
That’s the point of digitally signing the app, to ensure its authenticity and integrity. TM and others wouldn’t be able to re-sign the modified app with the Signal Foundation signature.

EDIT: Yeah, after thinking more about it, it’s not a trivial problem, as you need to assume that the endpoint is inherently untrusted.


At the moment you can’t. The only realistic way I could see that happening is if the server would check the app’s digital signature and refuse to let the app communicate with the official infrastructure if it didn’t match.



At least they kinda get the implications, with their own Matrix derivative at the government level.


AI trends

Yeah that part kinda sucks, but it’s not all bad. For example, there’s the offline translation engine that relies on a trained model that runs entirely locally, which is kinda neat and great privacy-wise.


I think you mostly just need to block incoming.telemetry.mozilla.org



Service-specific link shorteners are alright, like youtu.be, a.co and goo.gl/maps. At least you know roughly where you’re going.

For anything else, I’d rather see the full URLs, and if I need to share a link on a paper medium, I also make it available in QR code form.


Yeah I’m not saying Bridgefy is better, just that it’s available on both major mobile platforms while Briar isn’t. I do prefer Briar on technical and privacy levels.


Bridgefy was used more during protests since it’s available on both iOS and Android, while Briar is Android only.


Not really, especially if there’s an MDM pushed through Apple Business Manager, which will be forced upon it at first boot.


These CEOs really don’t want the average people to like them.


Delete it, then embrace the fediverse through Pixelfed and Loops.


I use it as I don’t even want to bother hosting a PiHole, and honestly it works quite well. Set it as a DoT on Android and you have it outside of home without having to think about it.



The DNT flag amounted to the equivalent of a digital pinky swear from website operators. Oh they still tracked you? That’s too bad… South Park’s rubbing nipples meme


On the other hand, it makes it easy to find which apps aren’t to be trusted with your data.


I can see the interest where it may be easier to extract your own data through that frontend in some cases.


tor.defcon.org is considered a guard node, and your browser likely chose to prefer that one to bootstrap itself.



Strange, my Yubikey allows me to authenticate using Passkeys just fine by entering the PIN that protects my stored credentials.


I guess you’re better off buying a physical security key, which offers some guarantee that the keys cannot be exfiltrated from the device.


The firmware is indeed closed-source, so it’s hard to audit. But they’re popular, and a security flaw wouldn’t go unnoticed for long.

There are other vendors such as NitroKey that offer an alternative with both open source and audited hardware and software.


This helps protect our community revenue.





That’s what I use; the key itself is formatted using ExFAT for compatibility with all major OSes, and I use Cryptomator to encrypt the files.


Unless you are in control of the encryption keys (E2EE), assume that everything stored there can be read and accessed by Google.


Always consider what you say on Discord as potentially public, since there is no E2EE.



Acronym for Know Your Customer, requiring some kind of identity verification before enabling service.


And some TOTP apps don’t interpret the algorithm parameter correctly, which makes it safer to go with the default SHA-1.

Lemmy in fact was using SHA-256 for its earlier TOTP implementation and reverted back to SHA-1 since some people locked themselves out due to poor support in some TOTP apps (among other issues; another was that the activation workflow never asked you to confirm that the code you enrolled was working and generating the correct code…).



I suppose they all use the same challenge-response key?


A strong and unique passphrase is indeed really important here, but you need to keep in mind that once the kdbx file is in the attacker’s hands, that’s the only thing that keeps them out.

There’s no 2FA, and no throttling on the bruteforce process. So it’s really important to use a strong password there to avoid it being the weakest link.


One trick is that you can enroll your TOTP codes on more than one device; the only thing the device needs is for its clock to be synced to provide the correct code.

You can store your TOTP codes in many places:

  • A mobile app like Aegis (Android) or 2FAS (Android, iOS). Those even offer a way of backing up your TOTP codes, but you need to take the proper measures to store them safely.
  • A password manager that can handle TOTP like Bitwarden (with a premium subscription) or KeePassXC.
  • A security key like the Yubikey 5 can safely store TOTP keys (up to 32) and generate them through the Yubikey Authenticator app.

That way you don’t get caught with your pants down if one of your devices dies, gets stolen, etc. Also, keep the recovery keys / backup keys in a safe place just in case of a worst case scenario.

Keep in mind that your TOTP backup and Password Manager files like KeePassXC can be the weakest link in your OPsec if you’re not careful.
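The two comments above (the `algorithm` parameter being ignored by some TOTP apps, and the same secret enrolled on several devices only needing a synced clock) can be shown concretely. The following is an added example, not code from the commenter or from any of the apps named; it implements RFC 6238 TOTP in plain Python, parses a constructed `otpauth://` URI, and simulates a device that honours the algorithm parameter, one that silently falls back to SHA-1, and one with a skewed clock. The secret is the RFC 6238 SHA-256 test seed; the label, issuer and the `device_code`/`verify` helpers are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP, with the SHA256/SHA512 variants allowed by RFC 6238."""
    digestmod = getattr(hashlib, algorithm.lower())          # sha1 / sha256 / sha512
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: the HOTP counter is simply the current time step."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (the QR code content an app enrolls)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                             # URIs usually drop base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "algorithm": q.get("algorithm", "SHA1").upper(),     # SHA1 is the default when absent
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def device_code(uri: str, now, honor_algorithm: bool = True, clock_skew: int = 0) -> str:
    """Code a device would display at `now`, given its clock skew and whether it
    honours the algorithm parameter (a buggy app always uses SHA-1)."""
    p = parse_otpauth(uri)
    alg = p["algorithm"] if honor_algorithm else "SHA1"
    return totp(p["secret"], now + clock_skew, p["period"], p["digits"], alg)


def verify(uri: str, code: str, now, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift."""
    p = parse_otpauth(uri)
    step = int(now) // p["period"]
    for c in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(p["secret"], c, p["digits"], p["algorithm"]), code):
            return True
    return False


# Constructed enrollment URI: RFC 6238 SHA-256 test seed, 8 digits, label/issuer made up.
SAMPLE_SECRET = b"12345678901234567890123456789012"
SAMPLE_URI = (
    "otpauth://totp/Example:alice?secret="
    + base64.b32encode(SAMPLE_SECRET).decode().rstrip("=")
    + "&issuer=Example&algorithm=SHA256&digits=8&period=30"
)

if __name__ == "__main__":
    now = 59  # RFC 6238 test instant; any synced clock gives the same step
    print("phone (honours SHA256):   ", device_code(SAMPLE_URI, now))
    print("laptop (honours SHA256):  ", device_code(SAMPLE_URI, now))
    print("phone clock 10s behind:   ", device_code(SAMPLE_URI, now, clock_skew=-10))
    print("buggy app (always SHA1):  ", device_code(SAMPLE_URI, now, honor_algorithm=False))
    print("server accepts buggy code:", verify(SAMPLE_URI, device_code(SAMPLE_URI, now, honor_algorithm=False), now))
```

Two independent devices holding the same secret print the same code because the only shared state is the secret and the current time step, which is why enrolling a backup device needs nothing but a synced clock. The app that ignores `algorithm=SHA256` produces a code the server rejects, which is exactly the lockout described above; a server that wants to be tolerant of such apps has to choose SHA-1 at enrollment rather than rely on every client reading the parameter.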


I’m more disappointed that Pebble was unable to find a viable financial path forward :(


Initially the software wasn’t very stable, but that was fixed over time. Overall I liked it a lot, and the available “apps” for it all filled a niche I looked for.

I switched because I wanted to go back to a more classic watch I can simply wear and forget about. I don’t have all the bells and whistles from the BangleJS2, but now I have a watch to see my notifications and step counter that I don’t need to recharge every week, the battery (CR2032) is said to last about 2 years in the GBD-200.


I would suggest to look at the models supported by Gadgetbridge and pick one from there. I know I can trust Gadgetbridge not to leak my data since it doesn’t ask for network permission.

https://gadgetbridge.org/gadgets/

I used it for several years, through multiple gadgets (in chronological order):

  • Pebble
  • Pebble Steel
  • Pebble Time Steel
  • Mi Band 4
  • Amazfit Bip
  • Bangle JS2
  • Casio GBD-200

A summary of the VPN industry from 2022 to 2023 with industry expert contributors. You can find a detailed breakdown of 2023 [in this article](https://blog.windscribe.com/the-vpn-relationship-map-2023).