Jae's Blog

Announcing Bellingcat challenges

Over the past half year, I’ve had the pleasure of collaborating with Bellingcat as a contributor to their OSINT (Open-Source Intelligence) challenge platform.

For those who aren’t aware, Bellingcat is an independent investigative journalism group based in the Netherlands that publishes investigations using OSINT about war, human rights abuses and the criminal underground (this description is shamelessly stolen from the Wikipedia article as they describe it well).

This all started back in March 2025, when I published this challenge in their Discord community. The premise is simple: find where that scan was taken.
Just a few minutes later, three people had already managed to find the location; a few days later, even more. This challenge seemed well-received, and I was contacted by the Producer of Bellingcat to create a few more challenges for their Open-Source Challenges Platform.

All the challenges took half a year to collect and design, and over 6000 km of travel was needed within Europe.
Though I’m a bit sad some scans didn’t make the final cut (some of the ones I originally planned turned out worse than I imagined), the challenges turned out good overall.

I want to thank Bellingcat for this opportunity to collaborate, and I encourage anyone to check out the Open-Source Challenge platform, and even donate to them. The challenge scans will be made available within Resonite in 6 months’ time.

Solokeys is still dead

Almost one year after hinting at a return, Solokeys is still dead, as shown by their repos, issues, and discussions never being answered.

Funnily enough, they are still selling those on their website, but it goes without saying that you shouldn’t even touch those given the great lack of care they’ve shown in the project.

The Telemessage fiasco keeps getting better

If you haven’t been keeping up with the news lately, after the whole Signal fiasco, it appeared that US government officials are using some fork called “Telemessage”.

That app claims to offer backup solutions for popular messengers including Signal, to comply with government directives. Funnily enough, their website got completely wiped, a large change from what it was a few months ago.

Putting aside all the issues that using a Signal fork exposes you to, it appears that despite their marketing, they could access plaintext messages.

Even better, according to 404 Media, the entire thing is now under investigation thanks to their reporting on the matter.

Edit: a senator asked for an investigation, my bad.

If you’re interested, I’ve archived the source code of both the Android and iOS apps on my GitLab instance (tho those aren’t rare):

Overall, it’s quite fun to look at this from the outside, but also a bit worrying.

And remember, if you switch to Signal, use the official version and don’t add random journalists to your convos.

More vulnerability databases!

Previously, I’ve shared about EUVD, the European Vulnerability Database.

Turns out in the wake of the whole CVE debacle, a bunch of other initiatives were also announced!

As more alternatives pile up, this paints a good outlook for the future, should CVE definitely go down the drain.

The European vulnerability database

I’ve recently discovered that the EU has their own vulnerability database: EUVD.

As noted by the message on top of the page:

This website is currently in its beta phase. We appreciate your collaboration in reporting any inaccurate or incomplete information via the link below “Provide feedback”.

The site is still in a really early stage, but hopefully it gains a bit more traction as the future of other vulnerability databases is uncertain (for instance, with CVE almost dying abruptly due to a contract ending).

As of now, there are also no feeds (RSS in particular) to watch this database, so hopefully this will be added soon.

Jae 2012-2025, CC BY-SA 4.0 unless stated otherwise.