It is not clear that this is the app that will be used for the new watches. I imagine it will support the new RePebble watches, but I believe that app was intended for the original Pebble watches.

The thing that makes it so unclear to me is that this is a repo owned by the Rebble team, not the RePebble team. I do not know how much overlap there is between the two teams, but the RePebble team does not have any open source repos that I could find. Any mention of open source software by RePebble (including the OS) are links to repos owned by other teams, which is a little concerning.

I understand that the watch operating system is open source. However, it seems that the watch will connect to a companion smartphone app. Do you know if the app is a requirement and/or if the app will be open source?

There is no one-size-fits-all solution and there likely isn’t a solution that works for everyone even in specific situations due to different threat models. Purchasing and using a custom domain is often listed as a good practice for maintaining a person’s privacy. However, it can be even more detrimental to a person’s privacy than just using a trusted email masking/forwarding service and trusted email provider. For example:

• The domain is purchased without WHOIS protection (or without using non-personal information) or the WHOIS protection is not renewed
• The email server is hosted on hardware that can be linked to other services that identify the individual (eg: the email is self hosted using a home IP address)
• A self hosted email server is configured in a way that leaks information or is configured insecurely
• The email domain is used by only one person, which enables agencies to link each individual, unique email address back to that individual and create an aggregated profile across various accounts/services
• If the domain/DNS is not configured properly (or if the domain is not renewed), then the domain (and thus the email accounts) can be hijacked, which could lead to any additional accounts/services that are still using the domain vulnerable to a take over attack
• The email server is hosted by a privacy invasive company/service
• The person assumes that all emails are private since they use a custom domain on a trusted email provider (or self hosted email server), but continue to send emails containing sensitive information to email accounts running privacy invasive email services (eg: Gmail)

Please note that I am not saying that this is not a good option, but I just wanted to note some of the things that should be considered if a person decides to use a custom email domain to improve their digital privacy.

My beef with them is that they’re either pushed by scammer to empty honest but gullible people’s bank accounts, or they’re used to pay for illegal activities because they’re totally opaque and unregulated.

Scammers also use gift cards, checks, wires, cash, bank accounts, investment funds, and many other means to accomplish this. Several of them are tightly regulated and it does not seem to deter or prevent the scams from occurring.

My other beef is that they’re really securities and they’re not subject to the rules on securities for a reason that totally escapes me.

Admittedly, I am not well versed in this area. Do you foresee a way to properly subject cryptocurrencies to the same/similar regulations as other securities while still providing many/all of cryptocurrencies’ benefits, including anonymity? Are the legitimate cryptocurrency exchanges (eg: Coinbase) not subject to those regulations? How different is this from individuals being taxed on gains/losses from cryptocurrencies?

I don’t do cryptocurrencies both out of self-financial preservation, and also because I refuse to participate - and thus promote - stuff that’s generally bad for society as a whole.

The first part is in relation to investing in cryptocurrency moreso than using cryptocurrency.

What makes cryptocurrency generally bad for society as a whole? While I am not familiar enough with the current estimates, I know there are environmental concerns (eg: water/electricity usage, required hardware, etc.). I concede that the environmental impacts may be (and likely are) worse than traditional fist currencies, I am unaware of other reasons that make cryptocurrency generally bad for society as a whole.

Trump loves em

Many privacy advocates also love cryptocurrency. Two different people or groups of people (no matter how similar or different) can have one or more shared interests, even if the reasons or motivations are drastically different. It is likely best to avoid politics on this topic.

• Edward Snowden Says Use Crypto, Don’t Invest In It
• Edward Snowden Calls Bitcoin Most Significant Monetary Advance Since The Creation Of Coinage

Cryptocurrency

Hard no. I don’t partake in scams, even for the sake of privacy.

Is this in relation to the monetary value of cryptocurrency or the anonymity of cryptocurrency?

The list included cryptocurrency as a channel for anonymous payments, not an investment opportunity. The two cryptocurrencies listed are two of the more well established cryptocurrencies that are more widely accepted than many other cryptocurrencies (granted, one or both of them are still not accepted by a large number of merchants). Additionally, the list also mentions some of the considerations necessary to help ensure the cryptocurrency is obtained anonymously.

If the list only included insert_newly_created_obscure_cryptocurrencies then this would definitely be more concerning.

However, if the cryptocurrency is both obtained and used “properly” where the person is ultimately anonymously exchanging cryptocurrency for a desired good(s) or service(s), is it truly a scam?

In terms of privacy, you are giving your identity provider insight to each of the third party services that you use. It may seem that there isn’t too much of a difference between using Google’s SSO vs using your Gmail address to register your third party account. However, one big distinction is that Google would be able to see often and when you use each of your third party services.

Also, it may be impossible to restrict the sharing of certain information from your identity provider with the third party service. For example, maybe you don’t want to share a picture of yourself with a service, but that service uses user profile pictures or avatars. That service may ask (and require) that you give it access to your Google account’s profile picture in order to authenticate using Google’s SSO. You may be able to overwrite that picture, but you also may not be able to revoke the service’s ability to retrieve it. If you used a “regular” local account, that Google profile picture would never be shared with the third party service if you did not upload it directly. The same is true for other information like email, first/last/full name, birthday, etc.

There are other security and operational concerns with using SSO options. With the variety of password managers available, introduction of passkeys, and increased adoption of multi-factor authentication, many of the security benefits associated with SSO aren’t as prevalent as they were 10 years ago. The biggest benefit is likely the convenience that SSO still brings compared to other authentication methods.

Ultimately it’s up to you to determine if these concerns are worth the benefits of using SSO (or the third party service provider at all if they require SSO). I have a feeling the common advise will be to avoid SSO unless its an identity provider that you trust (or even better - one that you host yourself) - especially if you’re using unique emails/usernames along with strong and unique passwords with multi-factor authentication and/or passkeys.

Alerts, notifications, person recognition, object recognition, motion detection, two way audio, automated lights, event based video storage, 24/7 video storage, automated deletion of stale recorded video, and more can all be accomplished 100% locally.

Granted, much of this functionality is not easily accomplished without some technical knowledge and additional hardware. However, these posts typically are made by people who state to at least have an interest in making that a reality (as this one does).

What security benefits does a cloud service provide?

Your options will depend on how much effort you are willing to put in and what other services you have access to (or are willing to run).

For example, do you have a Network Video Recorder (NVR) or something like Home Assistant that can consume a Real-Time Messaging Protocol (RTMP) or Real Time Streaming Protocol (RTSP) video feed? Can you modify your network to block all internet traffic to/from the doorbell? Are you comfortable using a closed source, proprietary app to setup the doorbell? Is creating your own doorbell feasible?

I’m not aware of a doorbell that you can buy which meets all of your requirements without at least one of the items I mentioned above. Additionally, I believe the only doorbell that meets all your requirements is building your own doorbell. However, some other brands that will get close to meeting your requirements are Reolink and Amcrest.

This is a “simple” question, but unfortunately the answer isn’t as simple. Much of this isn’t necessarily Google “individually and directly attacking people”, but instead Google providing others with the (otherwise unavailable) means to do so.

Regardless, is this an example that you were looking for? https://www.nbcnews.com/news/us-news/google-tracked-his-bike-ride-past-burglarized-home-made-him-n1151761

Sorry, just want to make sure others read this properly. I think you meant

The clients aren’t closed open source.

They are closed source forks of Element’s desktop/mobile/web apps.

I believe the features you’re referring to (Raise Wrist and/or Shake Wake within the Wake Up settings) don’t keep the watch screen on. Instead, I think they just trigger the watch screen to turn on and it stays on for however long the Display timeout setting is set to.

The only way I’m aware of to extend the Display timeout is to touch the watch screen while its on, a notification to come through, or certain apps like the stopwatch to be active. I also experienced issues with apps closing due to notifications coming through so relying on an app to keep the screen on may not be reliable.

If the screen turns off (even for a split second to allow one of the Wake Up settings to trigger the display back on), the watch will stop recording the heart rate and take another 5+ seconds to start recording the heart rate again.

The only way to suppress the Wake Up settings is to either manually disable them or turn on the “night mode” you mentioned.

Sorry if I’m wrong in any of this. I’m not certain how it all works. This has just been my experience with it.

There are a few recommendations for the PineTime in this thread. It is a great privacy focused smartwatch, but I don’t think you would be happy with it based on your requirements. It is not a device that allows you to go for a run and keep your phone at home.

The storage on the device is extremely limited, which prevents you from playing any audio (eg songs, podcasts, etc) directly. The device does not have any wireless connectivity (outside of Bluetooth) so it cannot stream any audio either. I’m not certain if you can even connect it to wireless headphones. It does not have any speakers either.

The watch has some apps, but there are no apps that are well suited for fitness. It does count steps well, but it does not directly calculate distance, pace, etc. It also does heart rate, but, currently, the watch screen must be on for it to record the heart rate. I think the longest the watch screen will stay on for is 30 minutes without any interaction, which may be too short for long runs or bike rides. Additionally, I’m not aware of any GPS/location tracking functionality.

Lastly, since the apps are limited and there is no advanced wireless functionality, you can’t use it for things that you may be used to for on the go activities. For example, you won’t be able to use it to pay for a drink half way through a run or call someone if you hurt your ankle a few miles from your destination.

With all that said, I still highly recommend the PineTime as a privacy focused, FLOSS, smartphone companion, smart watch. I don’t think you’ll find these features in any other device, particularly at this price point. However, you will be extremely disappointed with it if you’re getting it so you can take it on runs while leaving your phone at home.

I’m not sure if it changed, but, on PC, Signal could only be used through the Signal desktop application. This application would only act as a bridge to another device (ie - the desktop app would connect to the phone app). If this is still true, then your friend could not use Signal on her PC without another device.

However, if she has an Android tablet or iPad, she may be able to setup Signal on the tablet and use the tablet as a bridge device with her PC. I’m not certain this is possible, but it may be worth looking into.

I’m not aware of any great FOSS/FLOSS Tasker alternatives. There are a few options, but they will be less capable, functional, extensible, user friendly, or modern.

More direct alternatives

• Automation - Gitea repo / F-Droid
• Easer - Github repo / F-Droid

Requires a server to run automations/dcripts

• Home Assistant - Github repo / F-Droid

Requires scripts and may require a server and/or additional add-on apps

• Termux - Github repo / F-Droid
  • Termux:API - Github repo / F-Droid

Thanks for confirming.

XMPP really needs better clients - even the good ones feel dated. Hopefully the timeline was not pushed back too much, if at all, and that this redesign can be the start of modernizing XMPP clients.

Didn’t know about this. That’s interesting!

Are you referring to this c3 branch? If so, there havent been any commits or pull requests for a few months now. Is there a timeline posted anywhere for the “soon-ish” release of the redesign?

How do you access the live demo? I don’t see it anywhere in this thread nor on the Github repo.

I know the project may still be in its infancy, but are there any current/prospective screenshots or design files for this initiative? Even better - is a live demo available?

Someone already mentioned Hacked on here, but some others are:

• Hacking Humans
• Malicious Life
• Modem Mischief
• What the Shell?

Some additional security related ones include:

• Caveat
• CSO Perspectives
• CyberWire Daily
• Paul’s Security Weekly
• Research Saturday
• Risky Business
• Security Now

The best way that I’ve seen to discover interesting Mastodon accounts is to join Mastodon instance(s) that are most appealing to you and scrolling through the local timeline. Additionally, searching for and following hashtags that appeal to you should make it easier to find Mastodon accounts that toot about topics that interest you.

If that’s not what you want then this will likely depend on the client you are using, the type of Fediverse account you are using (eg - Mastodon, Lemmy, Pixelfed, etc.), and the instance/server you are using.

You could look through the public posts of the Mastodon instances (for instances that support publicly exploring the server without an account on that instance) that you are interested in. Once you discover the accounts you want to follow, you would need to manually search for those accounts using the full address of those accounts on the client of your choice (if you weren’t already using it to begin with).

You could also look for lists of Mastodon accounts that people recommend on websites or throughout the Fediverse.