Although I don’t like Flock, I’m a bit skeptical of the claims in the article. Most screenshots appear to be client-side JavaScript snippets, not API responses from this key.
In the bug bounty community, Google Maps API key leaks are a common false positive, because they are only used for billing purposes and don’t actually control access to any data. The article doesn’t really prove ArcGIS is any different.
Security for maps is basically impossible. Maps tend to have to be widely shared within government and engineering, and if you know what you're looking for, it's remarkably straightforward to find ways to access layers you would normally have to pay for. It's a consequence of the need to share data widely for a variety of purposes -- everything from zoning debates within a local county to maps for broadband funding across an entire country create a public need to share mapping information. Keys don't get revoked once projects end as that would result in all the previously published links becoming stale, which makes life harder for everyone doing research and planning new projects.
Moreover, university students in programs like architecture are given access to many map layers as part of the school's agreements with the organizations publishing the data. Without that access, students wouldn't be able to pick up the skills needed to do the work they will eventually be hired for. And if students can get data, then it's pretty much public.
Privacy is becoming (or already is) nearly impossible in the 21st century.
Even in mainland China, where iOS does have a large amount of changes to comply with local regulations, Apple does not pre-install any apps from anyone.
China doesn't require pre-installed apps, but the Chinese government requires all data processing and storage to be conducted within China with complete source code access.
India chose to back off on data sovereignty [0] because it would have had a side effect of making Indian IT Offshoring less competitive plus to help make negotiating a US-India BTA easier [1].
I don't think there is any reason to assume they would allow forced code execution just because they allow data residency for mainland accounts. And unfortunately, China is likely a much larger and more profitable consumer market than India - presumably they can still export phones produced inside India without this.
This is an interesting point. Is there anyone in mainland China that does not have WeChat plus AliPay installed? It is hard to live without it! Literally, you can buy a kilo of veg from a wet market stall and pay with AliPay.
GFW does indeed have man-in-the-middle capabilities per the recent leaks of Geedge tech used in it. Your laptop might throw a warning for the fake signed cert, but devices in China that trust Chinese root CAs would not.
It’s great that you have coverage across multiple countries. I’ve noticed most budget apps cannot handle multiple currencies at all, much less automated sync across multiple countries.
That's indeed the idea! It started with me finding out that I'm missing out on a lot of great personal finance apps because bank sync is mostly catered towards the US, and mostly uses a single provider, so I wanted to change that :)
Not an expert but my understanding is that active authentication only occurs after the basic “I can see the MRZ data” authentication passes first. You can’t skip proving you can read the MRZ in any scenario.
Good-faith security research[0] is the only way this industry will move forward, for better or worse. It is clear that most companies do not want to invest in anything further like VDPs.
Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.
I've noticed a couple of issues with the search and filtering this evening, I'll have to look at it tomorrow. In the meantime, https://sbc.compare/arm (there's also /risc-v and /x86) may help a little here!