@eff if i may invoke idris elba as stringer bell: "is you taking notes on a criminal conspiracy?"
which is to say: ARE YOU SERIOUSLY PUTTING YOUR RELEASES OF STINGRAY SOFTWARE ON MICROSOFT FUCKING SERVERS?
@eff @cooperq i do respect the use of zip archives on https://github.com/EFForg/rayhunter/releases for the resistance to length extension but it is fundamentally unserious to be telling people explicitly to go to a protest after making a specific fingerprintable connection to a microsoft web site
(yes it's the same thread as bluesky. i'm trying to embarrass your employer. apologies for the harsh tone)
@eff @cooperq this page could be a great teaching opportunity about trust boundaries https://efforg.github.io/rayhunter/installation.html unfortunately you have to deal with cargo who (ed page, previously steve klabnik) refuses outright any way to make build scripts better or safer so it's still a toss-up
i applied to NGI for a grant to work on literally this problem for cargo btw https://circumstances.run/@hipsterelectron/114610077000401178 if there is infrastructure work to do i can do it and make it reliable
@eff @cooperq just find it to be kind of fucked up to have a "legal disclaimer" in the readme while your download urls are owned and controlled by the largest surveillance contractor in the world. giving them your download numbers alone is a massive risk
i also find it extremely strange to provide sha256 checksums alongside each file instead of signatures since the checksums don't offer any additional guarantees except against data corruption. maybe that's an automatic thing microsoft does. i would definitely recommend signatures (rpgp is well done and the author is wonderful)
...but that's a nitpick and does not put users in a direct line to be tracked during protests while executing your code
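The checksum-versus-signature point in the post above, worked through as an added example (this is not code from the thread, from EFF or from the rayhunter project). It models a download page that publishes an artifact with a SHA-256 checksum beside it, and a party who controls that page swapping the artifact and regenerating the checksum. A checksum served from the same place as the file still matches after the swap; a detached signature checked against a key the user obtained elsewhere does not. Go's standard-library crypto/ed25519 stands in for the rpgp signatures the poster recommends; the artifact bytes, key pair and the `Release`, `Publisher` and `TamperOnHost` names are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download page publishes: the artifact bytes, the
// SHA-256 checksum text shown next to it, and a detached signature.
// Every value here is constructed for the example.
type Release struct {
	Artifact  []byte
	Checksum  string // hex SHA-256, as printed beside the download link
	Signature []byte // detached Ed25519 signature over Artifact
}

// Publisher holds the release signing key. The private half stays with the
// maintainers; only the public half is distributed to users, and it must
// reach them by a path independent of the download host.
type Publisher struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{pub: pub, priv: priv}, nil
}

// PublicKey is what a user would pin in the installer or copy from docs.
func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Publish produces the artifact, its checksum and its signature.
func (p *Publisher) Publish(artifact []byte) Release {
	sum := sha256.Sum256(artifact)
	return Release{
		Artifact:  artifact,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(p.priv, artifact),
	}
}

// VerifyChecksum only confirms that the bytes match the checksum served next
// to them, which catches corruption in transit and nothing more: whoever can
// edit the download page can regenerate the checksum as easily as the file.
func VerifyChecksum(r Release) bool {
	sum := sha256.Sum256(r.Artifact)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// VerifySignature checks the artifact against a key obtained out of band, so
// a valid result means the holder of the private key produced these bytes.
func VerifySignature(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Artifact, r.Signature)
}

// TamperOnHost models a party controlling the download host: it replaces the
// artifact and rewrites the adjacent checksum to match. It has no way to mint
// a fresh signature because it does not hold the publisher's private key.
func TamperOnHost(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	return Release{
		Artifact:  replacement,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: r.Signature, // stale; left in place to look untouched
	}
}

// Corrupt models a transit error: one flipped bit, checksum left as published.
func Corrupt(r Release) Release {
	damaged := append([]byte(nil), r.Artifact...)
	damaged[0] ^= 0x01
	return Release{Artifact: damaged, Checksum: r.Checksum, Signature: r.Signature}
}

func main() {
	p, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	genuine := p.Publish([]byte("release artifact bytes (constructed placeholder)"))
	swapped := TamperOnHost(genuine, []byte("replacement build (constructed placeholder)"))
	damaged := Corrupt(genuine)
	for name, r := range map[string]Release{"genuine": genuine, "swapped": swapped, "damaged": damaged} {
		fmt.Printf("%-8s checksum ok=%-5v signature ok=%v\n", name, VerifyChecksum(r), VerifySignature(p.PublicKey(), r))
	}
}
```

Running it prints that the genuine release passes both checks, the corrupted one fails both, and the host-side swap passes the checksum while failing the signature, which is exactly the gap the post describes: the checksum guards against corruption, the signature is the only check that binds the bytes to the publisher.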