I have moved to @cooperq@masto.hackers.town if you were following me here go there instead.
Senior public interest technologist at EFF Threat Lab ⵣ "Noted activist security type" ⵣ Anti-fascist ⵣ ACAB ⵣ he/they ⵣ My tweets do not represent views of my employer
The collective that writes my code will be speaking at Hackers on Planet Earth this weekend in NYC! And check out their new project, the ICE Detention Map https://lockdown.systems/cyd-at-hackers-on-planet-earth-the-ice-detention-map-and-the-lockdown-systems-collective/
@chrislewislee I love this!
Hey everyone!
I'm available for more work.
If interested, please see my website for more examples of my work: https://www.chrislewislee.com/
I’m going to be migrating this account to hackers.town soon. I was always more of a hacker than an Infosec guy anyway. Information wants to be free!
@oopsbagel @soatok no worries that’s how the con always goes. This looks like a rad project congratulations!
@oopsbagel @soatok I’m also sad we didn’t see each other this year soatok
@cooperq and I gave a talk at #defcon33 covering @eff's Rayhunter project: a tool for detecting cell site simulators (fake/malicious cell towers) on commodity hotspots, viewable here: https://spectra.video/w/jt9rZHCU51Rh58cBD8oiP3
We go into detail on how cell site simulators work and how *you*, dear reader, can get involved in the project, as well as how we had fun with #rust.
I want to shout out EFF's Will Greenberg, @untitaker, and @sasha as they have put in massive amounts of work on this project as well.
Val Broeksmit was an FBI informant who tried to entrap me and frame me as Phineas Fisher. Along the way, he tried to hack and inform on his enemies, journalists and Epstein.
This is his story.
https://emma.best/2025/08/08/val-broeksmit-a-comically-tragic-spy/
@DarthAnrchy @eff @404mediaco I mean I think David Graeber explains this pretty well right, "surely one must pay their debts." In their minds I'm sure this is a perfectly morally acceptable thing to do.
While most vendors ship timely patches for vulnerabilities reported by Project Zero, they don’t always reach users. Today, we’re announcing Reporting Transparency, a new policy to encourage downstream fixes
https://googleprojectzero.blogspot.com/2025/07/reporting-transparency.html
@HeliosPi I just don't find this to be that compelling of an argument. It's true, but, if your threat model is that someone will know you downloaded an app then you shouldn't download apps? I also don't think it's super likely that such a warrant would happen.
@HeliosPi @eff @404mediaco I mention this in my thread on the process. https://infosec.exchange/@cooperq/114858766329523441
@sterophonick I agree it desperately needs translation and an architecture change to work on Android if the developer actually wants the most affected communities to use it.
@tilde this is the first post https://infosec.exchange/@cooperq/114858766329523441
On the issue of why there isn't an Android app, it seems like the main issue is the app's tight integration with iCloud. If the developer can switch to a more agnostic solution, an Android app should be easy to write and could deliver notifications just as anonymously as the iPhone app does.
It's also possible that a judge could attempt to compel Apple to disclose the list of accounts that have installed ICEBlock, but I think that pressure to get ICEBlock delisted is more likely than that. I also think that it's possible ICE agents will start specifically looking for ICEBlock on the devices of people they have detained and using that as a pretext for further punishment. Both of those are more concerning to me than a list of everyone who installed the app.
@Zoarial94 @MisuseCase @zackwhittaker I think it's more that the app is so deeply tied to Apple cloud infrastructure (using CloudKit and cloud query) that it's not possible to do a straight port unless the developer rewrites the entire thing to be cloud neutral, which is on his roadmap.
So I reverse engineered the IceBlock app - https://www.404media.co/immigration-raid-tracking-app-ice-block-keeps-your-data-private-researcher-finds/ here's a thread on what I found.
The TL;DR is that I didn't find anything suspicious: the app doesn't talk to any third parties, and it doesn't send your location to the developer. Neither your phone ID nor iCloud account is associated with the requests the app sends to the Apple cloud servers to run.
The app is written in Swift and mainly uses the MapKit and CloudKit libraries. When you send a report, that report contains the location of the report; this is not necessarily your location but the location at which you saw something. It also contains any free-form text you choose to enter.
And that's all that is contained in the report; no device IDs or iCloud accounts are associated with the report. Could a judge issue a tap and trace order to Apple to get the IP addresses of people submitting reports? Possibly. But that doesn't seem to be how ICE is operating right now.
And more importantly, that would just give IPs, which are going to be DHCP leases from a cellular network, not device IDs or any other actual user identifier, so it would be harder to trace these back to real people.
The developer assures me that the reports are deleted from the database after a short time, so such a theoretical order would also not get any past reports, only future reports. I can't think of a way for the app to defend against this, but if it's your threat model maybe use a VPN.
One argument I've seen against this app is that if you use it Apple will have access to your location, and yea that's probably true. But Apple always has access to your location if you have location services turned on. If that's your threat model turn off location services!
My main concern was about false reports. The dev has done a decent job of preventing mass spamming: you are rate limited in how many reports you can upload and you can only make a report within 5 miles of your location.
I think more likely is that people will make reports that are inaccurate because they saw an FPS vehicle or a DHS vehicle that isn't ICE, or just some cops even. I'm not really sure how to solve this problem. I'm a bit concerned that this could spread fear and uncertainty.
The developer's take on this issue is that there may be some false reports, but if a true report keeps one person from going to that location for a few hours and saves them from getting deported, that's a win. I find it hard to argue against that.
Anyway at the end of the day it will be up to the communities most at risk of ICE abduction to decide whether this app is useful for them. That isn't my area of expertise and I can only say what I found from a technical perspective.
At the end of the day, even if this doesn't turn out to be an effective tool for people to protect themselves from ICE, it's still a great piece of agitprop or propaganda by the deed. It gives people a way to feel power against ICE and pisses off the administration. In conclusion: Fuck ICE!
Psst! Hey you! EFF is hiring a staff technologist and *you* should apply! https://www.paycomonline.net/v4/ats/web.php/jobs/ViewJobDetails?job=262470&clientkey=28620672D234BF368306CEB4A2746667