't let me watch this video with my VPN on. Is this a new thing?

Using Mullvad on Linux Mint, I see a number of settings and have no idea what they are for. DAITA, Multihop, Local Network Sharing, API Access. I would like to keep Mullvad VPN on all the time, but still be able to use Freetube and Grayjay. Also not break too many websites, although that seems to be more of a Librewolf setting issue. Can anyone recommend settings for Mullvad that I should be using?

https://positive-intentions.com/

A webapp for P2P E2EE messaging and file transfer. its a fairly unique approach to secure messaging.

the project isnt ready to replace any existing apps or services, but given the competative market for this kind of project, id like to push it out to get feedback.

i made an attempt to create documentation on the website, but otherwise feel free to reach out with questions about how it works.

Like, there's a lot of people freaking out about Apple ending End to End encryption in iCloud in UK. I'm just like: So What? It was probably backdoored from the beginning

So is Big Tech's E2E actually not backdoored? Or is that just a PR stunt to trick people into trusting iCloud, and this is a secret honeypot? 🤔

What are your thoughts?

I think those websites are over using trackers in their websites for extra profit with no care for the privacy of their users, I highly recommend avoiding them.

• The Guardian.
• The Verge.
• Wired.

For comparsion:

• Associated Press(AP).
• Al Jazeera.
• ABC.
• BBC.
• CBC.
• DW.
• France24.
• Sky News.
• The Register.
• Tech Policy Press.

Update: added Wired and more websites for comparison.

Hi guys!

I'm looking for a Proton alternative. So far I've seen these two recommended. I was wondering what are the pros/cons of each? Seems Tutanota offers more bang for the buck in mailbox size etc, but I'm not sure. I'd also like to have a better integration with Android, because Proton's email/calendar apps suck big time.

Thanks!

Firewalls are a great way to tell if new apps are secrely installed

Btw what is the key verifier thing?

cross-posted from: https://feddit.nl/post/29675306

I am not the author.

I found this blog to have both a short summary of the reasons as well as a pretty complete overview of the options for protecting against this specific threat model. I can just send this to people and they'll understand the why and the how.

TL;DR: I'm writing a program that could be used by a malicious user to track people. Do I license it under GPLv3 to guarantee user freedom, or do I use a more restrictive license to prevent abuse?

Introduction

Hello! I'm a software developer with quite a bit of experience in automotive electronics, and I've run into a bit of an ethical dilemma, and I'd like to get some input from people who care about the same issues I do.

ALPR

If you already know what ALPR is, you can skip to the next section.

As a brief background for those who aren't familiar, automated license plate recognition (ALPR) is a rapidly growing technology that detects, records, and logs license plates, typically on public roads. This technology is almost always pushed as a safety measure to protect the populations under surveillance. The argument generally goes that people should be willing to give up some privacy if it means helping police identify stolen vehicles, AMBER alerts, and more. If you're a member of this Lemmy community, I don't think I need to explain why I think this is a terrible idea.

V0LT Predator

Predator is my attempt to take on this industry with a highly private alternative to traditional ALPR. In short, Predator is completely open source, runs entirely locally (with no telemetry/data mining), and uses independent hot-lists to decide what plates to alert to. The idea is that instead of a government agency setting up thousands of cameras to track hundreds of thousands of vehicles, individual users can set up cameras in their own vehicles, and help track down relevant vehicles (like AMBER alerts with associated license plates) indepdently. I figure this bottom-up approach can reduce the severity of mass surveillance and data centralization without entirely giving up the advantages of ALPR.

The danger with ALPR is when someone has access to so much centralized data that they can form a map of everywhere a specific vehicle has been. This is not something that's realistically possible on the scale of an individual user operating independently.

I realize many people will probably be entirely opposed to the idea of building an ALPR platform in the first place, but I hope you can understand my motivation.

Growth

Predator started as a brief personal challenge, but rapidly turned into one of my most advanced products. As far as I can tell, it is currently the only active open source ALPR ecosystem, and is the most popular alternative to SaaS ALPR platforms like Rekor and Flock Safety.

The issue is that this growth came with surging demand for many of the features supported by traditional ALPR services. I've had to walk a very fine line with making Predator valuable enough as a product to replace traditional mass-surveillance without turning it into a mass-surveillance product in itself. My decision making when considering new features has primarily been based on these two features:

1. Is this feature useful to individual private users? (people with Predator dash-cams, home security systems, etc)
2. Would this feature make it easier for a state agency or company to conduct mass surveillance?

As I'm sure you can image, this is an extremely gray area, but I think I've managed to walk the line pretty effectively so far.

The Problem

That leads us to the latest problem. There's been a lot of interest in some kind of product to organize and centralize license plate data collected by individual Predator instances. For example, a university police department running parking enforcement might want to identify plates that haven't purchased a parking pass. I think this use-case is fair, since all vehicles being monitored implicitly consent by purchasing a pass, and vehicles are not followed off-campus. That being said, this is one of those products I've been hesitant to add, since it would absolutely make it possible to use Predator as a mass surveillance tool.

The other day, I started developing a system like this internally, and it was a bit terrifying how effectively it worked. With a $80 off-the-shelf camera system, I was able to track dozens of vehicles after driving around for ~15 minutes.

The Dilemma

Here's the dilemma. If I hosted this service as an online-only product (which is the current plan), I could pretty effectively prevent it from being used for mass surveillance. For example, I plan to limit accounts to a few hundred unique vehicles unless they apply for an override. Customers with legitimate use cases can be granted overrides with geofenced areas to fill their use-case (i.e. the university campus from the previous example). However, this significantly compromises user control, since they would have to go through my services to use the product.

Typically, I would prefer to make the software entirely open source and self-hostable under the AGPLv3. However, this would make it trivially easy for a government agency or business to set up a mass scale surveillance system.

I'm struggle to decide how to approach this issue. Have I backed myself into a corner with this one? I'd love to hear everyone's thoughts on this dilemma, and the Predator ecosystem as a whole.

Joan Westenberg mentioned this in her "Trump-proof tech stack" post; anyone have any experience with this? It says it's open source, self-hostable, and based in France.

Unfortunate Andy Yen comments aside, a big plus is that cozy actually has a Linux desktop client (!), unlike Proton.

YouTube link: https://youtu.be/wVyu7NB7W6Y

Invidious link: https://inv.nadeko.net/watch?v=wVyu7NB7W6Y

Sorry for the formatting... Tried to remove the URL for better readability, but there seems some kind of bug.

TLDW

• hack phones remotely just knowing it's phone number
• Intercept 2FA sms
• Intercept phone calls
• Reroute phone calls
• Geolocation of a target

I dunno if it has already been posted/discussed here but this kinda blew my mind ! Sorry there's a lot of clickbait but the general subject is interesting...

I never heard of SS7 and have actually no idea how the whole phone system communication works but that's kinda scary...

Yes we are probably not the first target with this "hack" nor is it as easy as exposed in this video and nor do we have 14k $ to spend on this, but that's not out of reach for some people. I mean it's not as expensive as Pegasus and people with the mean and some good stable income can probably misuse this system for targeting specific vulnerable people (example in the video).

Had never heard of this before today. Anyone tried it?

EDIT: "Being a fork of Mozilla Thunderbird, the software collects some data about the user, less than the original Mozilla Thunderbird, as outlined in Thunderbird's privacy statement. No data is submitted to Betterbird, some data may be submitted to Mozilla. No telemetry and no crash reports are submitted, however, add-on updates and blocklists are downloaded from Mozilla sites. Betterbird offers a product Start Page which processes access data as described above."