Yura Filatov

The lawsuit isn't really about WhatsApp. It's about a design where a company can read your messages - which means employees can, contractors can, and eventually a court can. "Employee access" isn't a scandal. It is not a bug, it's a feature. People should assume it happens with anyone whose keys are managed by a server. I build Occulta on the opposite assumption: no company should be technically capable of reading your data, ever. Keys are exchanged in person and live in your phone's Secure Enclave. There is no employee with access because there is no server, no account, and no company in the loop. You can't leak, sell, or subpoena what was never collected. Open source: https://t.co/JTYck4Yggp AppStore: https://t.co/IvDmkGNxg0

Governments are right to ditch Signal/WhatsApp over jurisdiction + metadata. Individuals and companies should demand the exact same level of key sovereignty. Occulta (iOS) delivers fully serverless E2EE with zero infrastructure: • Keys exchanged only in physical proximity (UWB + Diceware verification) • Private keys bound to the device’s Secure Enclave — non-extractable, non-subpoenable • No accounts, no phone numbers, no servers, no metadata Encrypted baskets can be shared over any channel (AirDrop, email, iMessage…) or delivered P2P via upcoming Wi-Fi Aware. True control, no ops burden. You are the identity custodian. App Store: https://t.co/IvDmkGNxg0 GitHub: https://t.co/lNgMMibqGm

Occulta update - version 1.7.0 1. Shamir Secret Sharing - Split encryption keys into shards that get delivered to custodians. You can set trustees to hold key shards on your behalf. When combined, shards reconstruct the original key used to encrypt a vault entry. 2. Vault backup. Setup shards for your vault backup encryption key, choose trustees and threshold (minimum number of shards needed to reconstruct the key). Trustees should not have access to the encrypted vault content. Store it in a secure location. Available in AppStore: https://t.co/IvDmkGNxg0 #privacy #identity #backup #encryption

Meta just turned off Instagram DMs encryption. Today. Their reason: “not enough people used it.” They hid the feature, then killed it for being hidden. Your Instagram DMs are now readable by Meta, trainable by their AI, and subpoenable by any government that asks. If you sent anything sensitive over Instagram — encrypt it first, then send. An Occulta file is unreadable by Meta, regardless of what they do to the transport. The channel changes. The lock doesn’t. Open source : https://t.co/JTYck4Yggp AppStore: https://t.co/IvDmkGNxg0

This is huge and confirms that the notion that the Saudis were quietly backing the US war on Iran was a complete myth. It never made sense to start with: given the eminently predictable devastating consequences the war has had on Saudi Arabia, why on earth would they have signed up for it? It also confirms that the Saudis - and, I suspect, many other actors in the region - no longer see US military presence on their soil as a a security guarantee, but instead as a vector of insecurity. Which is another way in which Iran is winning strategically. Many people were wondering what possible strategic calculus Iran could have in "mindlessly bombing all their neighbors," as many were putting it. Well, the whole point was precisely so those neighbors would do exactly what the Saudis just did. Q.E.D.

⚠️ Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch Source: https://t.co/ROEbnQ9syu Microsoft Edge decrypts every stored password into process memory the moment the browser launches and keeps them there as cleartext, regardless of whether the user ever visits those sites. A researcher who systematically tested every major Chromium-based browser for credential memory handling behavior. Edge was the only browser that exhibited this behavior, loading the entire password vault into plaintext process memory at startup and retaining it for the duration of the session. In a published proof-of-concept video accompanying the disclosure, a compromised administrator account was used to successfully extract stored credentials. #cybersecuritynews

Signal’s encryption is solid. Always has been. But their identity model has a credential: a verification code + phone number. That can be phished. And it was. It’s time to drop your reliance on the weak server based identity. Build your own identity store. Occulta has no credential to phish. Your key lives in the Secure Enclave of your device. No server holds it. No support account can ask for it. No code to steal. Even full account takeover on any channel doesn’t help the attacker. They see .occ files. Can’t open them. Can’t forge new ones. The key was never in the channel. It’s collected by you in person, stored in the Secure Enclave. Encrypt messages before dropping them into chat, verify identity of people you communicate with. Open source: https://t.co/lNgMMibqGm AppStore: https://t.co/IvDmkGNxg0 “Your identity. Your hardware. Your rules.”

Strong thread on the real attack surfaces — phone numbers, server-side keys, iCloud backups, and default non-E2EE chats are all valid problems. For anyone who needs to send **sensitive files, photos, videos or documents** (not just chat), there’s a fundamentally different model: Occulta - Zero servers, , zero downtime, zero phone numbers, zero intermediaries. In-person key exchange only (UWB + Nearby Interaction + Diceware verification words). - Identity verification on suspicions of account takeover. - True forward secrecy: ephemeral prekeys generated & stored exclusively in the Secure Enclave. - Post-quantum hybrid by default on iOS 26+: ECDH P-256 + ML-KEM-1024 (NIST Level 5), both SE-backed. Protects against harvest-now-decrypt-later even if quantum breaks classical ECDH. - Encrypt once, share anywhere (AirDrop, email, iMessage, whatever). The recipient’s device does the work — no platform can read it. Built by a security & privacy dev who got tired of trusting anyone else’s infrastructure. Local SwiftData is also encrypted with device-bound hybrid keys. If you care about owning your keys end-to-end with no trust in any service, this is the paranoid-grade solution for documents. What’s your take on truly serverless, proximity-verified E2EE for files? 👀 Open source: https://t.co/lNgMMibYvU AppStore: https://t.co/IvDmkGO55y #privacy