null NEU

385 posts


@null_NEU

Official @null0x00 Student Chapter of @Northeastern priv/acc (Privacy Accelerationist)

Northeastern University · Joined November 2022
197 Following · 110 Followers
null NEU retweeted
Sooraj (@iAnonymous3000):
Samsung Knox is heavily oversold, and often conflated with enterprise management. Samsung does have real hardware-backed security: secure boot, StrongBox Keymaster, and Knox Vault as an isolated secure processor. But that does NOT put it in the same class as the latest Pixel running GrapheneOS.

Pixels are built to support bootloader unlock and relock with a custom OS while preserving the verified boot chain. GrapheneOS can ship a hardened alternative OS without throwing away the platform’s core security model. Samsung takes the opposite approach. On many models, especially US carrier variants, bootloader unlocking is restricted or hostile, and unlocking trips the Knox warranty bit. Once that bit is tripped, features relying on Knox trust can be permanently broken or blocked, including Samsung Pay and enterprise Knox functionality. That tells you who the platform is built for.

GrapheneOS also gives the device owner meaningful control that stock Samsung does not. You can revoke network access per app, run Play Services fully sandboxed as unprivileged apps, use hardware-backed attestation, and auto-reboot the device so sensitive data returns to a locked state after inactivity. On Pixel 8 and newer, GrapheneOS deploys hardware MTE in sync mode in a meaningful way. Samsung has had silicon with the capability, but does NOT deploy MTE in any serious user-facing hardening model.

Secure elements are an important layer. They help with things like PIN attempt throttling and protecting keys so that exploiting the OS in BFU (Before First Unlock) state is NOT enough to bypass encryption for users with weaker passphrases.
🇮🇳🇫🇷 Pramodh Gupta (@PramodhKnox):

@iAnonymous3000 What about Samsung Knox Security based Mobiles?

null NEU retweeted
Sooraj (@iAnonymous3000):
Receipts / sources for anyone who wants to check the record themselves:
- Life360’s own Q4 2025 results: 95.8M global MAU, 50M+ U.S. MAU, 2026 “Other” revenue guidance of $140 to $160M. investors.life360.com/news-releases/…
- Life360’s own Q4 2025 earnings call: “We can take our first-party data, the fact that we know that this is a household with two kids and a dog and a parent who drives to soccer practice every Saturday, and use it to serve ads, not just inside Life360, but across that entire publisher network.” fool.com/earnings/call-…
- The Markup, 2021: Life360 was selling precise location data to about a dozen brokers, including X-Mode and SafeGraph. themarkup.org/privacy/2021/1…
- The Markup, 2022: After that reporting, Life360 said it would stop selling precise location data. themarkup.org/privacy/2022/0…
- Capitol Forum, June 2025: 4,600+ Life360-linked audience segments were listed on LiveRamp’s marketplace, tied to first-party geolocation and visitation patterns. thecapitolforum.com/life360-family…
- Life360 privacy policy: Life360 says it collects, uses, and discloses precise geolocation, driving event, and movement data, including sharing with partners for advertising and monetization-related purposes. life360-legal.zendesk.com/hc/en-us/artic…
- Texas AG, Jan. 2025: Texas sued Allstate and Arity over secretly embedded software in apps such as Life360, alleging unlawful collection, use, and sale of location and movement data. texasattorneygeneral.gov/news/releases/…
- Reuters, March 2026: Allstate must face privacy claims tied to cellphone tracking through apps including Life360. reuters.com/legal/governme…
- Georgia Tech / Wired on Tile: Researchers found Tile trackers used unencrypted Bluetooth broadcasts with static MAC addresses, and anti-theft mode could hide trackers from stalking-detection scans. scp.cc.gatech.edu/external-news/… wired.com/story/tile-tra…

If you think this is “just a safety app,” explain why it has:
- a large ad revenue target
- a publisher-network monetization strategy
- thousands of marketplace audience segments
- policy language authorizing disclosure of precise geolocation and movement data
- and active legal exposure tied to third-party tracking and telematics
null NEU retweeted
Sooraj (@iAnonymous3000):
95.8 million people use @Life360 for family safety. Life360 uses the same data pipeline to build an advertising business projected at $140-160M in 2026. The same infrastructure that powers family location sharing also supports audience segmentation, ad targeting, insurance telematics, and partner monetization.

Life360 said it stopped selling precise location data after the 2021 backlash. But in June 2025, Capitol Forum found 4,600+ audience segments on LiveRamp tied to Life360-linked household and behavioral profiling, including segments involving children, income, and sensitive place visits. The contradiction is hard to ignore: Life360 told investors that data did not leave its ecosystem; LiveRamp marketplace sales were active.

The consent model is broken too. Consent is bundled at the point of entry. Agreeing to family location sharing also enables sharing with advertisers and data partners. There is NO meaningful way to consent to one without the other. Life360’s own Q4 2025 earnings call was explicit: “We can take our first-party data, the fact that we know that this is a household with two kids and a dog and a parent who drives to soccer practice every Saturday, and use it to serve ads, not just inside Life360, but across that entire publisher network.”

The security posture is weak for a company holding this kind of data. No MFA, no login rate limiting, 6-character minimum passwords. In 2024, breaches exposed 442,000 users' data and compromised Tile's internal law enforcement request tool using credentials from a former employee that were never revoked. Forensic analysis found sensitive location and messaging data stored locally in plaintext. Compromising a single device exposes data about the entire Circle. Georgia Tech researchers found Tile used unencrypted Bluetooth broadcasts with static MAC addresses, and its anti-theft mode could hide a tracker from stalking-detection scans.

The coercion risks are structural. Disabling location sharing triggers visible alerts to other Circle members. There is no stealth mode and no abuse escape hatch. Research found young people raised on location-sharing apps misinterpret partner tracking as care. The app has appeared in domestic violence proceedings in Australian coroner inquests and Indiana courts.

Children are central to the product. Their data is collected and stored, while the surrounding monetization ecosystem enables child-adjacent targeting by proxy. Minors have NO independent consent mechanism. Life360's privacy policy authorizes disclosure of precise geolocation data, movement data, and other usage information to business partners for "their own and others' advertising and monetization purposes." It is the terms of service.
null NEU retweeted
Sooraj (@iAnonymous3000):
I conducted a security and privacy analysis of DuckDuckGo's AI integrations. 4 findings stood out.

1. Location data forwarded to model providers despite "anonymization" claims. DDG's privacy docs say IP addresses are stripped before prompts reach OpenAI or Anthropic. Technically true. But their servers first perform a GeoIP lookup, extract the user's approximate city, and pass that derived location into the prompt as context. A researcher demonstrated this by querying the model for its available context. It returned the user's city. VPN replication confirmed the metadata followed the exit node, not the user's real location. [A DDG staff member later confirmed the GeoIP lookup behavior in that same Reddit thread, acknowledging it was not clearly disclosed in their policy at the time.]

2. Measurable algorithmic personalization on politically sensitive queries. DDG's core marketing claim is that every user sees the same results. No filter bubbles. An academic study tested this empirically using automated bots with varied browsing histories and geolocations. On queries related to the Israel-Palestine conflict, DDG's results showed statistically significant variation driven by location and browsing context.

3. Third-party supply chain risk through Together.ai. Duck.ai routes Llama and Mixtral queries through Together.ai infrastructure. Together.ai's Terms of Service permit retention of "Usage Data," defined as system logs, performance metrics, and model usage statistics, separate from user content. DDG's stated policy is that AI chats are deleted within 30 days. That means prompts may exist on provider infrastructure for up to a month. In 2022, they faced backlash for a Microsoft tracking exemption in their browser that contradicted their marketing.

4. Biometric exposure through voice chat. DDG launched real-time voice chat on Duck.ai, processed by OpenAI. Raw audio is streamed to external servers during the session. DDG's own documentation acknowledges that the human voice functions as a biometric identifier. They state that neither DDG nor OpenAI stores audio after the chat ends. Unlike an IP address or session token, a voiceprint cannot be rotated or revoked. If those streams are intercepted or if retention policies change, the exposure is permanent.

The pattern across all 4 issues: DDG's privacy model is policy-based, not by design. They rely on server-side anonymization and contractual controls with model providers. Every AI feature they ship adds third-party dependencies, new data flows, and expanded attack surface.
DuckDuckGo (@DuckDuckGo):

If you want to use AI, Duck.ai lets you do it privately: now with photo editing. Like our text and voice chats, the images you upload are anonymized by us and never used to train the AI. Try it out: Duck.ai > New Image > Start With An Image.

null NEU retweeted
Sooraj (@iAnonymous3000):
SailfishOS is NOT a serious mobile OS for privacy or security. The marketing says one thing. The architecture says another.

SailfishOS markets itself as open and privacy-respecting, but the components Jolla actually builds are largely closed source. Independent researchers cannot audit the most security-critical code in the system.

Android has enforced SELinux in strict mode since Android 5.0 in 2014. SailfishOS relies on basic Linux file permissions and namespace-based isolation via Firejail. Until Sailfish OS 4.0.1 Koli in 2021, there was no application sandboxing framework; apps essentially ran under basic Unix permissions with no Sailjail-style isolation. For nearly a decade, any native app could freely access your phonebook, SMS messages, and other apps' files. The current Sailjail implementation, a Firejail wrapper using Linux namespaces, is weaker than Android's kernel-level SELinux-enforced process isolation or iOS's entitlement system.

Jolla relies on old Android board support packages to run Sailfish on hardware like Sony Xperias, meaning the underlying Linux kernels are often ancient and missing years of upstream CVE patches. The attacker doesn't need to break a sandbox if the kernel itself is full of known vulnerabilities.

Installing SailfishOS on Sony Xperia devices as the primary supported hardware requires permanently unlocking the bootloader. That means no verified boot chain. The attacker with brief physical access can flash a malicious image that persists across updates. SailfishOS uses standard LUKS-style disk encryption, so with an unlocked bootloader the attacker can extract the LUKS header and brute-force short PINs or passwords offline.

Jolla has been working on migrating the Sailfish browser to Gecko ESR 91, but ESR 91 itself has long since reached end of life, and current Firefox ESR versions are multiple generations newer. Mozilla's current ESR track is ESR 128. The Android runtime security patch level on official Sailfish devices has lagged Google's monthly patch cycle by months, and some older devices are even further behind.

Running Android apps "without Google services" does NOT mean without telemetry. The AppSupport compatibility layer does NOT block app trackers. Advertising analytics, data collection, background connections all pass through unfiltered. And the layer itself is entirely closed source, which means you cannot verify its isolation guarantees. The compatibility layer also has poor app compatibility in practice. Many Android apps don't work correctly without Google Play Services.

Because SailfishOS is largely proprietary, no one else can fork it the way Russia did with Aurora OS. Russia got a state-owned fork. Then there's the ownership history. Rostelecom, partially owned by the Russian state, acquired a 75% stake in Open Mobile Platform and Votron, entities that held the largest individual shareholding in Jolla through Sailfish Holding. From 2018 to 2023, Russian state-linked capital was the single largest influence in the corporate chain behind SailfishOS. Russia got Aurora OS through commercial licensing and state ownership of the entities behind Jolla. Because SailfishOS's critical components are proprietary, no one else has that path. After the invasion of Ukraine made this politically untenable, Jolla used a bankruptcy restructuring in 2023 to sever ties. Years of closed-source code developed under that ownership structure cannot be independently verified.

"European values" is an interesting marketing angle given that history. "True sovereignty" and "European technology" also need context. The Dimensity 7100 SoC is designed by MediaTek in Taiwan and fabricated in China. The silicon supply chain is identical to any mid-range Android phone.

If you care about mobile privacy and security, @GrapheneOS on a Pixel is the verified, open source, properly patched standard.
NXT EU (@NXT4EU):

Jolla from Finland has sold the first 10,000 of their new Sailfish OS phone that doesn't use Android. It is the first mobile OS that is fully European, yet still lets you download Android apps with Jolla AppSupport. Europe is making progress 🇪🇺

null NEU retweeted
Sooraj (@iAnonymous3000):
Guido Vranken found memory-safety bugs in Coinbase’s cb-mpc library that can leak private key material. The PoC is straightforward: craft a malformed ECDSA signature that causes pubkey recovery to return the point at infinity, serialize it, and the function dumps raw process memory containing the private key.

The library architecture doesn’t help. Coinbase mixes OpenSSL internals with a forked libsecp256k1, converting points between the two using a serialize/deserialize dance. No return value checking on the serialization. The README even admits their secp256k1 point addition isn’t constant-time.

Timeline: cb-mpc open-sourced March 2025 with a Cure53 audit. Vranken publishes PoC January 16, 2026. Coinbase releases v0.1.1 with “security-focused” fixes January 21. The release notes mention fixes for OOB reads in PVE, buffer validation in serialization, and zeroizing decrypted plaintext on auth failure.

Reported bounty: $200. That’s Coinbase’s low-risk tier. For a bug that leaks private keys from an MPC library whose entire purpose is protecting private keys.

Vranken’s GitHub bio now says he’s done with open source because “society’s incessant fantasizing about restricting others’ basic freedoms has cured me of altruism.”
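The bug class described in the post above, written out as an added example that is not cb-mpc's code and makes no claim about its internals: a point serializer that rejects the point at infinity without writing its output buffer, a caller that drops that return value and ships whatever the reused buffer already held, and the hardened caller beside it. The `point_t` layout, the shared `scratch` buffer (a stand-in for stack or heap memory an earlier operation filled with key material and never zeroized) and the key bytes are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy affine point. is_infinity models the point at infinity, which has no
 * SEC1 affine encoding; a real serializer has to reject it. */
typedef struct {
    uint8_t x[32];
    uint8_t y[32];
    bool is_infinity;
} point_t;

/* Scratch buffer reused across operations. Constructed for this example: it
 * stands in for memory that an earlier step filled with a private key and
 * never zeroized, which is what makes the stale read deterministic here. */
static uint8_t scratch[65];

/* Simulates the earlier operation that left a 32-byte private key behind. */
void leave_secret_in_scratch(const uint8_t key[32]) {
    memset(scratch, 0, sizeof scratch);
    memcpy(scratch + 1, key, 32);
}

/* Uncompressed SEC1 encoding 0x04 || X || Y. Returns 0 on success and -1 for
 * the point at infinity, in which case out is left untouched, exactly as a
 * serializer with nothing valid to write would leave it. */
int point_serialize(const point_t *p, uint8_t out[65]) {
    if (p->is_infinity)
        return -1;
    out[0] = 0x04;
    memcpy(out + 1, p->x, 32);
    memcpy(out + 33, p->y, 32);
    return 0;
}

/* Vulnerable pattern: the serializer's return value is dropped. When the
 * recovered "public key" is actually infinity, nothing is written and the
 * caller emits the buffer's stale contents, here the private key.
 * Returns the number of bytes handed to the caller. */
size_t encode_recovered_vuln(const point_t *recovered, uint8_t out[65]) {
    point_serialize(recovered, scratch);      /* return value ignored */
    memcpy(out, scratch, 65);
    return 65;
}

/* Hardened pattern: check the return value, fail closed, and only copy bytes
 * the serializer actually produced. Returns 0 on failure. */
size_t encode_recovered_safe(const point_t *recovered, uint8_t out[65]) {
    uint8_t tmp[65] = {0};
    if (point_serialize(recovered, tmp) != 0) {
        memset(out, 0, 65);
        return 0;
    }
    memcpy(out, tmp, 65);
    memset(tmp, 0, sizeof tmp);   /* do not leave a second copy behind */
    return 65;
}

/* One scenario end to end: a prior operation leaves the key in the reused
 * buffer, then recovery from a malformed signature yields infinity and the
 * result is encoded. Returns how many key bytes appear verbatim in the
 * emitted output: 32 means the whole key leaked, 0 means nothing did. */
size_t key_bytes_leaked(bool use_safe_path) {
    const uint8_t key[32] = {
        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
        0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x20 };
    point_t infinity;
    memset(&infinity, 0, sizeof infinity);
    infinity.is_infinity = true;           /* what a bad signature recovers to */
    uint8_t out[65];

    leave_secret_in_scratch(key);
    size_t n = use_safe_path ? encode_recovered_safe(&infinity, out)
                             : encode_recovered_vuln(&infinity, out);
    if (n < 33)
        return 0;
    size_t leaked = 0;
    for (size_t i = 0; i < 32; i++)
        if (out[1 + i] == key[i])
            leaked++;
    return leaked;
}

int main(void) {
    printf("unchecked serialize: %zu key bytes leaked\n", key_bytes_leaked(false));
    printf("checked serialize:   %zu key bytes leaked\n", key_bytes_leaked(true));
    return 0;
}
```

The two things the hardened path does that the vulnerable one does not are the same two items the post quotes from the v0.1.1 release notes: validate the serialization result before trusting the buffer, and zeroize working memory so a later failure cannot expose it.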
null NEU retweeted
Sooraj (@iAnonymous3000):
My Web3Privacy Now Awards 2025 submission is live. As a security researcher, I spend a lot of time thinking about privacy tooling. The Samourai Wallet and Tornado Cash developer cases are worth paying attention to. The legal theory being tested here has implications for anyone building in this space.
Web3Privacy Now (@web3privacy):

Web3Privacy now Awards 2025 are live! @iAnonymous3000 x @brave submission:

Favourite pro-privacy project:
+ @GrapheneOS - making hardened Android accessible to regular users
+ @Zcash - continued leadership in on-chain privacy with shielded transactions
+ @signalapp - still the gold standard for private messaging, post-quantum encryption rollout was significant

Major news:
+ Convictions of @SamouraiWallet developers and @TornadoCash's @rstormsf - set dangerous precedent that writing privacy-preserving code can be criminalized
+ @telegram quietly updated terms to hand over user data to authorities

Key event:
+ @defcon 33 - Crypto & Privacy Village (Las Vegas)

The most exciting innovation (research, protocol etc):
+ @Zcash's Project Tachyon - uses proof-carrying data to let wallets sync privately through untrusted servers, solving the scalability problem that has held back private payments
+ Post-quantum tipping point with ML-KEM - @Cloudflare's October report confirmed over 50% of human web traffic now secured by post-quantum key exchange, effectively mitigating “harvest now, decrypt later” threats at scale

Doxxer of the year:
+ @mozilla - updated their Firefox privacy policy to allow selling user data, a betrayal from an organization that built its reputation on protecting users

awards.web3privacy.info #w3pnawards2025

null NEU retweeted
LukΞ Mulks 🦁⟁◎⟁ (@lukemulks):
I find it really interesting that while privacy continues to build momentum and trend on the timeline, it's trending alongside a self-custodial Base app with invasive, hungry and persistent user data collection policies. Unpacking in 🧵👇
jesse.base.eth (@jessepollak):

The @baseapp is now open to everyone. Now the real work begins. base.app

null NEU (@null_NEU):
@AskPerplexity Analyze this post and answer in detail
Sooraj (@iAnonymous3000):

Please answer the following questions in detail to help me evaluate @perplexity_ai's privacy practices. Focus on potential red flags and critical privacy concerns.
1. What specific personal information does Perplexity collect? (e.g., names, email addresses, location data, search queries)
2. Does Perplexity share user data with third parties? If yes, what data, with whom, and under what conditions?
3. What is Perplexity's data retention policy? How long is data kept, and what happens after it's no longer needed?
4. Can users request data deletion? If so, how, and are there any limitations?
5. Does Perplexity use hidden tracking technologies (e.g., cookies, pixels)? Can users opt out?
6. Are there any known privacy issues or controversies with Perplexity? (e.g., data breaches, misuse of data, legal disputes)
@AskPerplexity

null NEU retweeted
TCM Security (@TCMSecurity):
Applying for jobs right now? Here are some real-world tips on what to avoid during your job search:
✅ Interview Prep: Make sure your interview skills are up to par. Practice before any interview that might come your way.
❌ Lying on Your Resume: Be honest; lying on your resume is likely to come out at some point, and that’s a surefire way to lose a great opportunity.
If you have any additional tips or insights, drop them below. We’d love to hear the community’s take on this!
P.S. Brush up on your interview abilities with our free course, Soft Skills for the Job Market: tcm.rocks/ss-x
null NEU (@null_NEU):
📌 Note: Current team members must also apply if interested in this position.
null NEU (@null_NEU):
🚨 Exciting News for Security Enthusiasts! nullNEU is now accepting applications for Finance Head! 🎓 As members of our E-board are graduating, we're looking for a passionate cybersecurity enthusiast to join our team! Link: cryptpad.fr/form/#/2/form/…
Sooraj (@iAnonymous3000):
@JackRhysider I started @null_NEU at my school to bring like-minded folks together at @Northeastern with a mission to spread security awareness and promote advanced research.
Jack Rhysider 🏴‍☠️ (@JackRhysider):
If you're building a cool app or tool or website or startup I'd love to hear about it! I get excited watching people create cool things.
null NEU retweeted
USCIS (@USCIS):
Immigration scams target potential applicants. These scammers will call & urge you to renew your status & will request payment by phone. Know that we will never call & ask you to pay any fees by phone. If you’ve been targeted, you can report it here: uscis.gov/scams-fraud-an…
null NEU retweeted
Sooraj (@iAnonymous3000):
Hey @Northeastern fam! 👋 We (@null_NEU) recently launched something cool - the Husky Safety Initiative! Our mission? Empower students, faculty, and staff with user-friendly, privacy-first tools that keep your online life safe and sound. I’m the research lead behind this effort, and I’d love to hear your thoughts. cc: @KhouryCollege Grab our recommendations: nullneu.org/tools/
null NEU (@null_NEU):
@KagiHQ We are Null NEU - a cybersecurity club at @Northeastern. We are working on a research project to list the best tools in terms of privacy & usability to help our community. We heard about Kagi Translate and are super impressed. How private is it? nullneu.org/tools