An Analysis of GrapheneOS's Server Infrastructure

https://write.as/hcbg2iz91vzqh

GrapheneOS maintains a highly secure mobile operating system, yet its supporting server infrastructure reveals significant inconsistencies with the project's stated privacy values.

Despite claims of a transition in leadership, evidence suggests that Daniel Micay remains the central figure, as he is listed as the sole funding recipient and continues to be identified in corporate records as a director.

The project's server infrastructure relies on Arch Linux, a rolling-release distribution that lacks the immutability and verified boot features prioritized in the phone's security model.

Contrary to the project's philosophy of minimizing attack surfaces, GrapheneOS servers are configured with full software suites, including unnecessary tools like compilers and package managers.

GrapheneOS built a global DNS network to ensure independence, yet public configuration files reveal that all queries are forwarded to Cloudflare, exposing user traffic to third-party monitoring.

The project migrated its hosting from France to the United States to avoid EU surveillance legislation, despite the U.S. having an expansive surveillance apparatus and legal frameworks like FISA.

The project suffers from a low 'bus factor,' as critical infrastructure and update signing keys appear to be controlled by a single individual rather than a distributed organization.

There is a notable discrepancy between the rigorous adversarial security of the GrapheneOS mobile OS and the pragmatic, less secure approach taken toward its server scaffolding.

While GrapheneOS provides robust mobile security through features like the Titan chip and memory hardening, its community infrastructure lacks demonstrated redundancy or succession planning.

GrapheneOS functions more as an individual's project serving 400,000 users rather than the collective, board-governed organization suggested by its public framing.

Proton Mail now allows you to connect Gmail accounts directly to its platform.

https://proton.me/blog/proton-mail-connect-gmail

Proton Mail, the renowned service focused on email privacy has enabled a feature that makes it easy for users to link their Gmail accounts directly within the Proton service.

This allows users to manage messages, send emails using their Gmail address, and automatically receive new messages from that account directly in their Proton Mail inbox.

This option is particularly appealing to those who wish to start using a more privacy-respecting service without abruptly abandoning their Gmail address—whether out of necessity or for any other reason.

Incoming emails are stripped of trackers, ads, and spam; furthermore, when sent to other Proton users, they remain protected against external access.

Additionally, this feature allows users to centralize everything in a single location while transitioning services gradually.

The connection process is initiated via the account settings menu, and the feature is currently being rolled out gradually to all users.

While this offers an interesting transitional solution for some users, it is worth noting that Google continues to scan emails arriving at the original Gmail account; consequently, this feature does not eliminate the inherent privacy concerns associated with that service.

Proton previously allowed users to link or import emails from Gmail using its migration tools; however, those tools only retrieved existing messages either manually or in batches. Now, users can also send emails using their Gmail address directly from the Proton interface.

DO NOT use Telegram in sensitive applications

Telegram's MTProto: Assessing Deanonymization Potential for a Network Attacker blackGNMX-01

https://symbolic.software/pdf/gnmx-01.pdf

Telegram's MTProto protocol transmits the auth_key_id, a persistent 64-bit device identifier, in cleartext or trivially obfuscated form.

Both Telegram for Android and Telegram Desktop transmit MTProto over unencrypted TCP connections, despite the availability of secure transport alternatives.

The auth_key_id remains constant across application restarts, network changes, and extended periods, enabling long-term device tracking by any passive network observer.

The vulnerability exists at the transport layer, meaning it affects all Telegram users, including those utilizing end-to-end encrypted Secret Chats or Perfect Forward Secrecy.

Perfect Forward Secrecy does not prevent tracking because temporary authorization keys are observable and linkable across key rotations through timing and session correlation.

The use of port 443 by Telegram Desktop creates a deceptive appearance of security, as it does not implement actual TLS encryption, potentially misleading users and automated security tools.

Passive network observers, such as ISPs, network administrators, and state-level actors, can extract these identifiers without needing active attacks or protocol manipulation.

The persistence of the auth_key_id undermines anonymity tools like VPNs, as the identifier remains constant even when routing through such services.

Telegram is architecturally responsible for this vulnerability due to its decision to forgo mandatory transport-layer encryption, a standard practice for other messaging platforms.

The recommended technical solution is for Telegram to implement mandatory TLS for all MTProto connections, which would effectively eliminate the tracking capability with minimal impact.

The Trump T1 Phone

The Trumped googled and facebooked spyware phone scam

Based on the specs the T1 is a rehoused T-Mobile REVVL 7 Pro 5G (a 2024 model, which retails on Amazon $126). Wingtech/Luxshare makes it in Jiaxing, Wuxi, or Kunming China. It's not American made

It was supposed to be shipped last September. Then November. Then this year. It's now May 2026, and the phone is finally moving. I suppose "eventually shipped" counts as shipping.

T1 Phone runs on a Qualcomm Snapdragon 7 series chipset, features a 5,000mAh battery, and offers 512GB of storage with microSD support up to 1TB. Those are mid-range specs. The Snapdragon 7 series in 2026 competes against phones costing $250–$350. At $499, the T1 Phone is priced at a meaningful premium over its hardware tier, and the gold exterior and American flag back design account for much of that gap.

Trump's T1 phone will finally ship after 'final assembly' in Florida
https://www.pnj.com/story/news/2026/05/13/trump-t1-phone-ship-release-florida-assembly/90051169007/

Trump Mobile $499 Phones To Finally Ship And They're As Tacky As Ever | HuffPost Latest News
https://www.huffpost.com/entry/trump-mobile-phone-shipping_n_6a05e962e4b0ee716970765f

The Trump T1 Phone Is Finally Shipping; Here's What $499 Gets You
https://www.gizchina.com/phones/the-trump-t1-phone-is-finally-shipping-heres-what-499-gets-you

Age Assurance on the Web: Identity, Privacy & Limits of Verification

https://sphericalcowconsulting.com/2026/04/14/age-assurance/

Age assurance is an umbrella term encompassing both age verification, which uses authoritative credentials like government IDs, and age estimation, which uses probabilistic techniques such as facial recognition.

Legislative bodies globally are increasingly mandating age checks for online platforms, yet there is no unified technical standard or consensus on how to implement these requirements effectively.

Current age-restriction mechanisms, often relying on self-reported birth dates, are frequently ineffective and easily bypassed by minors.

The deployment of robust age verification systems risks creating centralized databases of sensitive identity information, which could become high-value targets for data breaches and identity theft.

Privacy advocates warn that poorly designed age assurance infrastructure may introduce new surveillance risks rather than solving the underlying harms they intend to mitigate.

Cryptographic credentials and zero-knowledge proofs offer a promising path forward by allowing users to prove age eligibility without disclosing unnecessary personal details like names or addresses.

The effectiveness of age assurance is constrained by the 'privacy paradox,' where the need for stringent verification conflicts with the goal of minimizing personal data collection.

Technical standards such as IEEE 2089 and ETSI TS 119 461 are emerging to govern identity proofing and biometric security, though they must address the ongoing arms race against synthetic media and deepfakes.

Age assurance is a multifaceted social and governance challenge that cannot be solved by technology alone; it requires coordination between families, educators, platforms, and regulators.

Infrastructure built for age verification has the potential for 'proofing creep,' where systems designed for one specific purpose are eventually repurposed for broader, unintended identity tracking across the web.

https://t.me/kazanireads

Oksigenia SOS

When you are alone in the mountains, technology is your last line of defense. Most safety apps rely on internet connection, proprietary servers, or paid subscriptions. Oksigenia SOS is different.

It is an autonomous bio-telemetry system designed to detect life-threatening situations (severe falls or prolonged unconsciousness) and automatically trigger a rescue protocol using pure SMS.

No Servers: Your data never leaves your phone.
No Internet: Works via GSM/SMS (2G/3G/4G/5G).
No Accounts: Install, configure, and you are protected.

https://github.com/OksigeniaSL/oksigenia-sos

https://apt.izzysoft.de/packages/com.oksigenia.oksigenia_sos
https://github.com/OksigeniaSL/oksigenia-sos/releases

https://labs.oksigenia.com/productos/sos

https://t.me/kazanireads

Neruppu

Neruppu (Tamil for Fire) is a modern, high-security Android application that turns your device into a sophisticated physical monitoring system. Built on the legacy of "Haven," Neruppu is redesigned from scratch using the latest Android technologies to provide an air-gapped, privacy-first security solution.

Key Features:

Intelligent Guarding: Monitor your environment using the camera, microphone, and motion sensors simultaneously.

Visual Evidence: High-speed motion analysis using CameraX captures photos when movement is detected.

Acoustic Bursts: Real-time microphone tracking automatically records audio clips when sudden noise occurs.

Matrix and telegram Alerts: Receive real-time alerts on any device using the Matrix or telegram protocol (configurable in settings).

Privacy First: Strictly offline-first architecture with encrypted configuration storage.

Smart Storage Management: Clear your security logs and physically wipe associated media files from storage with a single confirmation.

Unified UI/UX: A modern, Jetpack Compose interface with a consistent design language across all screens.

Persistent Monitoring: Robust Foreground Service ensures continuous protection even when the app is in the background.

https://github.com/thamizh-root/neruppu

https://t.me/kazanireads

Mullvad VPN doesn't pick your outgoing (exit) IP address randomly every time you connect. Instead, it uses a fixed, predictable math formula based on your WireGuard connection key

Because of a quirk in how their random number generator works, the IPs you get on different servers always follow very similar patterns

The researcher tested thousands of keys and found only 284 unique IP combinations reeee - creates an easy "fingerprint" that can link your different connections or accounts together

https://tmctmt.com/posts/mullvad-exit-ips-as-a-fingerprinting-vector/

https://t.me/kazanireads

Before Hantavirus makes its way to your country, start taking Zinc Ionophores, Zinc with Copper, and Vitamin D3 now. These are worth having in your routine regardless.

"Hantavirus, a silent weapon of war"

A clip from an X-files episode that aired over 20 years ago.

🚨🇪🇺 The European Commission is about to steal your search history in one of the largest forced data grabs in the history of the open internet, and almost nobody is talking about it.

The scope is staggering:
🔴 Every query you type
🔴 Every voice and photo search
🔴 Every autocomplete you accept
🔴 Your language, your device
🔴 Your country pinned to a ~3km² grid
🔴 Every result you saw, every link you hovered
🔴 Every click and scroll
🔴 The full chronological order of your search sessions

Meaning the European Union now knows your:
🔴 Health symptoms
🔴 Pregnancy
🔴 Sexual orientation
🔴 Political views
🔴 Religious beliefs
🔴 Financial distress
🔴 Legal trouble
🔴 Addictions
🔴 Affairs

Under the proposed measures for DMA Article 6(11), Google would be ordered to ship the daily search behaviour of hundreds of millions of Europeans to multiple third parties through a daily API feed. Any approved "online search engine," AI chatbots included, would get five years of access.

The things people only ever type when they think no one is watching. All of it now scheduled to flow daily into an open-ended list of third parties scattered across the European Union.

Brussels promises "anonymisation." The reality is a thin technical veneer that has been broken in academic literature again and again for over a decade. Search behaviour is a fingerprint. Stripping a name does not change that.

Mass data leaks become inevitable. Every new beneficiary is a new attack surface, and every annual audit is a year of silent exposure between checks. The 2025 Discord vendor breach already showed how fast 70,000 government IDs can leak through a single weak link. Now imagine that link holding Europe's search history.

Surveillance without consent becomes the default. Hundreds of millions of EU citizens never agreed to have their queries packaged and shipped to companies they have never heard of. The legal fiction of "anonymisation" cannot manufacture consent that was never given.

Behavioural search data is a goldmine for phishing, blackmail, social engineering, and corporate espionage.

Foreign intelligence services get a back door without effort. They do not need to breach Google. They only need to compromise the weakest name on the beneficiary list. One insolvent startup. One compromised contractor. One approved entity quietly acquired by a hostile state.

In the name of "competition," the EU is about to manufacture a permanent, distributed, daily-refreshed copy of Europe's collective search history. A surveillance dataset Brussels itself would never approve if any other government tried to build it.

The public consultation closes Friday, May 1, 2026 at 23:59 CEST. The final binding decision lands July 27, 2026.

After that, the door does not close again.

Tag your MEPs! File a response! Make noise!

https://x.com/i/status/2048694775520387443