"I'm interested in all kinds of astronomy."
@troed @Viss It's not hard to tell you are personally invested in this service, that's OK. As I stated, this is not a Proton problem, but unfortunately the market they are operating in shouldn't exist in the first place, because the whole thing is built on illusions. As we say around here, they don't necessarily _lie_, they just don't elaborate on all aspects of truth...

There may be some users who fully understand the tradeoffs, but they would certainly not be a viable business if they were the majority customers.

Thanks for the Threat Model link, I read that a couple years ago, but I'll do a refresher sometime.
1
0
0
@obivan @floriann @Viss @bhhaskin Cool, so offering credit card as payment option is basically a footgun they provide.
0
1
3
@troed @Viss "hand out the contents of emails which Proton cannot" - OK let's not dive into if G should have obeyed a subpoena... In both cases the accounts came under scrutiny because authorities _already knew_ email contents. Gmail would even have the benefit of not having payment info (also, cheaper).

(Btw. Proton can absolutely leak all your e-mails e.g. from the frontend they serve to you.)

"it's not victim blaming to point out bad OPSEC" - by this logic we shouldn't criticize charlatan doctors, because their patients should know medicine better?
1
0
0
@troed @Viss "Gmail just handing out everything because someone asked" This was a headline exactly because this was likely illegal. Let's assume that providers abide by the law.

"unless the account owner made the choice to communicate with less secure providers" - which is exactly why the claimed e-mail privacy claimed by Proton et al. is an oxymoron.
1
0
0
repeated

If you ask AI to rewrite the entirety of an open-source program, do you still need to abide by the original license? In philosophy, this problem is known as the Slop of Theseus

7
37
2
@troed @Viss Let's put it this way: the acc owner is in the same situation as if they used Gmail for free (if they were smart, authorities would even have a harder time connecting the person to IPs and other metadata). This is speculation, but I'd bet that the relevant comms is already collected from the users' or the recipients' devices/e-mail accounts too.

So what is exactly the value Proton provided here that the user paid for?
1
0
0
@troed @Viss I disagree. Proton convinced US people that their comms will be safe at a foreign provider (them). Were users naive to believe this? Yes, but this is victim blaming.

I agree that Proton is not the only bad provider in the market. Actually, the whole market exists because all the providers communicate dishonestly.
1
0
0
@troed @Viss The ToS will obviously point out these caveats so they won't have troubles in court. What matters is the company's communication (marketing, PR aka "oUr sERvErz aRe In SwiTZeRlAnd") because that is what people actually see and base their decisions on.
1
0
0
repeated

If you don’t build infrastructure to conduct indiscriminate and omnipresent mass surveillance, then your enemies can’t gain access to it.
https://edition.cnn.com/2026/03/05/politics/fbi-investigating-cyber-breach-critical-surveillance-network

0
3
0
@Viss @bhhaskin @floriann "subscriber information received from the Swiss Mutual Legal Assistance Treaty Unit" - so the FBI basically asked the Swiss police, that got the data and forwarded it back under the umbrella of a long-standing treaty between the countries/authorities. This should not be surprising at all btw, but somehow for many VPN customers it is.
2
0
2
repeated

so if you want to subscribe to a vpn, and you were considering proton, maybe don't

https://infosec.exchange/@josephcox/116178496048136287

3
5
0
repeated

drumroll

iocaine 3.2.0

drumroll

Documentation & nixocaine/stable updated as well.

1
1
0
@aristot73 I can't seem to find the mentioned @bert_hubert post, could you provide a link plz?
1
0
0
repeated

So, the Dutch government tried to whitewash Amazon's sovereign cloud offering, only to be called out so hard that they had to withdraw the paper.

https://nltimes.nl/2026/03/05/dutch-govt-pulls-report-dangers-american-cloud-service-criticism

1
8
0
repeated

RE: https://fosstodon.org/@kdkorte/116180140578126363

"Bert Hubert posted a blog on his website criticizing the research. According to him, the report underestimates the risk governments face by using Amazon’s new cloud service."

@bert_hubert holding the door :)

1
4
0
[RSS] Bypassing debug password protection on the RH850 family using fault injection

http://blog.quarkslab.com/bypassing-debug-password-protection-on-the-rh850-family-using-fault-injection.html
0
1
0
repeated

I've been seeing a lot of comments online about how browser telemetry is just a way to spy on users and we never actually use it, and it provides no value.

We can debate whether you think someone (Firefox or otherwise) overcollects telemetry, or doesn't collect it in a privacy-preserving enough way. And you should be able to turn it all off, for any reason.

But it's been instrumental for me, personally, to ship multiple security improvements to Firefox - and I'm just one of hundreds of developers. I wrote up some more here: https://ritter.vg/blog-telemetry.html

2
4
0
repeated

Brett Sheffield (he/him)

When looking at calculations of the environmental impact of LLM systems, consider carefully where the system boundary is drawn.

eg. Is the increased energy usage of the servers being scraped for source data included? Or the increased energy usage of every 3rd-party browser doing proof of work just to access the site? What about the network in between?

If I punch you in the face, and we want to measure the pain caused, we need to consider more than just how *my* hand feels afterwards.

0
3
2
repeated

I have just updated this old Plugin of mine: IDA Magic Strings.

https://github.com/joxeankoret/idamagicstrings

It now supports installation using hcli (https://hcli.docs.hex-rays.com/getting-started/installation/)

1
3
0