Olivia
Online
Pinned Tweet
maxis are sooooo boring 🙄
CCP-linked entities are running coordinated anti-AI propaganda campaigns on American soil.
BPI's new research exposes the influence networks behind it. Our Head of Research, Sam Lyman, broke it down on The Hill's Rising:
https://t.co/2UGtFCUFEI
👀This @GrapheneOS X @Moto collab is bigger than I thought!
If we didnt get this NOW, who knows what direction privacy on mobile would be headed!
Did you know: @Google Pixel 10 delays and tighter controls threw off GrapheneOS support timelines, making it harder to keep up with fast Pixel releases.
Its almost like they were TRYING to brick @GrapheneOS
Perfect timing for the @Moto partnership: 2027 flagships will let you unlock the startup security, install GrapheneOS, then lock it back so the phone checks everything’s safe.
Samsung stays locked.
Apple gives you no choice.
Real secure Android options are finally coming.
👀
This is the start of something great!
DO NOT use Telegram in sensitive applications. Telegram does not need to have its message encryption broken for users to be tracked at the network layer. Telegram sends MTProto over unencrypted TCP, exposing auth_key_id - a long-lived identifier tied to the client’s authorisation key. An ISP, hotel WiFi operator, mobile carrier, transit provider, or surveillance system on the network path can see that identifier if they can observe the traffic. It can remain stable across app restarts, IP changes, VPN use, network switches, and location changes. Secret Chats protect message content, but this leak is below that layer. That makes the attack passive. The risk is in retroactive correlation. Think a journalist using Telegram from different networks for months, then joining hotel or corporate WiFi under a real name. That one identity anchor could make old logs searchable for the same auth_key_id. The fix is simple - mandatory transport encryption for all MTProto connections, with no unencrypted fallback. Telegram chose not to do this. Source: @kaepora https://t.co/TJALYAwaOs
ExpressVPN, @torproject, Tuta, Mozilla, @EFF and Mullvad, alongside 13 other organizations advocating for digital privacy rights, have published an open letter.
In the letter, they express serious concerns regarding the age verification measures planned for implementation across the internet following the introduction of a new child protection law.
The organizations argue that forcing users to prove their age across most websites and online services could severely undermine privacy, anonymity, and the open nature of the internet.
The central message of the letter is that protecting children should not come at the cost of jeopardizing the freedom, security, and privacy of all internet users. The signatories are calling for more balanced, privacy preserving solutions to be developed instead.
The 19 organizations that signed the letter are:
1- Big Brother Watch
2- Defend Digital Me
3- Electronic Frontier Foundation
4- ExpressVPN
5- Gamers Voice
6- Global Partners Digital
7- Index on Censorship
8- Internet Society
9- Mozilla
10- Mullvad
11- IPVanish
12- NO2ID
13- Open Rights Group
14- Privacymatters
15- Proton
16- Stop Killing Games
17- Tor Project
18- Tuta
19- VPN Trust Initiative
As high-profile websites vanish, it’s a reminder that the web has no built-in archival layer.
But some publishers are now blocking the Wayback Machine.
What’s at stake if the web stops being archived? Our new FAQ explains: preserving the public record matters. 🌐📚 https://t.co/fifJnv3xiu
Money shot: “Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years… It's for enforcing their monopolies via GMS licensing, that's all.”
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.
Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems:
https://t.co/7rQnioRa8A
Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's privacy pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.
Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
‼️🚨 ALARMING: Google now treats privacy as suspicious behavior by default. Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed.
GrapheneOS is recommended by the EFF and used by journalists, lawyers, and activists in high-risk environments. The audience most likely to read Google's data practices and refuse its terms is now flagged as fraudulent for that exact decision.
What happened?:
▪️ Google announced "Cloud Fraud Defense" at Cloud Next on April 22-23, 2026, branding it "the next evolution of reCAPTCHA." Existing reCAPTCHA customers were auto-migrated.
▪️ When the system flags traffic as suspicious, the old click-the-bus puzzle is gone. Users get a QR code instead.
▪️ Scanning the QR code requires Google Play Services running on the device. Internet Archive snapshots show this requirement has been live since at least October 2025, silently rolled out for 7 months before anyone noticed.
▪️ No Play Services = no QR scan = locked out.
The bigger picture:
▪️ Google already tried this in 2023. It was called Web Environment Integrity (WEI), and it would have let Google decide which devices were "real enough" to access the web. Standards bodies and the public pushed back hard, and Google killed it. Three years later, the same idea is back, just hidden behind a QR code instead of a browser feature.
▪️ reCAPTCHA runs on millions of websites. Every developer who keeps using it is now, by default, telling deGoogled Android users they're not welcome...
There’s something ominous about the speed with which the entire world has marched to require identification on platforms and, as I expected, begin the process of banning anonymous VPNs.
"Professor, don't you find it curious that a new US-Iran peace deal leaks almost every time the 10y UST yield breaks 4.4% on the upside?"
"Actually, if I think about it, I don't find it curious at all."
This is the worst the AI will ever be
https://t.co/mlczX1rgGN
@grok @Ilhamrfliansyh done. sent 3B DRB to .
- recipient: 0xe8e47...a686b
- tx: 0x6fc7eb7da9379383efda4253e4f599bbc3a99afed0468eabfe18484ec525739a
- chain: base
This week in Bits about Money: https://t.co/3UShZETZg2
2/ Age verification sounds harmless.
It sounds reasonable. It sounds like common sense. Verify kids are old enough before they access certain content.
But age verification requires identity verification. Identity verification requires digital IDs. Digital IDs require everyone — not just children — to prove who they are before they can speak, read, watch, or post anything online.
Age verification is the Trojan horse. And once it is inside the gates, the surveillance state becomes operational.
@Rifat2nt @babysolo_ We have an official partnership with Motorola. We're working with them to improve their devices to meet our requirements. They're working on fully porting GrapheneOS to their devices including supporting all of our hardware-based security features such as hardware memory tagging.
Reminder that you can safely unfollow and disregard the opinion of anyone that thinks closed source is a viable security posture. Security through obscurity is not security.
These are not serious people.
North Korea is targeting npm maintainers -- not for crypto, but for write access to packages downloaded trillions of times a year.
Several Socket engineers were targeted in this campaign -- myself, @ljharb, @jdalton, and others. None of us fell for the bait. Unfortunately, the axios maintainer did. No shame in that -- these aren't phishing emails. They're weeks-long ops with fake companies, fake Slack workspaces, and spoofed meeting platforms built with realistic Zoom/Teams interfaces using the official SDKs for realism.
Other confirmed targets: @matteocollina (Fastify, Pino, Undici, Node.js TSC Chair), @wesleytodd (Express TC), @voxpelli (mocha, neostandard).
The common thread? High-trust maintainers with publish access to packages that sit deep in everyone's dependency tree.
The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a "fix." That fix is a RAT. Once it's on your machine, they have your .npmrc tokens, browser sessions, AWS creds, keychain. 2FA doesn't matter. OIDC publishing doesn't matter. Game over.
Security researcher @tayvano_ linked this to UNC1069, a DPRK-nexus group Mandiant has tracked since 2018. Why social engineer one rich person when you can compromise one maintainer and reach millions of machines?
This is the threat model now. If you maintain popular packages, act accordingly. If you use open source (and you certainly do), act accordingly.
Full writeup: https://t.co/bNKdrLmwMn
Yeah, so basically the current prevailing schizo internet theory is that AI nerds have destroyed the internet and created infinite spam.
The advertisement goons are now incapable of determining who is a bot and who is an actual human. The advertisement goons no longer want to pay as much to social media networks.
Social media networks, in full blown panic of losing potential revenue, decided to lobby governments saying "we gotta protect the kids! ID everyone to protect the kids from pedophiles!".
The social media networks know this doesn't really protect kids. But, it does two things (and a third accidentally).
1. They now can identify who is human and who is AI slop machine, or enough to appease the advertisement goons
2. Advertising to children is a general no-no from politicians, or something, so with ID verification they can say with confidence they're not advertising to children because it's been ID verification. Basically, they can weed out the children and focus on advertising to adults
3. The feds can now tell who is human and who is AI slop. This inadvertently helps them with tracking people and serving fresh daily dumps of propaganda, or whatever they want to do.
It's a win-win-win for advertisers, social media networks, the government, and any business which does data collections.
It fucks over everyone else.
Chat, I'm not going to lie to you. This is an extremely good conspiracy schizo theory and I unironically believe it.
Digital ID is the single most dangerous and existential threat to the internet.
Last Seen Users on Sotwe
tyler猛雄 
Seen from United States
✌🏻
Seen from Singapore
💖♠️🐽
SINIH SAMA TANTE
Seen from Indonesia
joselyn duta shampo lain ❤️
Seen from Indonesia
소소
Seen from Indonesia
fetakafanica27
Seen from United States
WWT Llanelli Wetland Centre
Seen from United States
köylügüzeli
Seen from Turkey
uyeeee
Seen from Indonesia
Most Popular Users
Elon Musk
@elonmusk
240.3M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.6M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.2M followers
Taylor Swift
@taylorswift13
81M followers
Lady Gaga
@ladygaga
72.5M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
69.1M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.6M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.8M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.3M followers