This is also more than just travel or other personal situations, but also for private networks like hospitals and warehouses (think of industrial IoT deployments). These things are convenient, but there's no guardrails yet.
link to paper: www.usenix.org/system/files...
Screenshot from paper: This system is analogous to new car dealerships that purchase cars directly from the manufacturer and sell to consumers. In the case of a car dealership, the car manufacturer has a serious stake in ensuring that dealerships operate according to strict policies and procedures to avoid tarnishing the brand reputation. In the case of eSIM reselling, users are unlikely to give any consideration to who is managing and operating the eSIM profile they have just downloaded to their mobile device. MNOs and MVNOs appear to be willing to allow any party the opportunity to re-sell access to their networks. The opportunity exists for virtually anyone to establish their own online presence, selling cellular data plans to anyone with an internet connection. This scenario has serious implications for user data privacy.
Alongside possibility of data interception and location tracking and opaque ownership hierarchy of what are essentially white-label resellers, it also looks at the workflow of deploying eSIMs and weak points attackers could hit
The paper itself is not that China heavy, but it lists a lot of observed traffic routed to different, unexpected countries, including "proactive communication", the phoning-home aspect (tho it also links to a 2021 article discussing this with physical SIMs).
The article goes hard on the China angle, and for sure: who knew Irish eSIM brand Holafly is actually a subsidiary of the state-owned enterprise China Mobile? The installer runs from their servers, and wherever the phone is, it even has a public IP address in China.
New security risk unlocked, eSIMs edition, and especially the kind you pick up prepping for an international trip
www.itnews.com.au/news/travel-...
Photo- and videojournalists now have until Aug 8 to brush up on Filezilla or Cyberduck, or ask an old head
wetransfer.com/explore/lega...
Rewrite the quote βDo not cite the Deep Magic to me, Witch. I was there when it was writtenβ in the voice of Pauly Shoreβs character Stoney in Encino Man saying, βIf you're edged 'cause I'm weazin all your grindage, just chill. 'Cause if I had the whole brady bunch thing happenin' at my pad, I'd go grind over there, so dont tax my gig so hard-core cruster.β ChatGPT said: Sure! Hereβs that quote reimagined in the voice and style of Pauly Shoreβs Stoney from Encino Man: "Yo, donβt be throwin' down the Deep Magic vibes at me, buuuddy. I was totally chillinβ when they laid it down, saw the whole scroll sesh go down, major OG incantation action, ya know? So donβt harsh my mystical mellow, crusty sorceress." Let me know if you want it even more surfer-stoner or pulled back a bit!
Continue nudging the feed
And plug: I mentioned Lockdown Mode and Advanced Protection Program in a tip sheet I cowrote with @bostonjoan.bsky.social for @criticalinternet.bsky.social. If you fit the profile, these are really good and really easy things to switch on to be safer
For a comprehensive and straightforward explanation of all the things that Advanced Protection does on mobiles, @androidauthority.com has an excellent overview
Android users now have an analog to iPhone's Lockdown Mode, so now basically everyone can opt in to a more secure phone/tablet. It's part of Google's Advanced Protection Program, which if you use Gmail and work/move in a space where you're more likely to be targeted, is a great thing to enroll in
Please next Peep-flavored prawn crackers
I've been traveling so forgive me for not posting this yesterday, but: That Signal clone app for archiving messages that Mike Waltz has been using, TeleMessage? It's unlicensed. Signal was unaware of its existence until they saw it in that Reuters photo. There's no known security vetting.
Ugh. If this is pattern behavior (or policy?), then maybe links to CBS News stories should be to free archive link versions instead
Great account of what networked incitement looks like in the year 2025. Kudos to @nedmparker1.bsky.social, @mikespector.bsky.social, @bypetereisler.bsky.social, @lindasoreports.bsky.social & @nateraymond.bsky.social
Chart describing Air Quality Index (AQI) values. Read the whole thing at https://www.lung.org/clean-air/outdoors/air-quality-index
Heat map chart of AQI in Shanghai, showing 19 days at 100 or more in January 2018.
I did this in Shanghai circa 2018, when the AQI was horrendous (second pic). Above 100 was common, and an occasional spike above 400. Airnow.gov has Barnegat at 63 and forecast for 100
For my NJ people who would want to know this, really good air filters don't have to be expensive. Literally talking ~$30. In front of a strong fan, stack an activated carbon filter on top of a HEPA filter and that will screen out both the things you want, volatile organic compounds (VOCs) and PM2.5
a bundle of leeks π
Also a possible new unit of measurement. Would be nice if it's a round number, too; he's currently 1 Truss, 4 Scaramuccis in
you guys watching Office Space?
test II
Awww. But credit goes to an unnamed group chat (not that one but also that one)
Snitches gets kittehs
The Drake Hotline Bling meme template (the rapper Drake wearing a bright orange puffy coat against a yellow background, turning away and holding up his hand in the top photo, smiling and pointing βyesβ in the bottom photo): the top text reads βOPSECβ and the bottom text reads βOOPSECβ
The U.S. IC (at least the leadership)
Just popping in to say Spolsky theme is the best dark theme for vim or emacs
No-goodnik was always in Mad magazines of the 1970s.
Also, this is probably a good place to mention the Russian term 'vatnik'. Good word, much usable
Excerpt: If you can get a separate phone, you maywant to run that stripped down to essentials, with a minimal contact list and only necessary communication apps, potentially with separate accounts. This isn't a burner phone; if you think you need to go to that level, you'll have to actively do a lot more planning and care for the steps you take. Watch a 3-part series from Black Hills Information Security titled "How to Live like a Criminal - Privacy Tips for the Non-Criminal". It covers a lot more ground on planning to purchase and activate a bumer and the risks to safely maintain it, as well as awareness of how much information on you from data brokers would be available β whether to law enforcement, other investigators, or criminals.
Lotta talk now about burner phones (and nerds saying what isn't). You don't need to go super cloak and dagger for decent risk reduction. But if you want to, listen to @eanmeyer.bsky.social and @strandjs.bsky.social from @bhinfosecurity.bsky.social
www.youtube.com/playlist?lis...
Excerpt: Protester If you're going to attend a protest and feel uncertain about your communications, the most basic thing you could do is leave your phone at home, or turn it off completely while at the protest site. Make sure that you have a good passcode set to unlock your phone or laptop, as fingerprints or FacelD can be bypassed easily by force or coercion. Disable unlocking by fingerprint or facial recognition. If you have an iPhone, also consider turning on Lockdown Mode. This would disable 2G, an older form of cellular connection, which is commonly used as a fallback. Android users can explicitly disable 2G in settings too. These connections aren't encrypted and are susceptible to interception, such as from IMSI-catchers, sometimes called by a brand name Stingray.
One of the risk profiles is protesters. For them, and for more users and reasons, iPhone users should turn on Lockdown Mode. In this context, it's about IMSI catchers, which intercept calls. @eff.org just released a tool for this, and it's worth reading about, and using
www.eff.org/deeplinks/20...
Multifactor Authentication Again, any is better than none, but here the differences are significant. The simplest of these are getting codes sent by email, phone call or text message. A level up rould be using an app that generates codes. Another level up is an app that prompts /ou to accept or deny the login, and the highest security would come from a physical object, whether that's a piece of hardware in a USB key or from the built-in security chip that's made for this embedded in your phone or computer. A great chart and rundown of these are written in this blog post by security researcher Daniel Miessler.
Spoiler: One of the 5 things is using MFA. It's been a decade since learning this one thing could've prevented John Podesta from losing control of his Gmail. @danielmiessler.bsky.social wrote a great breakdown of options, so this section doesn't reinvent the wheel
danielmiessler.com/blog/not-all...
