Spyke

Back with an update on Elusive: heard you on closed source

Posted here two days ago about the encrypted email thing I'm building, closed source at the time, said it'd open at 300 users. A bunch of you called that an immediate trust killer, and one comment stuck with me: "GPL will give you the best input into holes." Fair. Didn't wait for the number, opened it now.

Whole thing's public: server, browser crypto, storage layout, AGPL-3.0.

The part I'd actually pay attention to over "source is up somewhere": every build is signed by GitHub Actions itself, not by me by hand, no private key of mine sitting around for anyone to leak. The signature lands in a public log. There's a widget on the site that checks the live server against it, so you don't have to take my word that what's running matches what's in the repo.

Also since last time: forward secrecy per message, each one sealed to a key that's gone the second you read it. Outbound mail auto-encrypts too now if the recipient has a published key, used to be inbound only. And the columns that were still plaintext, username, aliases, read state, are ciphertext now.

Go find what's still broken. https://elusivemail.xyz/security https://github.com/elusivecloud/elusivemail

View original on lemmy.world
7

YSK about Deflock, an An open-source project mapping license plate readers.

ALPRs are a serious risk to your privacy and civil liberties. These systems continuously record your movements without a warrant, probable cause, or even reasonable suspicion. Your driving history is rarely confined to the town or city where the cameras are installed. It's typically shared with thousands of other agencies nationwide (secretly). Once the data is out of your community, you have no control over how it's used or what rules apply, leading to instances of misuse.

YSK about Deflock, an An open-source project mapping license plate readers.https://deflock.org/Open linkView original on discuss.online
201

Should intelligence agencies be allowed to train AI on citizens' data?

A recent watchdog report from the Netherlands has reignited a broader privacy debate: where should the line be drawn when intelligence agencies use AI? The concerns aren't just about surveillance, but also about whether bulk datasets containing ordinary citizens' information can be used to train AI models, how long that data is retained, and what meaningful oversight exists.

Should intelligence agencies be allowed to train AI on citizens' data?https://thecybersecguru.com/news/aivd-mivd-ai-training-citizen-data/Open linkView original on lemmy.world
37
privacy·PrivacybyXLE

Trump administration’s $46 billion 'smart wall' races ahead on the US-Mexico border

The wall is under heavy scrutiny for the billions of dollars being dedicated to it when border crossings are at their lowest in decades. Critics say the U.S. is militarizing the border as it increasingly deploys sophisticated surveillance technology to the area, impacting local communities.

Trump administration’s $46 billion 'smart wall' races ahead on the US-Mexico borderhttps://abcnews.com/Technology/wireStory/trump-administrations-46-billion-smart-wall-races-ahead-134404339Open linkView original on piefed.social
23

Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

"At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records," Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, said in a report published this week.

Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaignshttps://thehackernews.com/2026/07/hackers-weaponize-balochistan-police.htmlOpen linkView original on mander.xyz
18

Which messaging app do you trust most for privacy in 2026?

Secure messaging is about much more than end-to-end encryption. Metadata collection, open-source transparency, independent audits, default encryption, account requirements, backups, and jurisdiction all influence how private a messaging platform actually is. This comparison examines the major privacy-focused messaging apps and discusses the trade-offs each one makes instead of trying to crown a single "best" option.

Which messaging app do you trust most for privacy in 2026?https://thecybersecguru.com/online-privacy/most-secure-messaging-apps-2026/Open linkView original on lemmy.world
50
privacy·PrivacybyXLE

Madison Square Garden database tracks hundreds. Labels "LGBTQIA," & low/high "risk."

An MSG database tracked and categorized hundreds of celebs, famous Knicks superfans, and even some of Taylor Swift’s wedding guests. Labels included “LGBTQIA,” “DO NOT HOST,” and low to high “risk.”

Un-paywalled at https://archive.ph/fEVKk

Related: Madison Square Garden compiled a list of activists against facial recognition
(un-paywalled)

Madison Square Garden database tracks hundreds. Labels "LGBTQIA," & low/high "risk."https://www.wired.com/story/madison-square-garden-celebrity-database-surveillance/Open linkView original on piefed.social
74
privacy·PrivacybyCubitOom

Procedural trick before summer break: EU Parliament reactivates Chat Control 1.0

cross-posted from: https://feddit.uk/post/52022085

After a long dispute, the EU Parliament has voted in an expedited procedure to extend the controversial exception rule for the indiscriminate scanning of chats.

On the last day of session before the parliamentary summer break, the EU Parliament narrowly voted to extend the long-controversial legal basis for Chat Control 1.0 for another approximately two years. Amendments that would have completely rejected an initiative by the Council of Ministers did not find the required absolute majority at the very beginning of the vote. Later, only two correction proposals managed to overcome this hurdle, stipulating that the scanning of private chat messages should not occur with end-to-end encryption.

The plan is exclusively for “special technology for the sole purpose of detecting and removing known online material of child sexual abuse.” Photos or videos not previously captured would therefore not be searched for. Ultimately, 276 representatives voted against the member states' motion to reactivate Chat Control, 286 voted in favor, and 30 abstained.

The result paves the way to quickly reinstate a transitional regulation that expired in April. This exception regulation allows tech giants like Meta, Google, or Microsoft to voluntarily search private chats, emails, and messenger services for material related to child sexual abuse without specific suspicion.

The development had already become apparent on Tuesday. With a narrow majority of 331 to 304 votes with eleven abstentions, MEPs voted for an urgency motion that enabled Thursday's vote. Tug-of-war in the background

Behind the scenes of the decision was an unprecedented political tug-of-war that has caused consternation among civil rights advocates and opposition politicians alike. As recently as March, MEPs had, after tough negotiations in the Council of the EU, let an extension of the interim regulation fail, thus sealing the temporary end of Chat Control 1.0. That the same text was quickly brought back onto the agenda just before the summer break is thanks to a strategic maneuver by the Christian Democratic EPP group around President Roberta Metsola, supported by the Council and the EU Commission.

Critics speak of a democratic foul play. Although the majority of MEPs actually present in the chamber voted against the proposal, it passed. Fierce resistance against the procedure also emerged within the liberal Renew group until the very end. MEP Irena Joveva emphasized that the House cannot simply wave through mass surveillance of the population. It is about protecting both children and citizens' privacy. Rapporteur Birgit Sippel (SPD) also condemned the short-notice expedited procedure without the involvement of the responsible committee, calling it unfair maneuvering.

The vote has direct consequences for the approximately 450 million EU citizens. According to critics, large US tech corporations, which lobbied heavily for the exception rule in the run-up, are now once again receiving a legal free pass to automatically scan private digital mailboxes billions of times. While the amendment successfully introduced by the Greens ensures that fully encrypted communication should formally remain protected, it does little to change the fundamental problem of the dossier. No acute protection gap

An evaluation report by the EU Commission gives the previous practice of Chat Control a very poor assessment. The Brussels government institution itself admits that after years of application, no proof of the proportionality of the measures can be provided. Only a tiny fraction of the messages scanned worldwide – just 0.00000077 percent in the EU – actually contained illegal material.

On the other hand, there is immense susceptibility to errors: the false positive rates of the filter technologies used are up to 20 percent, leading to mass suspicion of serious crimes for innocent citizens. The Commission could not demonstrate a clear link between automated reports and real convictions or the rescue of abused children. For civil rights advocate Patrick Breyer, it is clear: “Suspicionless chat control is as unacceptable as randomly opening all letters.”

The role of the German government also raises questions. While it was always stated in Berlin that suspicionless chat controls are an absolute taboo in a state governed by the rule of law, the coalition buckled in the Brussels bodies and paved the way for the current expedited procedure. The argument often made by proponents that the expiry of the regulation in April would have led to an acute legal gap is refuted by new figures: the Federal Criminal Police Office did not record any drop in suspicious activity reports after its expiry in spring. “Black day for civil rights”

The reactivation of Chat Control 1.0 also casts a shadow over the parallel negotiations on Chat Control 2.0. This is intended to create a permanent and mandatory legal basis for all providers. EU MEP Erik Marquardt (Greens) speaks of a black day for civil rights: the political horse-trading is blocking targeted, effective measures such as an EU child protection center and the strengthening of law enforcement agencies. Green Party MP Jeanne Dillschneider also demands: “We finally need effective child protection in the digital space. This important concern must not be played off against the fundamental rights of all.”

The temporary exception provision now restricts the confidentiality of digital communication for another 24 months. It overrides core areas of the European e-Privacy Directive.

Procedural trick before summer break: EU Parliament reactivates Chat Control 1.0https://www.heise.de/en/news/Procedural-trick-before-summer-break-EU-Parliament-reactivates-Chat-Control-1-0-11359605.htmlOpen linkView original on infosec.pub
63

I built encrypted email that shows exactly what it can and can't see. Closed source today, opening at 300 users. Tear it apart

Full disclosure: I am the maker. I am not here to tell you it is perfect. I am here because this community is best at finding the holes, and I would rather you find them now.

Elusive (elusivemail.xyz) is encrypted email. The thing I care about is honesty over claims. The landing page has a two-sided ledger showing what is sealed to your key versus what the server can see. Most services bury the second half. I put it front and center.

Sealed to your key: message bodies, subject lines, attachments, the sender and recipient of every stored message, and in keyfile mode the key itself. Visible to the server: who a message is from and to at the moment it passes through, your account details, and incoming mail the instant it arrives, before it is encrypted to your key.

The crypto: keys are generated in your browser (OpenPGP.js, curve25519, Argon2id). Your password never leaves your device, the server only stores a hash, so it cannot derive your key. End-to-end by default, plus a keyfile mode where nothing stored can decrypt your mail.

Where I will not blow smoke: incoming external mail is plaintext at receipt, the envelope is visible at delivery time to route mail (no logs), and it is closed source right now.

The whole plan is public and numbered on the roadmap (elusivemail.xyz): open source everything at 300 users, then a public API, native apps, our own hardware in Switzerland, a multi-server split so no single machine holds everything, an independent audit at 4,000, and eventually an encrypted communicator and drive. If a number slips, the page says so. Watch the roadmap, not my word.

It is free, no ads, I make no money. What would make you trust it, or not? What did I get wrong?

View original on lemmy.world
-25
privacy·PrivacybyCubitOom

California Cops Tracked Protesters Using Orange County Sheriff's Flock System

cross-posted from: https://infosec.pub/post/49158153

[Orange County] - Cops across the Golden State accessed the Orange County Sheriff’s Department’s (OCSD) Flock Safety automated license plate reader (ALPR) system at least 145 times to track protesters within the span of a year and seven months, newly obtained data shows. Eleven California police agencies, one as far as Daly City, located almost 400 miles away, searched for protesters using OCSD’s Flock data, which contains license plate numbers, timestamps, locations, and photos of vehicles and their surroundings. The majority of the dates that police searched for people landed directly on or around dates when protests against ICE were held. The data was shared with Inadvertent by a local anti-ALPR organizer, who obtained it through a public records request with the help of Oakland Privacy. The data, officially called a network audit, is a log spanning approximately 19 months that shows other agencies’ individual queries of OCSD’s Flock. The records provide a snapshot of how police have been using Flock’s powerful mass surveillance system on the public — without the public’s consent.

On and around June 14 last year, officers from Anaheim Police Department (APD), San Bernardino County Sheriff’s Department, Riverside police and sheriff’s agencies, Daly City Police Department, Salinas Police Department, and the California Highway Patrol looked for people who were involved in protests using Flock’s powerful search features, such as license plate lookups or a freeform-AI-powered search. The features enable anyone with access to the Flock system to look for people who are in view of Flock’s pervasive camera systems. Flock’s AI-powered system allows cops to search for specific identifiers on vehicles or people.

The reasons for the searches, cited by officers, are contained in the log. They are unspecific and include “protest”, “ICE PROTEST”, “gene autry protest” and other vague terms. Cops are required by state law to list the reason for searching through the Flock system, but the data shows that even beyond tracking people engaged in First Amendment activity, police have been logging their reasons using vague one-word responses. The most specific search for protesters read “Hit and run protest,” logged by the Riverside Police Department.

...

Outside of the mid-June 2025 searches, officers continued to provide little details about their reasons for scouring the Flock system for protesters. One agency, Escondido Police Department, queried the Flock system at least 28 times on February 2 last year for “Protest ATI Vehicle” and “Immigration Protest.” These searches line up with several arrests that followed a protest against ICE terror in Escondido on that date.

“Protest is a common one. Protests, protesters,” said Ed Vogel, a member of DeFlock who researches ALPR usage across the country, when asked about police using ALPRs to search for protestors.

“It’s another example as to how surveillance like ALPR, not just ALPR, but surveillance is a symptom of a crisis of democracy,” Vogel added.

...

The revelation of OCSD’s Flock network having been used to surveil protestors comes after President Trump issued National Security Presidential Memorandum-7 (NSPM-7), a directive that criminalizes dissent in the United States. Recently, anti-ICE protestors in Texas were handed lengthy prison sentences for their participation in a noise demonstration outside of an ICE detention center in Prairieland, Texas. One individual, who was not even at the protest, was sentenced to thirty years for moving a box of zines.

“Surveillance shows a crisis of democracy by, one, how these technologies are procured. Oftentimes it’s done behind closed doors, oftentimes it’s done without fully disclosing information to the public or to elected officials,” said Vogel, “There’s very little public engagement around whether we should enter into a contract, no real democratic process around the signing of the contract, or asking around, ‘Is this the community we want to build? Is this public safety?’”

California Cops Tracked Protesters Using Orange County Sheriff's Flock Systemhttps://www.inadvertent.news/p/cops-tracked-protesters-using-flockOpen linkView original on infosec.pub
68