• 3 Posts
  • 95 Comments
Joined 1Y ago
Cake day: May 28, 2020


Good news, indeed. I was taking part in Google’s AMP workshop once and we made an AMP version of our mobile site and it was slower! They were not pleased by our presentation :D We never implemented AMP on the site.


What is the best way for the consumer internet to interact with businesses?

Consumer identifies a need, they search for businesses that offer a product or service that addresses the need; go to their page and make a trade. Simple. No ads. Just make sure your service can be found and that you provide enough information for the consumer to make a choice.

This is in contrast to today: the business identifies a need, they find vulnerable people who they can potentially convince that they have the need that this business addresses already and sell it to them.



It won’t solve all of our problems but it would be a good step in the right direction… this stuff is out of control and harmful on so many levels.


Fortune teller: Give me your “cohort ID” and I will tell you your future!


Mandrake, Slackware and then Gentoo. KDE was the best! Also compiling my own kernels :D Running 2 CRT and one LCD screen with 3 VGA cards was fun. IMs were actually in better shape as you had plugins for every network and could use one native client (Kopete or Pidgin were a thing) to communicate with everyone. Konqueror was totally usable as a browser as sites did not rely on JS, and well integrated in KDE. Plenty of media content shared between friends on disk caddies.


Since the W3C is based on a system of consensus, even a single “no” vote was enough to veto the proposal.

WTF? So like you have a supervillain of privacy on your board and use “system of consensus”… good luck! :D


If your threat model is “corporations spying on me and profiting from my private data” then it is a good option IMHO. If your threat model is “a three letter agency is after me” then don’t use e-mail.


I was one of these people until I started looking into how Google makes money… Given all this is rather technical I can’t expect most people to understand this.

I don’t understand many things like food safety and somehow if I buy stuff in the market I don’t get poisoned, so it can be done.


This is horrible. Any “solution” for “people are not accepting cookies” will just reinforce Google’s dominance over private data. This “sandbox” solution is more of a Google jail for your private data, for which they will let some people who pay them get a pass.

What about just outlawing any company that does forced tracking, including Google and Facebook, instead of pretending something is being done here about this…


OMG, this is so stupid… on one hand they say “subversion of user choice is wrong” but then when users are given a choice they say “‘quite a significant proportion of people’ are not accepting cookies when prompted online” … “Where we are at the moment is not ideal.”

So they want users to not have a choice but make them feel as if they have? WTF is wrong with these people. Can these companies realize that nobody wants them and just stop refusing to die already!?


Roll your own CDN with Varnish + Hitch and some DNS provider that can do geo/latency based routing. Set up a few servers on different continents and configure request throttling and some user agent classification. Add something for log analysis so you can spot bots and block them with Varnish ACLs or even on the iptables (ipset) level. Connect the servers with a Wireguard VPN or tunnel the traffic to the origin server with stunnel.
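As an added example (not code from the commenter or from the Varnish project) of the “log analysis to spot bots, then block at the Varnish ACL or ipset level” step above: the script below takes access-log lines in the NCSA combined format that varnishncsa emits by default, flags an IP when it exceeds a per-sample request threshold or presents a user agent that a simple classifier treats as automated, and renders the result both as a Varnish ACL block and as ipset commands. The log lines are constructed for this example, the user-agent patterns and the set name `blocklist` are assumptions, and the ipset commands are printed rather than executed so the script runs anywhere.

```shell
#!/bin/sh
# Added example: flag abusive clients from a sample of access-log lines and
# render the block list for Varnish (acl) and for the kernel (ipset).

# Constructed sample in NCSA combined format (varnishncsa's default):
# %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"
SAMPLE_LOG='203.0.113.7 - - [10/Feb/2021:12:00:01 +0000] "GET /products HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"
203.0.113.7 - - [10/Feb/2021:12:00:02 +0000] "GET /products/42 HTTP/1.1" 200 3801 "https://shop.example/products" "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"
198.51.100.23 - - [10/Feb/2021:12:00:02 +0000] "GET /products?page=1 HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
198.51.100.23 - - [10/Feb/2021:12:00:02 +0000] "GET /products?page=2 HTTP/1.1" 200 5077 "-" "python-requests/2.25.1"
198.51.100.23 - - [10/Feb/2021:12:00:03 +0000] "GET /products?page=3 HTTP/1.1" 200 5064 "-" "python-requests/2.25.1"
198.51.100.23 - - [10/Feb/2021:12:00:03 +0000] "GET /products?page=4 HTTP/1.1" 200 5098 "-" "python-requests/2.25.1"
198.51.100.23 - - [10/Feb/2021:12:00:03 +0000] "GET /products?page=5 HTTP/1.1" 200 5110 "-" "python-requests/2.25.1"
192.0.2.44 - - [10/Feb/2021:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"
203.0.113.9 - - [10/Feb/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 7210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
203.0.113.9 - - [10/Feb/2021:12:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 88012 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
203.0.113.9 - - [10/Feb/2021:12:00:06 +0000] "GET /static/app.css HTTP/1.1" 200 20331 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"'

# flag_bots LIMIT: read log lines on stdin, print one IP per line (sorted) for
# every client that made >= LIMIT requests in the sample or whose user agent
# is empty or matches an (assumed) list of scripted-client/scanner names.
flag_bots() {
    awk -v limit="$1" '
    {
        ip = $1
        count[ip]++
        # the user agent is the text inside the final pair of double quotes
        n = split($0, parts, "\"")
        ua = parts[n - 1]
        if (ua == "" || ua == "-" ||
            tolower(ua) ~ /(curl|wget|python-requests|scrapy|masscan|zgrab|nikto|sqlmap)/)
            badua[ip] = ua
    }
    END {
        for (ip in count)
            if (count[ip] >= limit || (ip in badua))
                print ip
    }' | sort
}

# render_varnish_acl: turn the IP list on stdin into a VCL "acl" block;
# in VCL you would then add: if (client.ip ~ blocked) { return (synth(403)); }
render_varnish_acl() {
    printf 'acl blocked {\n'
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            printf '    "%s";\n' "$ip"
        fi
    done
    printf '}\n'
}

# render_ipset: emit the ipset commands for a set created with
#   ipset create blocklist hash:ip timeout 3600
# and referenced from iptables with -m set --match-set blocklist src -j DROP.
# The commands are printed, not run, so this stays a dry run.
render_ipset() {
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            printf 'ipset add blocklist %s timeout 3600\n' "$ip"
        fi
    done
}

# Stand-alone run: threshold of 5 requests per sampled window.
printf '%s\n' "$SAMPLE_LOG" | flag_bots 5 | render_varnish_acl
printf '%s\n' "$SAMPLE_LOG" | flag_bots 5 | render_ipset
```

In production the sample window would come from a rolling tail of the log and the threshold would be tuned per site; the user-agent list is only a first cut, since serious scrapers spoof browser agents and are better caught by request-rate and path patterns.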


Yeah, so from other info it looks like the scope of the license is much wider than that of the AGPL and includes other (not well defined) supporting software, whereas the AGPL only includes the software licensed. Also the AGPL kicks in on modification of the software, whereas the SSPL kicks in on mere use of it.

So just the fact that you install and run some program under the SSPL would mean that you suddenly need to license who knows what else. No other license does that.



Yeah, same like with Intel Management Engine. Now included in all Intel CPUs and you can’t turn it off without some major hacks (e.g. coreboot, me_cleaner). Something to keep an eye on for now.


Intel 11th Gen Intel Core vPro CPUs with support for the Hardware Shield and TDT features will be able to detect ransomware attacks at the hardware level, many layers below antivirus software. …


OK, it is not pointless entirely (you are still protecting the files that are not in RAM), but it is not perfect; so if you believe it is perfect and you get your secrets “stolen” (e.g. browser TLS encryption keys, your password manager content, tor keys, GPG agent, Signal, Telegram… there is just so much that would need to cooperate with this system) and you get arrested, that would not be good for you. My worry here is that it may be misleading, and if such a system were to be implemented and used there needs to be a warning that this is the case.

So if the goal was to ensure ALL your data is safe when you lock your screen this is clearly not achievable this way.

This is not a LUKS flaw - LUKS is a disk encryption system and not RAM encryption/scrubbing. So it does cover your disk if you scrub the key, works as designed. But the disk is not the only place your data lives when your system is running.

If you were to close your apps the content of memory may not be zeroed (I think Linux keeps a pool of zeroed memory pages to give to processes when they ask for more memory but I am not sure it zeroes it all the moment it is returned (process terminated)). Also if you need to close your app then what is the point of this? Would it not be better to just shut it down and be sure nothing is left unencrypted?

The comment about ACLs is not related to the issue of security. It is just noticing how the ACL system actively goes against this sort of use case and how its features need to be worked around to get this working. Also noticing that Lennart wants it to work like an object-capability system instead. And this is fine, it can be solved and I would like to see more object-capability based security in Linux.


BTW: Google does the same for Android (get your data dump and see for yourself) - every application start and stop is recorded, metadata from your e-mail, etc…

NOT surveillance, this is to help optimize technology use. /s


This is just “telemetry”. We have that in all Windows (including server) for years now… nothing to worry. This is NOT surveillance. /s


Or maybe what Lennart is doing is the only way for Linux to evolve:

  1. badly hack around the existing system to get the features that you want,
  2. get people to realize that these features are in fact needed,
  3. try to reduce the hacks later by redesigning the system around these new features until you land at a better overall system design.

What I am saying is that if you have access to RAM (e.g. via https://en.wikipedia.org/wiki/IEEE_1394#Security_issues or in general https://en.wikipedia.org/wiki/DMA_attack) then not all content of your files is secure unless you “scrub” the entire content of RAM.

So if you were to scrub page cache, loaded programs will still have some or all parts of the files loaded in RAM. E.g. my vim process will have some of my source code loaded. My SSH agent will have my keys loaded in RAM, my browser will have the very text you are reading loaded in RAM.

So scrubbing keys from RAM will protect most of your data but not all of your data - false sense of security. So you better understand that trade-off before using such a proposed system. It is still better than having your disk wide open but it will never be perfect.



Website as a document vs an application and the risks related to running the latter on your device…