Trust me I’m human! #Linux admin with #DevOps - former @CloudImperium, @Ubisoft and @OVHCloud - #AI and #K8S enthusiast (CKAD, CKA, CKS) - Opinions are my own.

Joined July 2009
May 14
You remember your privacy? Well, um... how to say it... RIP. It's now a word from the past.
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends to do too. Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement.

Over the long term, this will increasingly lock out hardware and OS competition. The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.

Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web. Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems: support.google.com/recaptcha…

Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's Privacy Pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web. Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more. Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which include forcing the bundling of Google Chrome, etc. It's enormously anti-competitive.

Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out. Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it. It doesn't provide a useful security feature, but it does lock out competition very well.

Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source. Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them. Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.

reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that. This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere. Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
o_be_one retweeted
Mar 17
“Dude did you vibe code this slop? This feature sucks!” Been getting this more recently. And no, I didn't “vibe” it. Did you ever consider, for one single second… That I might just be retarded? And I wrote this organic slop myself?
o_be_one retweeted
Someone builds a project management tool with Claude Code over a weekend. Ships it. Tweets "just replaced Jira." The app works. One user, happy path, localhost. Then two people edit the same record simultaneously, and the data is silently corrupted. They don't know what an optimistic lock is. They never needed to before. The prototype is maybe 1% of what makes software actually work. The other 99% is what you find after real users show up: race conditions, failed transactions, sessions expiring at the wrong moment, a payment webhook that fires twice and charges someone double. AI didn't cover any of that. It built exactly what you asked for. And the confidence is the worst part. "Just need to adjust a few things before we go live." The few things you need to adjust are the product. That's like laying a foundation and telling people you basically built the house. Vibe coding works. For personal tools, throwaway scripts, and prototypes you'll never put in front of paying users, it's genuinely fast and good enough. I use it. But there's a hard ceiling, and it shows up the moment the stakes get real. Agentic engineering is a different discipline. You're not prompting for code. You're decomposing problems, designing system boundaries, writing specs precise enough that the agent doesn't go sideways. You review everything it builds, because it will make mistakes that only look wrong if you know what correct looks like. You guide it. You catch what it misses. If you don't know what a distributed transaction is, the agent won't save you. It'll generate something broken with complete confidence, and you won't know until production. The hard part of software was never writing the first 200 lines. It never was.
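The lost-update problem the post names (two users editing one record, the second write silently clobbering the first) and the optimistic-lock fix, as an added example that is not part of the original post. The in-memory Store and its version column are constructed stand-ins for a database table updated with `UPDATE ... WHERE id = ? AND version = ?`.

```python
"""Optimistic locking: a stale write is rejected instead of corrupting data."""
import threading
from dataclasses import dataclass


class StaleWriteError(Exception):
    """Raised when the caller's version no longer matches the stored row."""


@dataclass
class Record:
    data: dict
    version: int = 0


class Store:
    """Constructed in-memory table; the lock emulates the database's
    atomic row update, not application-level locking."""

    def __init__(self):
        self._rows: dict[str, Record] = {}
        self._lock = threading.Lock()

    def insert(self, key: str, data: dict) -> None:
        with self._lock:
            self._rows[key] = Record(dict(data))

    def read(self, key: str) -> tuple[dict, int]:
        with self._lock:
            rec = self._rows[key]
            return dict(rec.data), rec.version

    def blind_update(self, key: str, data: dict) -> None:
        """The prototype's behaviour: last writer wins, no version check."""
        with self._lock:
            self._rows[key].data = dict(data)

    def update(self, key: str, data: dict, expected_version: int) -> int:
        """Compare-and-set: only succeeds if nobody wrote since we read."""
        with self._lock:
            rec = self._rows[key]
            if rec.version != expected_version:
                raise StaleWriteError(f"{key}: expected v{expected_version}, found v{rec.version}")
            rec.data = dict(data)
            rec.version += 1
            return rec.version


def concurrent_edit(store: Store, locked: bool) -> tuple[bool, dict]:
    """Two clients read the same row, then each writes its own field."""
    store.insert("task-1", {"title": "Ship it", "status": "open"})
    a_data, a_ver = store.read("task-1")
    b_data, b_ver = store.read("task-1")  # both see version 0
    a_data["status"] = "done"
    b_data["title"] = "Ship it (renamed)"
    rejected = False
    if locked:
        store.update("task-1", a_data, a_ver)  # version 0 -> 1
        try:
            store.update("task-1", b_data, b_ver)  # stale read: rejected
        except StaleWriteError:
            rejected = True  # client B must re-read and retry
    else:
        store.blind_update("task-1", a_data)
        store.blind_update("task-1", b_data)  # silently drops A's status change
    return rejected, store.read("task-1")[0]
```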
Jan 23
More and more experienced open source projects with a proven influence on everything we have today are updating their notices to protect themselves from « vibe coders » without non-AI dev experience. Really interesting!
"We will ban you and ridicule you in public if you waste our time on crap reports." - cURL's team
23 Dec 2025
Here is why I follow and appreciate Privacy Guides so much! Always on point regarding privacy, strong community, complete selection process. This thread was about Proton. If you don't know Privacy Guides, check them out; they write good docs that are easy to understand 😎.
Replying to @o_b @DoingFedTime
We would probably want to look at what data is being handed over in these cases, rather than the absolute number of requests being complied with. The point of recommending private *by design* services is that the information the service can hand over is highly limited. We do not expect any service to not comply with legal requests, but we do expect services to collect as little data as possible in the first place, so that when they do comply with such requests they are not able to cause a significant impact. Now that being said… Proton does have access to collect a lot of information about a user at any given time. Your data is mostly only protected by their encryption at rest. If they are fighting back against requests to intercept and collect data, while “complying” with requests where their response is essentially “we cannot provide any details” then these numbers could be quite good. If they are handing over sensitive information though, then obviously the numbers are worse. I don’t see evidence of that in this thread but I’ll put it on my list of things to look into further.
22 Dec 2025
I stopped when I was 23. What's the point of non-stop fixing issues for every personal thing I want to do? It's already my job and hobby. I want a peaceful space when I just chill. That's why I appreciate Apple: it just works, nothing to customize or fix or set up. What about you?
By age 40, a Linux user stops trying to install Arch on a toaster just to prove they can. They finally settle on Debian Stable or Mint because they realize they no longer have the "mental bandwidth" to spend 6 hours configuring stuff/fix broken systems just to check their email
17 Dec 2025
Mozilla's new CEO pushes AI in Firefox, but it's losing users due to:
• High memory vs. Chrome
• Privacy worries from Google deal
• Annoying UI changes
AI bet: Short-term dip, but could it reclaim its market share… or flop? blog.mozilla.org/en/mozilla/… #BrowserWars #Mozilla
9 Dec 2025
🧵1/6 Hack story hits home—reminds me of early non-profit Minecraft days. 0 budget, no shop, no pay. Pure passion for safer spaces. Then: forum defaced via leaked admin pass. 😤
Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell. I don't have a bug bounty program. I never asked for a security assessment. I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty." Bounty? I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes." They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup) They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes. My customers' data was on that server. I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me." Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout. They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI. Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing." A pen what? I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization. Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground. 
I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first" I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account. There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor. But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes. Hero.
9 Dec 2025
5/6 Young hackers chase quick $$, blind to damage. Seen it rise with AI "vibe coding" hype—cool till your SaaS vanishes. Impact > ego.
9 Dec 2025
6/6 OVH Minecraft ops taught me: logs & backups save lives. Your worst hack story? Drop it. Tag a dev who’s been there. #CyberSec #DevOps
9 Dec 2025
Modern problem: AI can ban you. But you need a human from a cut-down support team to resolve a false positive. This is worrying, and it's happening on YouTube as well. Companies should be accountable for their experiments on users; it's causing damage. What do you think?
Replying to @Meta
@Meta Can you please wake up?
8 Dec 2025
Do you know other « Easter Eggs » like this?
8 Dec 2025
Cloudflare cooked with this interactive SVG logo in the footer. → workers.cloudflare.com
7 Dec 2025
Considering the recent surge in RAM prices, it almost feels like a pivotal moment for Steam to step in and rally to save PC gaming once more. Maybe this is the push that encourages them to innovate or find new ways to support gamers through these challenging times.
7 Dec 2025
Oh, new day, new story! SimpleX Chat is known for its great support for privacy. But their X business account had a security issue and posted a scam. Netlify and other big companies retweeted it, affected by the issue too. X Support and Safety were asked to check.
6 Dec 2025
This is a scam via some delegate account compromise.
6 Dec 2025
I somewhat agree with this take. Past history has shown how people were controlled using this network. On the other hand, I love to spend time here because there are people so interesting to me. From consumer tech specialists to deep computer science experts, they fascinate me.
People keep calling X a “free speech” platform. It’s not. It’s a propaganda delivery system. Most of what you see isn’t debate - it’s disinformation and engineered noise designed to confuse and anger you.
6 Dec 2025
This is a very good demonstration of how little « vibe coders » understand what they are doing. The AI magic creates a false sense of ease and productivity, which will end up costing users dearly (data theft, the SaaS disappearing, etc.). Be careful.