
0xtero

@0xtero@beehaw.org

Glorified network janitor. Perpetual blueteam botherer. Friendly neighborhood cyberman. Constantly regressing toward the mean. Slowly regarding silent things.


0xtero ,

So, is this the type of SLAM you'd typically see in a moshpit? Or are we talking about wrestling slams?

Is it impossible to be private online? (yewtu.be)

In sharing this video here I'm preaching to the choir, but I do think it indirectly raised a valuable point which probably doesn't get spoken about enough in privacy communities. That is, in choosing to use even a single product or service that is more privacy-respecting than the equivalent big tech alternative, you are showing...

0xtero , (edited )

Every time I talk about privacy online, the pessimists always come out. "It's impossible to have any online privacy."

My experience is actually completely the opposite. While mainstream "normies" don't seem to care, most of them are using readily available privacy tools in their communication daily. Things like WhatsApp, Signal and iMessage. Most websites these days are HTTPS enabled. Governments are so concerned about this loss of monitoring capability, they're trying to craft laws which allow them to backdoor devices before encryption happens. And they're meeting resistance, despite all the lobbying (see Chat Control 2.0). We've never had as widely adopted privacy tools as we have today.

Big tech and advertising are two problems that still create trouble. A lot of this stems from completely different, non-privacy related reasons (the lax US policies concerning anti-consumer and monopoly laws) but even here policies around the world are slowly catching up. GDPR gives Europeans quite a bit of control over our data and while this is still just one baby step - it's much better than it used to be. There's a lot of global inequality here though. Facebook/Meta is synonymous with the Internet in the developing world, because they've used their monopoly money to exploit the situation. Digital imperialism is still strong.

I'm not going to harp too much on SMTP privacy, Proton has a bunch of nice services. If that's where your MX happens to point, then great, but we do also need to slowly move away from these old protocols that offer no privacy choice (yeah I know, SMTP is here to stay).

What I'd like to see more is talk about threat modeling in this space. Because that's where it all starts and threat models are quite personal. There's no "one size fits all" privacy, because our needs vary. A political dissident living in exile from a hostile government has completely different needs for privacy compared to a person who doesn't like YouTube ads. We should try to foster easily digestible discussion around personal threat modeling - right now we (the privacy crowd) come across as loonies since a lot of the advice we give starts from the wrong end of the model.

I don't see digital privacy as a pessimistic space. But what do I know, I'm not a content creator.

0xtero ,

I notice you quoted the sentence from the description - did you watch the video itself?

No, I'm afraid I didn't.

0xtero ,

Ah, well. Maybe that saves a click and 10 minutes of someone's life.

0xtero ,

This is the moment in Scooby-Doo where the gang unmasks the person they've just caught and underneath is just the Microsoft Bing logo

Is Privacy Worth It? (blog.thenewoil.org)

When I announced I would be closing my communities earlier this year, a curious thing happened: a surprising number of regulars replied with some variation of “I think this is my exit.” While some were specifically talking about Matrix, claiming that mine was the only room they were really active in and therefore they saw no...

0xtero ,

Well, that was an extremely long-winded way to say "depends on your threat model".
Which it does.

So nothing new under the sun.

maegul , (edited ) to Fediverse

The fediverse won’t succeed at putting up a substitute and that’s a problem?

Just an impression: All the pieces seem to be there. But what’s required is a team, with devs, PMs and coordinators, dedicated to making a particular place in the .

That’s resources and decently sized financial and organisational demands, especially to get a critical mass of users.

Is the fediverse up to that challenge? If not, is it an issue worth addressing?

@fediverse

0xtero ,

I think what we mainly lack is people asking questions, not a particular setup of tech.

0xtero , (edited )

So your requirement with cellular calling (eSIM) is already fairly restrictive and depends on which market we're talking about. Where I live (.se) you get to choose between Apple and Samsung and since Apple was out of the question, you're stuck with Samsung.

Not entirely sure if your second requirement with long battery life can be fulfilled. You'll be charging the watch every day, probably more often if you take calls on it.

There's some rumors that Garmin Forerunner/epix will get eSIM support, but that will be also carrier dependent.

These wearables are pretty complicated high-end devices, I wouldn't really give them to elderly parents who struggle using a normal mobile.

I think it might be better to look into other types of devices like pager systems from caregivers, if you're worried about health issues.

Novel attack against virtually all VPN apps neuters their entire purpose (arstechnica.com)

Pulling this off requires high privileges in the network, so if this is done by intruder you're probably having a Really Bad Day anyway, but might be good to know if you're connecting to untrusted networks (public wifi etc). For now, if you need to be sure, either tether to Android - since the Android stack doesn't implement...

0xtero OP , (edited )

I also don’t get much value out of the statement that “every” OS except Android is vulnerable. Do they really mean all other OSes, or just what would come to mind for most people, i.e. Windows, macOS, Linux, iOS? What about the various BSDs for example?

It's a DHCP manipulation attack, so every RFC 3442 compliant DHCP implementation implementing option 121 would be "vulnerable" (it's not a vulnerability though). Android apparently doesn't implement it, so it's technically impossible to pull off against an Android device. There might be others, but I'd guess most serious server/desktop OSes implement it.

The title isn't misleading at all, even though the "neutering their entire purpose" is a bit of a click-bait. This doesn't affect ingress VPN at all.

It's an attack that uses DHCP features (according to RFC).

It's a clever way to uncloak egress VPN users, therefore it does have privacy impact since most of us use VPN for purposes of hiding our traffic from the local network and provider and there's no "easy" fix since it's just a clever use of an existing RFC.
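As an added, defender-side example (not code from the article, the RFC, or the comment above): a decoder for the raw option 121 payload that a DHCP monitor could use to flag pushed routes which point off the local LAN, i.e. the routes that would pull traffic out of the tunnel. It assumes the monitor already knows the LAN prefix; the two sample payloads are constructed by hand.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag
pushed routes that would steer traffic away from a VPN tunnel.

Constructed example for a DHCP monitoring script; it is not code from
the article or from any VPN product. Sample payloads are hand-built."""
import ipaddress


def parse_option_121(payload: bytes):
    """Return [(IPv4Network, router IPv4Address), ...] from a raw option body.

    RFC 3442 packs each route as: 1 byte prefix length, ceil(len/8) bytes of
    significant destination octets, then 4 bytes of router address."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]                       # prefix length in bits
        if width > 32:
            raise ValueError(f"bad prefix length {width}")
        n = (width + 7) // 8                     # significant destination octets
        dest = payload[i + 1:i + 1 + n]
        router = payload[i + 1 + n:i + 5 + n]
        if len(dest) != n or len(router) != 4:
            raise ValueError("truncated option 121 payload")
        i += 1 + n + 4
        net = ipaddress.IPv4Network((dest.ljust(4, b"\x00"), width), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def off_link_routes(routes, lan):
    """Routes that are neither the default route nor inside the local LAN.
    A benign DHCP server has little reason to push these; a rogue one needs
    them to carry traffic the client expects to go through the tunnel."""
    return [(net, gw) for net, gw in routes
            if net.prefixlen > 0 and not net.subnet_of(lan)]


def off_link_coverage(routes, lan):
    """Fraction of IPv4 space claimed by off-link routes (overlaps merged).
    1.0 means every destination would be routed around the VPN."""
    nets = [net for net, _ in off_link_routes(routes, lan)]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covered / 2 ** 32


LAN = ipaddress.IPv4Network("192.168.1.0/24")
# constructed: default route plus 0.0.0.0/1 and 128.0.0.0/1 via the LAN router
HOSTILE = bytes.fromhex("00 c0a80101" "01 00 c0a80101" "01 80 c0a80101")
# constructed: default route plus a single on-link /24
BENIGN = bytes.fromhex("00 c0a80101" "18 c0a801 c0a80101")

if __name__ == "__main__":
    for name, raw in (("hostile", HOSTILE), ("benign", BENIGN)):
        routes = parse_option_121(raw)
        print(name, [(str(n), str(g)) for n, g in routes],
              "off-link coverage:", off_link_coverage(routes, LAN))
```

A lease monitor can alert whenever the coverage is non-zero for a network where only on-link routes are expected.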

maegul , (edited ) to Fediverse

Reflecting on the firefish/calckey "moment"

which was about a year ago now, I can't help but suspect it was a small event with wider implications on the dominance of in the

I think it was the last chance to direct the twitter migration energy into discovering new/different fedi platforms.

And it was blown, with alt-social in a weird steady/waiting state that's smaller I suspect, than what many hoped for.

@fediverse

cntd: https://hachyderm.io/@maegul/112358202238795371

1/

0xtero ,

Congrats and/or condolences for this "moment".

I guess I'd have to check mastodon to find the rest of this thread and the context of what it actually references.
Posting into Lemmy/Kbin groups from long Mastodon threads is quite a janky experience, I find.


0xtero ,

Thanks for the context.

And yeah - a lot of fedi is built on spur-of-the-moment inspiration without much planning for the long term. Sometimes it works out (like Pixelfed and the other related projects) and sometimes the passion of one (or a small group) of devs just isn't enough.

Lemmy is a pretty good example (from the other side of the scale) as well - we're at version 0.18.4 - and the devs are pretty hostile.

0xtero ,

Yeah, exactly the beehaw vs. lemmy situation.

0xtero , (edited )

Yeah, as a beehaw user, I'm pretty familiar with the situation. I'm not going to re-hash the whole thing here (and I don't represent the instance), but let's just say PRs for features were offered, but not accepted. Discussion was attempted but it resulted in Lemmy devs asking beehaw to fuck off - so that's the end of that.

There's an alternative being tested. I believe we're going to Sublinks, but there's still active development going and sizeable migration. So we're still here. For the time being.

0xtero , (edited )

Ente Photos - Google Photos replacement with encryption and privacy
Ente Auth - Good multiplatform authenticator.
^^ These are paid-for services (you get both with the same sub), but extremely good.

AntennaPod - Podcatcher
K-9 email

0xtero ,

I don't and the energy consumption of public AI services is a stopper for "testing and playing around". I think I'll just wait until it takes over the world as advertised.

Ask: How do you handle your résumés?

Usually I rely on my network & haven’t needed this kind of document in ages, but I’ve been tasked with creating a résumé for myself. I’ve grown more privacy-conscious every year & I think it’s weird that we are expected to give out so much information about ourselves to companies that lie about their culture & don’t...

0xtero ,

I'm a consultant so whenever I'm applying for a new gig I need to provide a consultant profile, which is very similar to a résumé.

Over the years I've learned that most customers are not very interested in the "personal stuff" sections - they just want to know you have the skills required, so try to minimize the amount of personal data and concentrate on skills and past gigs (anonymizing customers/companies) etc.

But - unfortunately you have to tell something about yourself and your ability to work together with others, there's really no way around it. It's also more and more customary that (for some reason) they want your photo. Stuff like education, certifications need to be there, but keep it very short. Think about "social media profile page".

Provide stuff like contact info, address, phone, date of birth (if required) and references separately - don't put them into your resume. You can add something like "Personal information and references provided separately by request" in there, that way, even if the document is shared, all they get is something resembling a LinkedIn profile.

You can also try to add "confidential" to the document header, but I've noticed it's not respected very often.

0xtero ,

And thus begins the enshittification of Discord

0xtero ,

I think they're only worried about U.S. class action. Don't think American companies really care about the legality anywhere else.

0xtero ,

The only reason Discord has "a shop" in the EU is for tax evasion. It's a P.O. Box at Schiphol airport. I really don't think they care very much.

0xtero ,

I meant NL is one of the top 10 tax havens in the world due to their exemptions that allow corporate tax evasion.

0xtero ,

SELinux has been GPL for 24 years.

It's part of what was called Rainbow Books, but is known more widely these days as the Common Criteria.
https://en.wikipedia.org/wiki/Common_Criteria

It's the "Government setting standards" sort of scenario.

Backdoor found in widely used Linux utility breaks encrypted SSH connections | Ars Technica (arstechnica.com)

TL;DR there was a backdoor found in the XZ program. All major distros have been updated but it is recommended that you do a fresh install on systems that are exposed to the internet and that had the bad version of the program. Only upstream distros were affected.

0xtero ,

Catching this now is pretty huge, because it mainly targets distro build systems. Had this gone undetected, we'd be in shiznit creek a couple of years down the line.

Meta gave Netflix and Spotify access to users private messages (arstechnica.com)

In 2018, Facebook told Vox that it doesn't use private messages for ad targeting. But a few months later, The New York Times, citing "hundreds of pages of Facebook documents," reported that Facebook "gave Netflix and Spotify the ability to read Facebook users’ private messages."...

0xtero ,

If you want private messaging - use Signal.
If you use any kind of messaging on commercial platforms, expect immediate loss of privacy. They call them "direct" messages for a reason.

0xtero , (edited )

Something something Privacy vs. Anonymity.
But I invite you to try. Good luck getting into my phone!

0xtero ,

Oh boy. Some of you people watch too many movies.

Let's get some basic stuff established:

  • This thread is about commercial platforms selling your direct message data. That's the threat model.
  • I don't live in a country where the police SWAT teams throw flashbangs without court orders
  • If the authorities want to get to me (which, again, is not the threat model of this thread). They can. Easily. They know where I live. They just have to knock on the door. It's not even locked.
  • I did, to the best of my knowledge, not reply to you anywhere in this thread. I'm not sure why you are replying to me.

But sure. I'll give you this: If your threat model is dodging SWAT team flashbangs, I doubt using Signal is much use to you at that point. That just wasn't what this thread was talking about.

0xtero ,

Which was a response to this

0xtero ,

It doesn't mean anything at all. The Swedish SIGINT agency has been working with 5-eyes for ages.

0xtero ,

That's not quite right. Mastodon does not have any privacy at all and it's not safe to treat it as a privacy platform.

What makes Mastodon worth using is the federated model and lack of commercial engagement algorithms.

0xtero ,

I bet the CFO was in the habit of joining Zoom company calls with the cat filter turned on. Therefore everyone was pretty much OK with this.
https://www.youtube.com/watch?v=lGOofzZOyl8

0xtero ,

So hear me out. What if we took $6.9M out of the CEO bonus and dropped the Mozilla AI project?
Maybe that would be enough to hire a maintainer or two for the Firefox iOS port?
Maybe that could work?
I don't know, just an idea. Crazy.

0xtero ,

My next Windows PC doesn't need any RAM, because I'm not going to need one.

0xtero ,

I thought the blog was hot garbage (my entire original comment here: https://beehaw.org/comment/2044864 so I won't repeat it).

I'd like to offer an alternative - https://erinkissane.com/untangling-threads

0xtero ,

When I was last working in the automotive industry about two decades ago, a lot of effort was being put into protecting the BIOS on diagnostic laptops, so that only "authentic" manufacturer diagnostic tools could be used to service the vehicles.

Pretty sure that development has continued.

0xtero ,

LibreOffice will do just fine reading and writing the format as long as you don't care too much about small formatting/layout differences.

It will also struggle if you've embedded other office components into your documents (like Excel embedded in Word).

0xtero ,

Thanks for the share.
Obviously Perens is one of the FOSS OG figures and he makes a lot of good points. Lately the RHEL/IBM situation has shown a mere license text file isn't going to keep megacorps from finding ways to circumvent the ideology and the purpose behind it. They have simply too many resources both in development and in legal departments and too many ways to work around the legalese of its intended purpose.

Also there's been an increasing trend where products (Elastic etc.) start off with a FOSS license and as soon as they gain critical mass, they split their product and switch to their own FOSS-light license and gimped "community edition" downloads. Again, all still legally above board, but at the same time completely ignoring the intended purpose of the license in the first place.

I think what Perens is proposing is too complicated. I understand that a "contract" has far more binding legal firepower compared to a "license", but as he also points out in the article, it complicates things to the point where it's hard to adopt. The problem is of course far deeper than just licensing and has its roots deep somewhere in late-stage capitalism and deregulation of corporate entities and those are of course not problems that Perens or the free software community can easily solve. Unfortunately.

It's clear that something new is needed and I appreciate the work he is doing. I'm not sure it's the right direction to take, but can't say I have any rabbits I can pull out of my hat either, so I'll follow this with interest.
