Before today, mailbox.org's 2FA mechanism was unorthodox. In the login screen, you typed in the TOTP in the password field and then added a 4 digit static pin at the end. This got people confused, as it's different than the usual login+password then TOTP. Now it's just like that.

There's also other goodies, like separate passwords for IMAP and SMTP, WebDAV, CardDAV/CalDAV (one password for both), Exchange Sync. Before today, you'd be using your main mailbox.org password for all of the above. Looks like IMAP access is not even possible without creating a separate password https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa/

There doesn't seem to be support for the YubiKey TOTP anymore. No passkeys or hardware webauthn either for now.

mailbox.org is based on OpenXchange.

🛡️Privacy Means Safety - Privacy Guides🔏

@privacyguides

https://www.privacyguides.org/articles/2025/03/25/privacy-means-safety/

Encryption can’t protect you from adding the wrong person to a group chat. But there is also a setting to make sure you don’t.

You can add your own nickname to a Signal contact by clicking on the person’s profile picture in a chat with them then clicking “Nickname.” Signal says “Nicknames & notes are stored with Signal and end-to-end encrypted. They are only visible to you.” So, you can add a nickname to a Jason saying “co-founder,” or maybe “national security adviser,” and no one else is going to see it. Just you. When you’re trying to make a group chat, perhaps.

Signal could improve its user interface around groups and people with duplicate display names.

I may need to visit the United States briefly, therefore I want to offline backup my text messages and signal messages from my GrapheneOS phone. Once I return home I want to restore my data from the offline backup. Does anybody have experience and recommendations for this?

I really like the convenience of using fingerprint unlock for lockscreen and password manager. I do however don't like the thought of being forced to unlock both physically.

I use Android with GrapheneOS.

I have set up lockdown, but it takes some time to hold the power button and then click lockdown.

Any creative solutions?

I recently discovered this setting and thought it might be of interest to others::

This setting is intended to help our users in the European Economic Area (EEA), the United Kingdom and Switzerland control the use of their personal data to train, test, validate, and align our own Al models as well as third-party Al models

Fastbackgroundcheck. com says there's info on me on truthfinder, spokeo, peoplefinders and instantcheckmate. When I try going through all four of those sites takes a super long time, including a few times in the past when I tried getting reports on myself.

The progress bars reach 100% and reset continously. If these sites are legimate like some reddit users claim, then why or be upfront about wanting me to pay? Right now I'm convinced that these sites are snake oil, maybe they work if you pay but the behavior of the free options turn me off. They act 100% like typical scam websites, the kind that asks you to complete three surveys on external sites with fake progress bars.

Basic info like my full name, address, age, and siblings can be found with search engines easily but I feel like there's no point in trying to wipe it if there aren't methods that could definitely work.

I have a lot of friends and family that use SMS/RCS and I can't get them all to use Signal.

I have the option to send SMS from a simple FOSS SMS app, and then we can communicate back and forth.

I've heard something about RCS getting E2EE and find that appealing.

What is the future of RCS? What are my options, and should I just stick with SMS?

Edit: Stick with SMS when I have to, and use Signal etc when possible ofc.

A contractor for Immigration and Customs Enforcement (ICE) and many other U.S. government agencies has developed a tool that lets analysts more easily pull a target individual’s publicly available data from a wide array of sites, social networks, apps, and services across the web at once, including Bluesky, OnlyFans, and various Meta platforms, according to a leaked list of the sites obtained by 404 Media. In all the list names more than 200 sites that the contractor, called ShadowDragon, pulls data from and makes available to its government clients, allowing them to map out a person’s activity, movements, and relationships.

ShadowDragon says in marketing material its tools can be used to monitor protests, and claims it found protests around Union Station in Washington DC during a 2023 visit by Benjamin Netanyahu. Daniel Clemens, ShadowDragon’s CEO, previously said on a podcast that protesters should not “be surprised when people are going to investigate you because you made their life difficult.”

“The long list of sites and services that ShadowDragon’s SocialNet tool accesses is a reminder of just how much data is accessible and collected from and about us to provide surveillance services to the government and others,” Jeramie Scott, senior counsel and director the Electronic Privacy Information Center’s (EPIC) Project on Surveillance Oversight, told 404 Media in an email. “SocialNet is just one example of the unchecked surveillance ecosystem that lacks any meaningful transparency, oversight, or accountability that allows the government to circumvent Constitutional and statutory protections to access sensitive personal data,” he added.

The leaked list of targeted sites and services include ones from major tech companies such as Apple, Amazon, Meta, Microsoft, and TikTok. It also includes communication tools like Discord and WhatsApp; activity- or hobby-focused sites like AllTrails, BookCrossing, Chess.com, and cigar review site Cigar Dojo; payment services like Cash App, BuyMeACoffee, and PayPal; sex worker sites OnlyFans and JustForFans; and social networks Bluesky and Telegram. Even relatively obscure social networks are included in the list, such as BeReal.

I haven't played Minecraft since 2015, but I get the feeling I might again in the new few years as I wanna find new hobbies. I know that game has changed a whole lot but I don't have any official online data on it.

I've had this Microsoft account for over a decade and its probably full of personal information that I wanna let go of, I've already exported all my data. I would need to pay $30 for another copy of Minecraft, same price I paid in 2013. I just did a bunch of searching and its not possible to transfer my Minecraft license to another account.

Update:

https://darkmentor.com/blog/esp32_non-backdoor/

Apple reportedly filed an appeal in hopes of overturning a secret UK order requiring it to create a backdoor for government security officials to access encrypted data.

"The iPhone maker has made its appeal to the Investigatory Powers Tribunal, an independent judicial body that examines complaints against the UK security services, according to people familiar with the matter," the Financial Times reported today. The case "is believed to be the first time that provisions in the 2016 Investigatory Powers Act allowing UK authorities to break encryption have been tested before the court," the article said.

Although it wasn't previously reported, Apple's appeal was filed last month at about the time it withdrew ADP from the UK, the Financial Times wrote today.

"The case could be heard as soon as this month, although it is unclear whether there will be any public disclosure of the hearing," the FT wrote. "The government is likely to argue the case should be restricted on national security grounds."

At launch, access to Mullvad Leta was restricted to users with a paid Mullvad VPN account, but it is now free and open to all.

Mullvad Leta has been audited by Assured.

• FAQ
• Terms of Service

Just a heads up, some of the details in the FAQ and Terms of Service seem a bit outdated and might not be accurate anymore.

Some relevant information from their FAQ section is as follows:

What can I do with Leta?

Leta is a search engine. You can use it to return search results from many locations. We provide text search results, currently we do not offer image, news or any other types of search result. Leta acts as a proxy to Google and Brave search results. You can select which backend search engine you wish to use from the homepage of Leta.

Can I use Leta as my default search engine?

Yes, so long as your browser supports changing default search engines.

Navigate to https://leta.mullvad.net/ in your browser and right-click on the URL bar.

From there you should see Add “Mullvad Leta“ with the Mullvad VPN logo to the left.

If you do not see this, you can attempt to add a custom search engine to your browser with:

• The name set to: Leta
• The URL set to: https://leta.mullvad.net/?q=%25s

You can select which backend engine to use as follows:

• Google: https://leta.mullvad.net/?q=%25s&engine=google
• Brave: https://leta.mullvad.net/?q=%25s&engine=brave

Did you make your own search engine from scratch?

We did not, we made a front end to the Google and Brave Search APIs.

Our search engine performs the searches on behalf of our users. This means that rather than using Google or Brave Search directly, our Leta server makes the requests.

Searching by proxy in other words.

What is the point of Leta?

Leta aims to present a reliable and trustworthy way of searching privately on the internet.

However, Leta is useless as a service if you use the perfect non-logging VPN, a privacy focussed DNS service, a web browser that resists fingerprinting, and correlation attacks from global actors. Leta is also useless if your browser blocks all cookies, tracking pixels and other tracking technologies.

For most people Leta can be useful, as the above conditions cannot ever truly be met by systems that are available today.

What is a cached search?

We store every search in a RAM based cache storage (Redis), which is removed after it reaches over 30 days in age.

Cached searches are fetched from this storage, which means we return a result that can be from 0 to 30 days old. It may be the case that no other user has searched for something during the time that you search, which means you would be shown a stale result.

What happens to everything I search for?

Your searches are performed by proxy, it is the Leta server that makes calls to the Google or Brave Search API.

Each search that has not already been cached is saved in RAM for 30 days. The idea is that the more searches performed, the larger and more substantial the cached results become, therefore aiding with privacy.

All searches will be stored hashed with a secret in a cache. When you perform a search the cache will be checked first, before determining whether a direct call to Google or Brave Search should be made. Each time the Leta application is restarted (due to an upgrade, or new version) server side, a new secret hash is generated, meaning that all previous search queries are no longer visible to Leta

What could potentially be a unique search would become something that many other users would also search for.

What is running on the server side?

We run the Leta servers on STBooted RAM only servers, the same as our VPN servers. These servers run the latest Ubuntu LTS, with our own stripped down custom Mullvad VPN kernel which we tune in-house to remove anything unnecessary for the running system.

The cached search results are stored in an in-memory Redis key / value store.

The Leta service is a NodeJS based application that proxies requests to Google or Brave Search, or returns them from cache.

We gather metrics relating to the number of cached searches, vs direct searches, solely to understand the value of our service.

Additionally we gather information about CPU usage, RAM usage and other such information to keep the service running smoothly.

I am not the author.

I found this blog to have both a short summary of the reasons as well as a pretty complete overview of the options for protecting against this specific threat model. I can just send this to people and they'll understand the why and the how.