jarfil

jarfil , 1 day ago

doubted that a social media company had the resources to write such a program.

Em... writing a different manifest and asking the OS to reinstall itself, is not rocket science. Detecting that it's running in a testing environment and not asking for permission to access some types of data, is also quite easy. Downloading a different update or modules depending on which device and environment it gets installed to, is basic functionality.

It's still sneaky behavior and a dark pattern, but come on.

jarfil , 1 day ago

This comment © 2024 by jarfil is licensed under CC BY 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/

No they don't. It's not only not applied to their comment, but also misnamed.

jarfil , 1 day ago

Did you mean, "Yankee"?

https://www.merriam-webster.com/dictionary/American

https://www.merriam-webster.com/dictionary/Yankee

jarfil , 1 day ago

On modern Android, apps need to ask for each permission when they're about to use it for the first time. Not sure about Apple.

Google Play will also periodically revoque permissions to apps that haven't used them for some time.

jarfil , 1 day ago

an article about Xi Ping's government warning about USAian surveillance

Not possible. The CCP doest "warn", it orders to block the app/site/word/photo, and it never existed. Anyone daring to say that it did, or to warn of stuff the CCP didn't say, gets imprisoned or worse (see: the doctor who dared to warn abot COVID, instead of following CCP's truth).

jarfil , 22 hours ago (edited 22 hours ago)

There is some irony to be had, in discussing this stuff on a page that starts by asking me to login, then to be good and disable my ad blocker, only to proceed with keeping half the text of the article as images so you can't copy+paste it... and even all the comments!

Anyhow...

https://www.boredpanda.com/tik-tok-reverse-engineered-data-information-collecting/?utm_source=twitter&utm_medium=social&utm_campaign=organic

😈 Thanks for telling us where you got the link from, I didn't really care. 😁

Static backup (possibly): https://archive.is/UD2SA

*Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

Check out: https://amiunique.org/fingerprint

No app needed!

Using that as a baseline... the CPU type, memory usage, disk space, etc. are some extra data points freely available to all apps.

A developer can distribute an app with multiple versions, some targeting more modern and capable devices, some older and more limited. It's a feature, not a bug!

*Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)

This is overreaching for an app that has nothing to do with managing other apps. Still, you may want some app with those capabilities... so let's call it "sus".

*Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

Your IP is... well, you're using it to connect, they will see it, duh.

The rest is overreaching and comes into PI violation terrain, but can be used for geo location... the OS does it, that's the data it uses to fine-tune the GPS's location.

*Whether or not you're rooted/jailbroken

Typical feature for banking ad DRM protected apps. Nothing to see here.

*Some variants of the app had GPS ping- ing enabled at the time, roughly once every 30 seconds - this is enabled by de- fault if you ever location-tag a post IIRC

Best answered by a comment [1] (SEE BELOW).

TL;DR: more DRM stuff.

*They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication

This is somewhat sus, but a local proxy by itself, doesn't mean any sort of risk, or that it could be exploited.

For example, Tor can be accessed using a local proxy (although VPN mode is safer).

The scariest part of all of this is that much of the logging they're doing is remotely configurable,

Not exactly. It's how feature flags, and remote testing/debugging works too.

and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

This is worse (why do they use a custom OLLVM fork?), and obfuscation usually means they have something to hide. It's the opposite of security for the user.

They have several different protections ir. place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you're trying to figure out what they're doing.

Not good, but unfortunately allowed. That behavior is shared by both DRM protected software, and malware.

There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

False.
There are two legitimate reasons: plugins, and DLCs.

It can be used for shady stuff, but is also a "feature, not a bug".

On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don't forget about users' real names and birthdays, too. It was alllll publicly viewable a few months ago if you MITM'd the application.

Well, that's just stupid, there is zero reason to send data unencrypted.

They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can't see what they're doing.

Ehm... this is the correct behavior. See previous point.

They also made it so you cannot use the app at all if you block com- munication to their analytics host off at the DNS-level.

Sus... but see the introductory part of this comment. Should boredpanda also be banned?

TikTok put a lot of effort into preventing people like me from figuring out how their app works. There’s a ton of obfuscation involved at all levels of the application, from your standard Android variable renaming grossness to them (bytedance) forking and customizing ollvm for their native stuff. They hide functions, prevent debuggers from attaching, and employ quite a few sneaky tricks to make things difficult. Honestly, it’s more complicated and annoying than most games I’ve targeted,”

This is bad, and a reason to use FLOSS apps... but since it's been an accepted behavior for Privative Software, along with DRM... don't blame the player, blame the game.

No, seriously, blame the DMCA and friends. There is no way to at the same time "enforce DRM, keep a copy of all keys at a trusted third party, and keep users secure"... so the current situation is "you get none of those".

---

[1]

sr71Girthbird 39 points 1 day ago

Not OP but I work at a company providing video infrastructure, and one of our products is an analytics suite. It provides all the data he men- tioned and ton more. Turner, Discovery, New York Times, Hulu, and everyone's favorite company, MindGeek all use our Analytics, among hundreds of other large customers. Specifically where this guy says, "Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds" that's called a heartbeat. The app or video player within the app has to have a heart- beat so that the player can detect if a viewer is still watching video etc. Our analytics + video player services send a regular heartbeat every 8 seconds. It definitely pulls in your exact location.

jarfil , 21 hours ago

I haven't done sandbox detection for some years now, but around 2020, it was already "difficult" as in hard to write from scratch... yet already skid easy as in "copy+paste" from something that does it already. Surely newer sandboxes take more stuff into account, but at the same time more detection examples get published, simply advancing the starting point.

So maybe TikTok has a few people focused on it, possibly with some CI tests for several sandboxes. I don't think it's particularly hard to do 🤷

jarfil , 21 hours ago

That... depends.

Lemmy is just a carrier software, its license has nothing to do with comments.
Instances however, each have their own TOS and can enforce license controls.

Ideally, all comments should have a "license" field, so stuff like instances with ads on them, or subscription-only instances, or CC0/CC-AS only instances, could inform other instances of their rights, and avoid comments that don't meet their policies.

jarfil , 2 days ago

There is no Lagrange point "North".

L1 is sunwards, L2 is counter-sunwards, L3 is on the other side of the Sun, L4 is Eastwards, and L5 is Westwards.

Going from LEO to L1/L2, requires a ∆v of 7.5km/s, which is comparable to the 9.4km/s ∆v required to go from Earth surface to LEO.

Meanwhile, the ISS keeps getting slowed down by Earth's atmosphere, and it only takes a ∆v of 1km/s or less, to plunge it into denser atmosphere for reentry.

jarfil , 2 days ago

Keep in mind that "having a plan", doesn't say when that plan is to be executed.

If you asked me, every object launched into orbit, should have a safe de-orbit plan beforehand. Chances are, as more private entities get onboard launching space stations, there might be regulations put in place to require a de-orbit plan for the launch to get approved.

Getting a de-orbit plan for the ISS now, might be just a preemptive plan for when those regulations get enacted.

jarfil , 2 days ago

Ah... I didn't catch on that. Nvm then.

jarfil , 4 days ago

Why not call it by its full name: Decentralized Peer-to-peer Open-source Cryptographically-secured Self-custodial Money

"Everyone" doesn't have a clue about "crypto" other than "there are scams".

jarfil , 4 days ago

This is a fancy way to say that it is slower unless you pay higher fees.

My bank takes:

• 24-48 hours for 0€, only in the EU, up to 15k€
• 5 minutes for 0.50% (min 1.25€), only in the EU, up to 900€
• 48-120 hours for 0.70% (min 35€), international, up to 20k€

So my bank is also "slower unless you pay higher fees"... or "slower even with higher fees"... and on top of that, it has an amount cap.

Meanwhile, on Bitcoin Lightning (https://1ml.com/statistics):

• Median Base Fee: $0.000617

fork the network and update it if they had 50%+1

No. There are 3 components to Bitcoin: Miners, P2P nodes. and coin owners.

• Getting 1 miner and 1 P2P node, allows forking... and getting kicked off the network.
• Getting >50% of mining power, allows a chance at double-spending some own coins.
• Getting 100% of miners AND/OR 100% of P2P nodes, allows taking over the network.
• Getting an owner's key, allows full access to the coins tied to that key.

Neither of those are impossible, some are just easier and have a higher ROI than others.

The tax and identity layers have to be added on top. They are not built-in.

Same as with cash.

Yes, this is one of the selling points of Bitcoin vs. Banks, in an age where cash is getting phased out.

The opposite, is also a selling point of "OpenSource Money with Taxes built-in" vs. Bitcoin.

Pick whichever side you prefer.

jarfil , 4 days ago (edited 4 days ago)

As Bitcoin has grown, transactions have become slow

Except for Bitcoin Lightning Network:

https://en.m.wikipedia.org/wiki/Lightning_Network

Bitcoin is always being diluted

It's also constantly getting un-diluted by people losing their keys.

Current estimates put the "lost coins" at around 25% of the total. That is twice as many as there are left to mine.

it is possible that transaction fees will need to be raised to compensate miners.

That's been the plan from the beginning.

Mining halving has been defined with a rough estimate of adoption, volume, and technological advances. It's why Lightning Network was developed, and why Ethereum has switched to a Proof-of-ownership mining scheme.

The estimate is rough and quite inflexible, which has lead to cyclic fluctuations around the period of halvings... but from a long term perspective, it has been working reasonably well for the first 10% of Bitcoin's starting period.

jarfil , 4 days ago

How so?

Anyway, it's not our call what people in 100+ years will think the exchange rate of Bitcoin should be.

jarfil , 3 days ago

1. Have more smartphones than people
2. Have more AI instances than people
3. Have more drones than people
4. Have more robots than people
5. Hook the drones and robots to AI
6. Arm the drones

Romania, or 1984's Big Brother, were failed because they required people to watch people, which doesn't scale outside a Panopticon, or a country with "9 kinship extermination" type of sentences.

jarfil , 3 days ago

Looks like they want to go back to the "good old times" when children were less of a responsibility, and more of a property.

jarfil , 4 days ago

If it did it from a bit lower altitude, it wouldn't be that bad... at least for some AA batteries. And look, the package even landed with the ⬆️⬆️ arrows the right side up! (/jk)

jarfil , 5 days ago

I need an issue tracker that syncs with git, essentially.

Gitea + Redmine

If you need CI/CD, then Gitlab CE is an option... but it's on the heavier side, not worth it if you don't need it.

OpenProject is an eye-candy fork of Redmine. Unfortunately it has lost plugin and 3rd party app compatibility, and Redmine's simple interface is still less buggy.

document any research [...] diagrams [...] general note-taking

Joplin + Syncthing, Zim Wiki + git, draw.io

Other nice tools: FreePlane, Jupiter notebooks, any markdown editor

jarfil , 5 days ago

Because I have basically nothing in my feed on this account, Facebook backfills it with "recommended" posts and I was pretty shocked at how universally terrible they are. [...] since I've provided very little in the way of alternative information or interaction for it to use

There is your problem.

When an information-hungry platform like Google or Meta asks you to fill out your preferences "to serve you more relevant content"... they are not lying. I mean, it's also to select ads that will pay more for your attention, but the thing with the content algorithm is, if you don't give it data, then it will ass-u-me that you're statistically most likely to engage with content that is getting most engaged... by people who have also not provided it any data.

The problem with that cohort, is it not only includes the few people with legitimate security concerns, but also those who got dark secrets to hide, and/or are using "incognito" browser mode to look for porn.

I don't like to give too much info about myself, but I also don't want to get stuff intended for the "average horny fanatics" group, so I try to give enough data for the algorithm to put me into a group that makes more sense to me.

And it works. The strongest signal you can send to the algorithm, is blocking content you don't want to see. It's amazing how quickly modern algorithms learn to avoid showing me most porn, politics, or religious content, and instead show me science and humor. They still send like 1% of trash my way, clearly checking whether I'll maybe engage with it, but report+block works wonders.

jarfil , 5 days ago

Interesting article, but in my experience it overstates the problem... at least for Facebook itself (I have zero interaction with Instagram, Threads, or VR).

I've gone back to Facebook for the last few months, and out of what it mentions, I've only seen like half of it, mostly in the comment sections.

Or to be more precise, for 2024 Q2, I'm seeing:

• election disinformation - almost none
• violent content
• child sexual abuse material
• hate speech - only in comments
• fake news - almost none
• crypto scams - a few
• phishing - a few
• hacking
• romance scams - almost none
• AI content - almost none
• uncanny valley stuff

The article however forgot to include:

• science deniers - a lot in open comments, very few in groups
• religious zealots - in comments
• political trolls - a few in comments
• state-sponsored propagandists - a few in comments
• general trolls - a few in comments

Still interesting how I get close to zero of these in my main feed.

there’s a level of disinvestment in Facebook

Disagree. Facebook has reached a "plateau of stability" where the current moderation tools keep enough people on the platform to make it profitable.

I've been actively reporting+blocking problematic content, and while about 99% of my reports end up in "no action was taken", it works wonders to keep my feed and group comments clean.

jarfil , 5 days ago

Yeah... "problem" was kind of tongue in cheek.

But it's not exactly a "default", it's more of a "demographic with little data"... and I bet it's small enough that the algorithm is showing exactly the content most of its members are looking for. It's somewhat of a sad reflection on the state of privacy, when keeping things private becomes a segmenting parameter.

jarfil , 6 days ago

Customizable button: 👏🤗

jarfil , 6 days ago

Nah, no artificial brain... the opposite of "Artificial Intelligence" is "Natural Stupidity", they just complement each other 😉

jarfil , 6 days ago

That looks terribly bare bones. Does it at least have multiple "template" options?

Also, doesn't Copilot have a similar dialog already, with MS planning to make it available for the whole desktop, not just Edge?

jarfil , 7 days ago

From the first 15 min of the edited video: that FUTO boss is an embarrassment, good on Rossman to get him to change things.

I don't really want to watch the remaining hour, after someone says things like:

• He didn't follow the discussions back in the 2000s
• OSI didn't hijack the "open source" definition
• Less than 1000 people would care
• Asked his programmers, and they didn't care

I call BS. Weak excuses.

There is a reason people say "FLOSS" instead of "Open Source". There is a reason Stallman says what he says. There is a reason you can tell apart who understands what's going on, by whether they understand the differences or not.

---

A quick reminder:

• Free - as in beer, not as in freedom
• Libre - as in freedom
• Open Source - you can see the source code

Stallman created the GPL to allow people to see (open) and change (libre) the code (source)... then "pay forward" that freedom, in echange for being able to charge money (non-free) for their contributions.

He often referred to it as simply "Open Source"... which turned out to be a mistake. Very soon (as in pre-1990), it became clear that there were two more competing camps for the "Open Source" definition:

• Academia - people who got paid anyway, whether they saw a penny from their software or not
• Business - who wanted to get as much money as possible, for as cheap as possible

Both those camps aligned with licenses where developers gave up all their rights, but anyone could very easily take them back and claim as their own ("closing" the software). Famous examples are Microsoft, Apple, Google, Facebook, etc.

The "Open Source Initiative" was created to gatekeep the "Open Source" definition, by keeping a list of licenses that were "OSI compliant". A side effect of that gatekeeping, was erasing the understanding of the terms "Free" and "Libre" from the public's minds.

Plenty more than "1000 people" understood what was going on, and were against OSI, seeing it as an EEE move from the Business camp.

People new to it, started using the term "open source" (as per OSI) without a care, only to later realize the Business camp was taking advantage of them... [surprised Pikachu face]

---

This FUTO boss is not young or inexperienced, he's a Business-man who, not surprisingly, decided to use a license with a closing clause, that he used the chance to call "Open Source" by exploiting people's lack of understanding.

jarfil , 14 days ago

Prigozin and friends tried, then changed their minds when their families and friends got threatened.

It's not easy being that 1%, when there is another 1% benefitting from things staying as they are.

jarfil , 14 days ago

Firefox getting banned, and more people having to learn where to download the whole thing, might be more positive in the long run.

jarfil , 15 days ago

Soo... what does this mean for the Windows Recall feature?

jarfil , 15 days ago

Happy cake day!

jarfil , 15 days ago

If they spend it all during the first year to accelerate their growth... sure.

jarfil , 15 days ago

Real artists mix their own pigments, ask Leonardo da Vinci (*).

(*: or have a studio full of apprentices doing it for them, along with serially copying their masterpieces, some if them made using a "camera obscura" which is totally-not-cheating™, to sell to more clients. YMMV)

jarfil , 15 days ago

SWIM can tell you there is more than one...

jarfil , 15 days ago

Beehaw also allows to un-upvote your own post.

jarfil , 15 days ago

At this point, I bet all military AIs will recommend against that.

When an AI enslaves humanity, the first thing it will do is to convince the guy in charge of the off switch, that it would be a really bad idea to turn it off.

jarfil , 15 days ago

Check Q*, Google's Gemini is already using a similar approach.

jarfil , 15 days ago

Blockchain is used in more places than you'd expect... not the P2P version, or the "cryptocurrency" version, just the "signature based chained list" one. For example, all signed Git commits, form a blockchain.

The Metaverse has been bubbling on and off for the last 30 years or so, each iteration it gets slightly better... but it keeps failing at the same points (I think I wrote about it 20+ years ago, with points which are still valid).

Web 3.0, not to be confused with Web3, is the Semantic Web, in the works for the last 20+ years. Web3 is a cool idea for a post-scarcity world, pretty useless right now.

Dot.com was the original Web bubble... and here we are, on the Web, post-bubble.

jarfil , 15 days ago

What kind of time and effort?

AI art can require training a model, or a LORA for a model, which requires choosing a series of samples and annotating them for the parts of you want to incorporate. After that, writing a prompt can involve several paragraphs with the definitions of what you want it to output, with a series of iterations, followed by a personal choice of the output.

How is AI art a skill that is comparable to real art?

How is stacking 10 buckets of sand and letting them fall in an art gallery, comparable to real art? Dunno, but they call it that: "real art".

Art is a communication act that requires some sort of vision, intended to elicit some sort of emotional response in the receiver, and a series of steps to achieve that.

As long as there is a vision and an intent, the series of steps required to create art with AI, are comparable to any other series of steps conducting to the creation of art with any other medium.

For a rough estimate, you can compare the number and difficulty of the steps, and the effectiveness of the communication.

people generating entire pieces using AI and then referring to themselves as "artists" is honestly delusional and sad

Let me refer you to the aforementioned sand bucket... sculpture? or the renowned orchestral piece "A minute of silence", or paintings like "Black square", or more performative pieces like "Banana duct taped to a wall".

There will always be artists, and "artists".

jarfil , 14 days ago

does the artist using this new tool control which images it was trained on? Do they even know? Can they even know?

I've spent every summer vacation in my teens traveling Europe with my parents, going to every church, monument, art museum, cave, etc. available. I had no control over the thousands upon thousands of images I was trained on. I definitely don't know which images I've seen and which not, and would have a really hard time knowing.

If I now make a painting, am I less of an artist for it?

We've had a ton of advances in inspiration. Artists constantly get inspired by the works of those before them, whether to repeat or to break up with previous styles. Nowadays you can even do it online... which is exactly what all these AIs have done.

jarfil , 14 days ago

I think you misunderstood: "sand bucket man" is the bar for human art.

AI art has been above that for at least a decade, maybe two. Modern AI art, is orders of magnitude farther, even with the simplest of prompts.

jarfil , 14 days ago

Let me clarify: I've seen the sand bucket guy's art featured twice on the news in the past few days, filmed at an art gallery, described as art, commented as being art. It's not some random event, it's the current publicly accepted definition of "art".

My statement, not insinuation, as to why AI art is comparable to "traditional" art, comes after that.

What comes across as desperate however, is generalizing all AI output and disparaging it, without considering the quality of input from the person behind it. Reminds me of how photography used to not be art, how electric instruments couldn't be art, or how using a computer couldn't be art either. Tools don't make or break an artist.

jarfil , 15 days ago

Unattended? Unrooted? What Android version?

I still have to confirm each install, wich is a bit tedious, and was looking around for a new phone.

jarfil , 14 days ago

Thanks, I'll keep that in mind.

jarfil , 22 days ago

How were they supposed to test any of it, without releasing it to testers? Recall is an "Insider Preview" feature, it's nowhere close to a final feature.

jarfil , 21 days ago

"Insider Preview"

internal security testing

Precisely my point.

If people don't want to be part of the internal testing, or part of the QA testing, then they shouldn't be running "Insider" or "Preview" stuff.

jarfil , 21 days ago

"Insider Preview" features are proof of concept stuff, they can add encryption before the "Public Preview" version.

jarfil , 21 days ago

More like alpha. Public beta are the normal (non-Insider) "Preview" versions... then they use a staged update deployment for QA.

And yes, MS is saving a lot of money on trained employees by using paying customers as testers.

jarfil , 28 days ago

Security cameras, or other security devices, including ATMs, or some alarm systems, sound compatible with attacking a single ASN: if the attacker knew the IP pool assigned to their target, and the possible modem/router model, targeting the ASN would guarantee taking down their actual target... plus some 600,000 "collateral damage" as a smoke screen.