*sighs and adds another slide to the slide deck for her next keynote*
I know that bad news is coming when a co-worker messages me with "You're gonna be so mad..."
Grammarly has rolled out an AI-powered "expert review" feature where its simulacrum of me makes suggestions for your text. My real edits are usually along the lines of "Throw this into the sea."
New Signal ad campaign just dropped.
Attribution is hard. And there is a difference between getting a contractor on the record attributing the toolkit and a bunch of infosec dudes sitting around pontificating about how "everyone knows."
I haven't asked Proton to do anything. I point out that their marketing is at least partially responsible for misunderstandings about what they do and do not protect and that their marketing is unlikely to make changes that point these nuances out.
In this particular case, the issue is not privacy, it is anonymity. And they could have gotten it by paying Proton with cash, which Proton accepts. The deeper issue is that there is a lot of misunderstanding about what Proton protects, how, and against whom.
I am not, to use another example, asking Signal to start a marketing campaign that includes the language "All chats are e2ee no matter what, but if you add an editor from The Atlantic to your Bomb Yemen chat, there is nothing we can fucking do for you."
No worries. I have great respect for both your technical skills and your threat modeling.
1. Our mileage varies a great deal. 2. My point is that this misunderstanding exists and any suggestion I have for how Proton should clear that up will not be implemented because it does not help Proton sell their services, so why should I do this dance for you?
There are very few threat models for which I recommend self-hosting an email server, precisely because it is costly, time-consuming, and hard to do securely and effectively.
I don't work in Proton's marketing department. I work in security/privacy education for vulnerable populations, so I encountered this misunderstanding very often. The things I would like Proton to do to make my job easier are not the things a marketing dept would do.
It is not different. My point is that a lot of people don't understand that and use or recommend Proton mail because they think it offers protections that it does not.
"The limitations of this approach are obvious when looking at this malware fleet. We observed an instance where a basic Go binary was deployed to steal browser credentials, but developers left a template placeholder where the command and control URL should have been."
I've been expecting to see this shift for a while and it is interesting to see it actually starting to happen.
I think that a lot of people misunderstand what Proton will and will not do to protect their data/metadata/accounts and that at least some of that misunderstanding is because of the language Proton uses to market itself and describe its services.
It is true that Proton is located in Switzerland and responded to a legal request from the Swiss authorities. But it is also true that most people do not know what an MLAT is and there is a widespread misunderstanding that using Proton will protect your account from US govt requests.
Some companies do fight court orders. I don't remember who described Twitter's lawyers back in the day by saying "they'd fight God." But if I was expecting a court order, I would not count on my email provider to defend me.
You may look at a problem and think "Aha! The solution is to run my own email server." Now you have two problems: Google is marking all of your email as spam, an unknown number of threat actors are using your server to spread malware because you forgot to patch something, and a small pile of subpoenas.
As a person who has spent a lot of time as the admin of an email server, I would not recommend this to the vast majority of people.
This is not a situation in which using Tor would have preserved the account owner's anonymity.
There are people who use Proton Mail who are not aware that this is a risk and it is good for them to know.
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: www.404media.co/proton-mail-...
This is an issue I care about a lot and I keep a close eye on it.
It is more important than ever to find ways to rein in these companies and it is harder than ever because more states want to reserve the right to use their tools instead of rolling their own.
"For the first time since we began tracking zero-day exploitation, we attributed more zero-days to commercial surveillance vendors than to traditional state-sponsored cyber espionage groups."
Love to see the stats backing up my hunch.
cloud.google.com/blog/topics/...
Do you work in fundraising? Do you want a job that isn't evil? Signal is hiring a director of major gifts: jobs.lever.co/signal/68f75...
I aspire to one day have a fraction of the confidence of a mediocre white man sitting down to do an interview with Isaac Chotiner.
The data from your Meta Ray Bans is used to train Meta's AI, which most people don't understand means that humans are looking at the most intimate details of their lives. www.svd.se/a/K8nrV4/met...
I'm reading a bunch of Coruna reports after dinner because I am a cool person who knows how to party. Of particular interest: not only does Coruna not work against iOS in lockdown mode, but if it even detects lockdown mode running, it bails. This is why I talk about lockdown mode so damn much.
New from 404 Media: CBP tapped into the online advertising ecosystem to track people's movements, according to an internal DHS document. Shows for the first time DHS tracked phones via the process for putting ads in ordinary apps—video games, fitness apps, many more www.404media.co/cbp-tapped-i...