• 15 Posts
Joined 2Y ago
Cake day: Jul 25, 2020


That's a good question that I would like to understand better. On first glimpse, FF provides protection “against fingerprinting by blocking third-party requests to companies that are known to participate in fingerprinting”.

Maybe that targeted approach is as good or better than heuristics but will take a closer look later.

Very interesting … sort of surprised to see DigitalOcean leading on an onion service:

DigitalOcean provides Onion Routed Cloud as an application in its marketplace. All you need to do is click ‘Deploy’ and the script will automatically configure ORC on a Ubuntu 18.04 server.

It is such a simple, quiet extension it was not clear to me if it did anything. Was surprised to see how much design went into it.

Pretty good list.

In terms of recommending Privacy Badger, I was recently reading Privacy Possum’s analysis of it (he says he worked on PB at EFF for 6 months) and how it drops the ball somewhat on fingerprinting.

Here is a link: https://github.com/cowlicks/privacypossum

and a main point is this:

Privacy Badger’s fingerprinting blocking has a large deficiency: when fingerprinting is detected, the origin is marked as tracking (not the URL). So everything from that origin is blocked in a 3rd party context. This is a problem because it can lead you to block everything from a CDN. To get around this, Privacy Badger adds CDNs to the “cookieblock list”. This prevents cookies from being sent to origins on the list. However, it then prevents fingerprinting scripts from being blocked, thus allowing fingerprinting.

I’d be curious to hear about other addons like decentraleyes, etc.
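The origin-versus-URL granularity problem described in the quoted analysis, as an added toy model in Python. This is not Privacy Badger's or Privacy Possum's code: the Blocker class, the hostnames and the "observe_fingerprinting" event are constructed to reproduce the decision order the analysis describes.

```python
"""Toy model of third-party blocking granularity. Added example; not
Privacy Badger's or Privacy Possum's code. Hostnames, the Blocker
class and the fingerprinting event are constructed for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str
    first_party: str  # origin of the top-level page the request is made from

    @property
    def origin(self) -> str:
        p = urlsplit(self.url)
        return f"{p.scheme}://{p.netloc}"

    @property
    def third_party(self) -> bool:
        return self.origin != self.first_party


@dataclass
class Blocker:
    # "origin": a detection marks the whole origin (the behaviour criticised above)
    # "url": a detection marks only the script URL that fingerprinted
    granularity: str = "origin"
    tracking: set = field(default_factory=set)
    cookieblock: set = field(default_factory=set)  # origins allowed without cookies

    def _key(self, req: Request) -> str:
        return req.origin if self.granularity == "origin" else req.url

    def observe_fingerprinting(self, req: Request) -> None:
        """A fingerprinting heuristic fired for this third-party script."""
        self.tracking.add(self._key(req))

    def decide(self, req: Request) -> str:
        if not req.third_party:
            return "allow"
        # the CDN exception is consulted first: cookies are stripped, but the
        # request itself (fingerprinting script included) goes through
        if req.origin in self.cookieblock:
            return "allow-without-cookies"
        if self._key(req) in self.tracking:
            return "block"
        return "allow"


def scenario(granularity: str, cookieblock_cdn: bool) -> dict:
    """Decisions for a fingerprinting script and an innocent library served
    from the same (constructed) CDN origin, after the script is detected."""
    cdn = "https://cdn.example"
    blocker = Blocker(granularity, cookieblock={cdn} if cookieblock_cdn else set())
    page = "https://news.example"
    fp_script = Request(f"{cdn}/fp.js", page)
    library = Request(f"{cdn}/jquery.js", page)
    blocker.observe_fingerprinting(fp_script)
    return {"fp.js": blocker.decide(fp_script), "jquery.js": blocker.decide(library)}


if __name__ == "__main__":
    for args in [("origin", False), ("origin", True), ("url", False)]:
        print(args, scenario(*args))
```

The three calls in the main block walk through the analysis point by point: origin granularity blocks the innocent library along with the fingerprinting script, the cookieblock exception lets the fingerprinting script back in (cookies stripped, script still executed), and URL granularity blocks only what was detected. A real extension carries more state (first-party exceptions, learned trackers, DNT handling), so read the model as the decision order only.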

While it would be enjoyable to see someone take down this idea that egregious wealth consolidation at the top is OK so long as the rest of the world is equally serfish, I agree with this:

Unfortunately, much gloomier forecasts seem more plausible. The trade and technology war between China and the United States, while perhaps understandable from a narrow U.S. strategic point of view, is fundamentally pernicious from the global point of view. It will prevent the spread of technology and hamper improvements in living standards across large swaths of the world.

And then sites that will not serve users who are not using technocracy approved browsers like this new Chrome with built-in forbid lists, tracking, and compulsory advertising.

It is a little sad/ironic that decentralised spaces rely on centralised services to reach audiences, a bit like bitcoin largely depending on fiat. One of my problems with something like peertube or ipfs is not being able to find much content — which is traditionally solved by centralised indexing.

Perhaps this is an opportunity to improve discoverability issues.

“fediverse” apps (groups of interconnected servers used for web publishing) from the Play Store

Not sure about always. Wouldn’t an attention seeking troll posting something controversial enjoy tons of comments instead of downvotes? I guess a protocol is to upvote your favourite dissent instead of commenting?

Without a downvote button on an open, largely user moderated forum, you may very well start seeing more users appeal to mods. For example: “mods, can you remove/ban any Delete Facebook comments? OP is clearly asking how best to use it privately, not delete it”

What’s next? Facebook starts crying foul when iOS 14 shows apps secretly accessing the microphone?

there were some 700,000 young mink on fur farms in the Netherlands, national statistics agency CBS said last week.


Great point. Flashing back to hours spent scouring HKEY_LOCAL_MACHINE…\Run, services.msc, Add/Remove. What a nightmare Windows is.

Fair enough … in some places the habitat “comes alive” around March 21 and seems like a start of something new as opposed to everything frozen solid in Jan, but advocating for marking the rebirth of the sun has been working great for millennia.

Especially if this is true:

Facebook’s stock jumped more than 5% on the news. Wedbush analyst Michael Pachter said the market sees Apple’s new rule as likely to shift demand toward Facebook’s own targeting system.


I noticed you left Facebook out of that forbid list. It would be funny if they took React proprietary.

Zuck and Cook should settle this the old fashioned way

“Ink-a-dink, a bottle of ink," I recited as I pointed back and forth between the two boys, “the cork fell out, and you stink.”

I would go so far as to say that earth based calendars might benefit from starting at an equinox instead of the height of (winter or summer), months should start at new moon, and days should start around sunrise instead of the middle of night. Space travellers will need a more universal calendar.

Permanent, year-round standard time is the best choice to most closely match our circadian sleep-wake cycle

That note about plaintext email trended on another site and I thought it smelled like turd. This fact about it originating from a MS employee puts it in a proper light.

The author of the criticism, and sr.ht site operator, has some interesting commentary. His comments after mozilla layoffs were pretty blunt.

IMO, MS has embraced not just GitHub and npm but Node.js itself and seems a threat to embrace, extend, extinguish JavaScript engines and committee standards.

Today, I discovered this article, “Relying on plain-text email is a ‘barrier to entry’ for kernel development, says Linux Foundation board member”, a title which conveniently chooses to refer to Sarah Novotny by her role as a Linux Foundation board member, rather than by her full title, “Sarah Novotny, Microsoft employee, transitive owner of GitHub, and patroness saint of conflicts of interests.”

In version 3, users are no longer clicking on school buses and crosswalks, but rather the Google script silently observes our regular page interactions in the background, making a determination of the user (or bot) based on behaviour fed into algorithms derived from machine learning. That is a scary aspect of it: we don’t know when we are being observed.

I know many people love HBO, but it would be nice to see some other alternative arise to this entity owned by the AT&T beast.

On October 22, 2016, AT&T announced an offer to acquire Time Warner for $108.7 billion (including assumed Time Warner debt). The proposed merger was confirmed on June 12, 2018, after AT&T won an antitrust lawsuit that the U.S. Justice Department filed in 2017 to attempt to block the acquisition. The merger closed two days later, with the company becoming a subsidiary of AT&T. (https://en.wikipedia.org/wiki/WarnerMedia)

Example EFF suit against ATT: https://www.eff.org/document/scott-v-att-geolocation-complaint

EFF is now suing AT&T for selling this data without users’ consent and for misleading the public about its privacy practices

According to [Google's ReCaptcha 3 blog post](https://webmasters.googleblog.com/2018/10/introducing-recaptcha-v3-new-way-to.html), this service "runs adaptive risk analysis in the background to alert you of suspicious traffic while letting your human users enjoy a frictionless experience on your site". [EFF coverage](https://www.eff.org/wp/behind-the-one-way-mirror#Part2) outlines how this benefits Google:

> ReCAPTCHA scripts don’t send raw interaction data back to Google. Rather, they generate something akin to a behavioural fingerprint, which summarizes the way a user has interacted with a page. Google feeds this into a machine-learning model to estimate how likely the user is to be human, then returns that score to the first-party website.

> In addition to making things more convenient for users, this newer system benefits Google in two ways.
>
> 1. it makes CAPTCHAS invisible to most users, which may make them less aware that Google (or anyone) is collecting data about them.
> 2. it leverages Google’s huge set of behavioural data to cement its dominance in the CAPTCHA market, and ensures that any future competitors will need their own tranches of interaction data in order to build tools that work in a similar way.

Earlier this year, a plan was announced on the Chromium blog to make third party cookies obsolete ...

> we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete. Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years.

Building unique, persistent user profiles in a post GDPR world
The following is a summary and highlights from an article appearing on adweek, provided by an identity resolution technology supplier. The claims may be exaggerated for sales purposes, but it is interesting to see one idea for getting around GDPR and other regulations. The disturbing idea that GDPR and other privacy regulations create the role of brands as protectors of their users' profiles shows how business doubles down on privacy challenges. Nothing short of Wall St selling shares of companies violating privacy laws will change the privacy landscape.

---

Europe's GDPR battle has made clear the writing on the wall as changes including:

- over 60 countries announcing data privacy laws
- several US states commencing consumer privacy protection
- tech giants becoming involved in privacy regulation
- Google introducing "anti-fingerprinting" in Chrome
- Facebook Pixel disconnecting from user histories

demonstrate that plans for content creation, targeting and attribution models will need to adapt to life without tracking pixels, cookies, and fingerprints. However, a Salesforce survey indicated that over 75 percent of consumers expect brands to provide customized experiences. Therefore, enter "Identity Resolution", the fabric which enables a clear and accurate picture of a consumer's "omnichannel journey".

> By integrating identifiers across available touch-points and devices with behaviour, transaction and contextual information, a cohesive and addressable consumer profile can be constructed for marketing analysis, orchestration and delivery.

User profiles may be developed in this way, and pseudonymous IDs like mobile ad IDs (MAIDs) and cookies help construct cross-device identities. Identity covers three areas:

1. online and offline data collection
2. resolution of partial profiles into persistent, unique profiles
3. maintenance of the identity over time as factors change.

> technology that collects and matches disparate data sets in a privacy-compliant manner are key to creating the persistent identity at the heart of customer-centric omnichannel marketing. Consolidating partial profiles into single, persistent sources of truth improves the consumer's omnichannel experience and helps safeguard his or her privacy requests. Identity resolution is a win-win.

> As consumers move through various marketing channels, they give consent for technology to collect and analyze information such as cookies, email addresses, device IDs, site visits and past purchases. Identity is a symbiotic relationship.

## References

1. GDPR-Era Privacy Laws Demand a New Approach to Identity: https://www.adweek.com/partner-articles/gdpr-era-privacy-laws-demand-a-new-approach-to-identity/
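The "resolution of partial profiles into persistent, unique profiles" step, as an added toy model in Python. This is not the vendor's product or the article's code: the records, identifier types and values are constructed. It links any two records that share an identifier value with a union-find, and the ignore parameter shows what withholding one identifier class (cookies, say) does to the resulting profile, which is the part a privacy engineer cares about.

```python
"""Toy identity-resolution model. Added example; not the adweek article's
vendor product. Records, identifier types and values are constructed."""
from collections import defaultdict

# constructed partial profiles, as a marketing stack might collect them
RECORDS = [
    {"cookie": "c1", "email_hash": "h1"},   # web visit with a login form
    {"cookie": "c1", "maid": "m1"},         # same cookie seen with a mobile ad ID
    {"maid": "m1", "device": "d9"},         # app event on a second device
    {"cookie": "c2"},                       # unrelated visitor
]


def resolve(records, ignore=frozenset()):
    """Group record indexes that are transitively linked by any shared
    (identifier type, value) pair. Types in `ignore` are not used for linking."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for idx, rec in enumerate(records):
        for kind, value in rec.items():
            if kind in ignore:
                continue
            key = (kind, value)
            if key in first_seen:
                union(first_seen[key], idx)
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx in range(len(records)):
        groups[find(idx)].append(idx)
    return sorted(groups.values())


def merged_profile(records, group):
    """Collapse one group into the persistent profile it would produce."""
    profile = defaultdict(set)
    for idx in group:
        for kind, value in records[idx].items():
            profile[kind].add(value)
    return {kind: sorted(values) for kind, values in profile.items()}


if __name__ == "__main__":
    for group in resolve(RECORDS):
        print(group, merged_profile(RECORDS, group))
    print("without cookies:", resolve(RECORDS, ignore={"cookie"}))
```

With all identifiers available, the first three records collapse into one profile holding a cookie, an email hash, a mobile ad ID and a device ID, even though no single record ever contained all four. Dropping cookies from the linking set splits that profile in two, which is the concrete effect the browser and platform changes listed above have on this kind of pipeline.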

Tracking Users with TLS Session Resumption
Researchers showed it is possible as of Oct 2018 to track users via TLS Session Resumption. ZDNet covers it with an article (https://www.zdnet.com/article/advertisers-can-track-users-across-the-internet-via-tls-session-resumption/), though the linked paper is fairly readable. Among interesting observations, they note:

> Google and Facebook, two of the world's largest advertising firms, used abnormally large TLS Session Resumption lifespans of 28 hours and 48 hours, respectively

Countermeasures:

> The recommended upper limit of the session resumption lifetime in TLS 1.3 of seven days should be reduced to hinder tracking based on this mechanism. We propose an upper lifetime limit of ten minutes based on our empirical observations.

> We note, that more than 80% of the Alexa Top Million Sites restrict the session resumption lifetime to less or equal to ten minutes by their own choice and 27.7% of all revisits of a site occur during this period. Furthermore, the average visit duration of popular websites is of the order of ten minutes, thus this lifetime limit hinders the correlation of multiple page visits by the same user. Browser vendors should address the issue of third-party tracking via TLS session resumption, either by deactivating session resumption for third-parties or by allowing only session resumptions to third-parties if the first party site is identical.

There was an issue that mentioned this in the ghacks-user.js issues list (https://github.com/ghacksuserjs/ghacks-user.js/issues/643):

> Picture this: You do a google search and get a SSL Session ID, then you change VPNs, and return to google and search for something else. The SSL Session ID absolutely tracks you 100%, whereas disabling it, only makes you part of a very very small group (if used for tracking: and it is server side).

> Also consider that Firefox keeps this for up to 24 hours, which is outrageous IMO. Other browsers are much quicker at releasing them

Furthermore, for Firefox it is suggested here (https://www.ssl.com/article/tracking-users-with-tls/) that this behavior can be avoided by setting the following preference to true: "security.ssl.disable_session_identifiers"

EDIT: As mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=967977, this preference is not included by default and must be set manually. Some pre-configured user.js for Firefox include it.
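The tracking mechanism and the two countermeasures above (a short ticket lifetime on the server side, no resumption at all on the client side), as an added toy model in Python. This is not code from the paper, ZDNet or ghacks-user.js: the TrackingServer class, the visit timeline and the IP addresses are constructed. The model also includes the ticket renewal on every resumption that lets a server keep extending the link beyond a single lifetime.

```python
"""Toy model of visit linking via TLS session resumption. Added example;
not from the paper or the articles quoted above. The server class, the
visit timeline and the addresses are constructed for illustration."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Visit:
    t: float        # seconds since the first visit (constructed)
    client_ip: str  # changes when the user switches VPN exit (constructed)


class TrackingServer:
    """Server that remembers which profile each ticket it issued belongs to."""

    def __init__(self, lifetime_s: float):
        self.lifetime_s = lifetime_s
        self.tickets = {}            # ticket -> (issue time, profile id)
        self._profile_ids = count(1)
        self._ticket_ids = count(1000)

    def handshake(self, visit: Visit, presented: Optional[str]):
        """Return (profile id, fresh ticket). A ticket still inside its
        lifetime keeps the old profile regardless of the client IP; an
        expired or absent ticket starts a new profile."""
        entry = self.tickets.get(presented)
        if entry is not None and visit.t - entry[0] <= self.lifetime_s:
            profile = entry[1]
        else:
            profile = next(self._profile_ids)
        # every resumption hands out a fresh ticket, so the clock restarts;
        # this is what lets a long lifetime chain visits indefinitely
        ticket = f"tkt{next(self._ticket_ids)}"
        self.tickets[ticket] = (visit.t, profile)
        return profile, ticket


# constructed timeline: same session, a VPN switch 20 minutes in, a revisit next day
VISITS = [
    Visit(0, "203.0.113.10"),
    Visit(5 * 60, "203.0.113.10"),
    Visit(20 * 60, "198.51.100.7"),
    Visit(20 * 3600, "192.0.2.99"),
]


def simulate(lifetime_s: float, resume: bool = True, visits=VISITS):
    """Profile id the server assigns to each visit. resume=False models a
    browser that never presents a ticket (the Firefox preference
    security.ssl.disable_session_identifiers set to true)."""
    server = TrackingServer(lifetime_s)
    cached = None
    profiles = []
    for visit in visits:
        profile, ticket = server.handshake(visit, cached if resume else None)
        cached = ticket  # the browser caches whatever ticket it was last given
        profiles.append(profile)
    return profiles


def distinct_profiles(lifetime_s: float, resume: bool = True) -> int:
    return len(set(simulate(lifetime_s, resume)))


if __name__ == "__main__":
    print("48 h lifetime:", simulate(48 * 3600))
    print("10 min lifetime:", simulate(10 * 60))
    print("resumption disabled:", simulate(48 * 3600, resume=False))
```

With a 48-hour lifetime every visit lands in the same profile, VPN switch and next-day return included, because each resumption renews the ticket. Capping the lifetime at the paper's ten minutes still links the two visits of one browsing session but not the later ones, and disabling resumption client-side separates all four at the cost of a full handshake each time. If you want to check a real server's hint rather than this model, Python's ssl module exposes it as the ticket_lifetime_hint attribute of the SSLSession object you get from an established SSLSocket.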

An analysis of DRM in the Linux kernel.

Council of the Plebs
Rise of the Council of Plebs in Rome, 500 BCE

> Tensions between the two classes continued to grow, especially since the poorer residents of the city provided the bulk of the army. They asked themselves why they should fight in a war if all of the profits go to the wealthy. Finally, in 494 BCE the plebians went on strike, gathering outside Rome and refusing to move until they were granted representation; this was the famed Conflict of Orders or the First Secession of the Plebs. The strike worked, and the plebians would be rewarded with an assembly of their own - the Concilium Plebis or Council of the Plebs.

(via https://www.ancient.eu/Roman_Republic/)

Privacy disclaimer: Algo is not focused on privacy, but prioritizes security. You host it yourself on a cloud instance, so you are attached to a single IP. As an iPhone user, I have not seen many good ad-blocking solutions and I sadly expect zero anonymity on mobile. Perhaps Disconnect was OK. I would like to know more if they exist. Algo gives an option to install an adblocker on your VPN server and it seems to work fairly well. You can set it up in under half an hour and destroy your $5 instance as needed. You can use it on desktop if you want, but I prefer dynamic IP VPNs when possible.

For five years running, Rust has taken the top spot as the most loved programming language. TypeScript is second, surpassing Python compared to last year. We also see big gains in Go, moving up to 5th from 10th last year.

> U.S. Sens. Jeff Merkley and Bernie Sanders have introduced the National Biometric Information Privacy Act (BIPA) ... Most importantly, the bill empowers you (and the EFF) to sue businesses that break these rules.

> It would be an overstatement to say Microsoft now has an iron grip on JavaScript, a view that is rooted in fear among those who remember the time when Microsoft was openly hostile to open source, Murphy added.

> "How you package for Node.js is hardly controlling the future of JavaScript," he said. "Microsoft does have a large play in JavaScript as a whole, but it is an open community."

In 1997, Eric S. Raymond's The Cathedral and the Bazaar prompts Netscape to release Navigator as free software. The tech industry was examining how to bring open source ideas and principles into commercial software. Some found the social activism tendencies of the FSF (Free Software Foundation) unappealing, and looked for ways to rebrand the free software movement to emphasize business potential. "Open Source" was decided upon and Linus Torvalds approved. Raymond, in Cathedral and Bazaar, relates managing the open-source project fetchmail, the struggle between top-down design (Cathedral) like emacs and bottom-up design (Bazaar) like Linux, and "given enough eyeballs, all bugs are shallow": the more widely available, scrutinized, iterated, the more bugs discovered. Inordinate time and energy spent in the Cathedral model. Many lessons, principles enumerated.

Use the "site" search operator to help find non-commercial results
Avoid commercial sites by adding your own flavor of top level domain (TLD) limitations, e.g. "(site:*.org OR site:*.net OR site:*.edu)". For example: instead of returning the top result on ahrefs.com, this query:

- 'search operators "site" (site:*.org OR site:*.net OR site:*.edu)'

makes it easier to find https://guides.lib.berkeley.edu/GoogleTips in what would be a sea of SEO-gamed results on .com domains.

Reference:

- https://guides.lib.berkeley.edu/GoogleTips