cwbussard (@cwbussard@ioc.exchange)

Law & Technology

eff, to random

"I have a hard time believing that YouTube would be unable to keep business afloat without the revenue generated by behavioral-tracking advertisements," EFF's Daly Barnett told @theregister. "It's a lazy and deliberately malicious move on their part."
https://www.theregister.com/2024/04/16/youtube_ad_blocking/

cwbussard,

@karlauerbach @eff @theregister
@pluralistic

It's not in the advertiser's interest either. If someone wants to block ads, but is stopped from doing so by Google's fuckery, there's a darned near 0% chance that they'll click the ad or buy the advertiser's product. It's more likely that they'll be annoyed and mentally associate that annoyance with the advertiser's brand. Showing ads to this cohort is a net negative for advertisers. The only party who benefits is Google, collecting money for showing ads that have no hope of leading to a sale, and annoying some users enough to drive them to pay them to make the ads stop.

campuscodi, to random

The Irish Council of Civil Liberties says that an Israeli company named ISA Security is selling access to Patternz, a powerful surveillance tool.

The ICCL says Patternz taps into real-time bidding information from online ad platforms to provide customers the ability to track almost anyone around the world.

ISA claims Patternz has data points for five billion individuals, including information on their driving routes, children, co-workers, and approximate geo-locations.

https://www.iccl.ie/2023/new-iccl-reports-reveal-serious-security-threat-to-the-eu-and-us/

cwbussard,

@campuscodi

Sounds like a really good reason to block both ads and tracking.

cwbussard,

@Fuzzbuzz @nuncio @campuscodi

Short answer: Probably to a limited extent.

Medium answer: Depends on how the data purchased by Patternz was originally collected.

Long answer: Brace yourself for a multi-part reply.

Off the top of my head, I sort tracking methods into 8 subtypes:

  1. The OS spying on you. (E.g., Android collecting location data (even when you try to turn it off).)
  2. Spyware. (E.g., just about damn near every smartphone app requesting permissions it doesn't need, then using them to spy on you.)
  3. ISP snooping your DNS requests.
  4. ISP snooping the destinations on your outgoing packets.
  5. First party website tracking what you do while logged in.
  6. First party website stateful tracking (i.e., cookies/supercookies).
  7. First party website stateless tracking (i.e., fingerprinting).
  8. Third party website tracking, stateful and stateless.

continues...

cwbussard,

@Fuzzbuzz @nuncio @campuscodi

...continued

The only solution to #1 (OS spying) is to use an OS that doesn't spy on you. For PCs, you can use Linux. But smartphones are a problem. Both Google and Apple are engaged in "Rambler in the Attic"-level snooping, and your other options are limited: You can jailbreak your phone and install an ungoogled android rom, or buy an overpriced, underpowered linux phone and run android apps via an emulator. In both cases, you'll find a lot of apps -- esp. banking apps -- just won't work outside of an unrooted, fully-googled environment.

#2 Spyware is a solved problem on PC, but a huge problem on smartphones. To avoid spyware on PC, use Linux. In Windows world, Windows Defender does a decent job of dealing with spyware. Aside from things you consider spyware but it doesn't (e.g., anything made by Microsoft). But pretty much every smartphone app is built on a spyware-included SDK and the OSes lack adequate controls for permissions and autorun to rein this in.

continues...

cwbussard,

@Fuzzbuzz @nuncio @campuscodi

...continued

#3 is defeated by using another DNS server instead of your ISP's. Note that browsers that implement DNS-over-HTTPS (e.g., Firefox) are already using another DNS server. Note also that this doesn't solve the problem; it just moves it. You've still got a DNS server out there that knows every site you visit. Just maybe one that's more trustworthy than your ISP. You hope. (In the future, the "oblivious DOT" protocol should go a ways towards fixing this, but that's not widely implemented yet.) (Running your own DNS resolver on a rented VPS is also an option.)

#4 is defeated by using a VPN. Again note that you're moving the problem rather than solving it. Your ISP can no longer snoop on your traffic, but the VPN operator can. (You can reduce this problem by running your own wireguard VPN on a cheap VPS from Digital Ocean, Linode, etc. The VPS provider might peek inside the VPS, but that's unlikely without legal process.)

Continues...

cwbussard,

@Fuzzbuzz @nuncio @campuscodi

The only solution for #5 is "don't log in." For situations where, for example, you want to be logged in to g-mail but not logged in to google search, Firefox's container tabs feature can isolate them from each other. (There's also an extension to automate always opening certain website in certain containers.)

To defeat #6, delete the browser state. Firefox's option to delete everything on shutdown suffices. Cookie Autodelete is a more aggressive solution.

#7 is tricky. Blocking first-party javascript stops it dead, but it often breaks websites. As a practical matter, Firefox's "resist fingerprinting" option stops most of this kind of tracking. And the CanvasBlocker extension stops a little more. However, it is theoretically impossible to stop tracking by a sufficiently sophisticated script that uses statistics to detect faked inputs. You can only hope that the bother of writing something that can beat FF's RFP isn't worth the effort for most adversaries.

Continues...

cwbussard,

@Fuzzbuzz @nuncio @campuscodi

#8 is easy. Third-party tracking stuff usually ends up on adblock lists really fast. So most adblock solutions will block third-party tracking.

Now, I bet you were wondering when I'd finally get to Blokada? Here we are. (Finally.)

The first thing I noticed about Blokada is that after 5 minutes on their website, I still can't find anything that clearly states how it works. This is not a good sign. This sort of opacity is usually a sign of hucksterism.

Anywho, as best I can tell, their basic product is a DNS server that blackholes ads and trackers. So, it's functionally equivalent to a Pi-hole. It should stop #3 and #8. But at the cost of trusting Blokada with all your DNS traffic. (Note also that blocking #3 without also blocking #4 is of limited use.)

They've also got a VPN product. That blocks #4, at the cost of trusting Blokada with all your traffic.
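The "DNS server that blackholes ads and trackers" model from the thread above, as an added illustration (not Blokada's or Pi-hole's code): a hosts-format blocklist is parsed, a query is sinkholed to 0.0.0.0 when the name or any parent domain is listed (that parent-domain rule is an assumption of this example), and every query, blocked or not, lands in the resolver's log, which is the "you've moved the problem" point. The blocklist and upstream answers are constructed sample data.

```python
"""Pi-hole-style DNS sinkhole policy (added example, not any product's code)."""
from dataclasses import dataclass, field

# Constructed sample blocklist in hosts format; none of these are real lists.
SAMPLE_BLOCKLIST = """\
# tracker list (constructed for this example)
0.0.0.0 tracker.example-ads.net
0.0.0.0 metrics.example-analytics.com
127.0.0.1 beacon.example-cdn.org   # 127.0.0.1 form is also common
example-ads.net                     # bare hostname form
"""

SINK_ADDRESSES = ("0.0.0.0", "127.0.0.1", "::")


def parse_hosts_blocklist(text):
    """Return the set of blocked names from a hosts-format list."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        # "0.0.0.0 host [host...]" lines carry names after the address;
        # a line without a sink address is treated as bare hostnames.
        names = parts[1:] if parts[0] in SINK_ADDRESSES else parts
        blocked.update(name.lower().rstrip(".") for name in names)
    return blocked


def is_blocked(qname, blocked):
    """Block if the query name or any parent domain is on the list (assumed policy)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


@dataclass
class Sinkhole:
    blocked: set
    upstream: dict                      # stand-in for a real upstream resolver
    query_log: list = field(default_factory=list)

    def resolve(self, qname):
        # Whoever runs this resolver sees every name you ask for, blocked or not.
        self.query_log.append(qname)
        if is_blocked(qname, self.blocked):
            return "0.0.0.0"            # blackholed: the tracker never loads
        return self.upstream.get(qname.lower().rstrip("."), "NXDOMAIN")


def demo():
    """Run a few constructed queries through the sinkhole."""
    resolver = Sinkhole(parse_hosts_blocklist(SAMPLE_BLOCKLIST),
                        {"news.example.org": "203.0.113.5"})
    answers = {q: resolver.resolve(q) for q in
               ("news.example.org", "sub.tracker.example-ads.net", "cdn.example-ads.net")}
    return answers, list(resolver.query_log)


if __name__ == "__main__":
    print(demo())
```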

GossiTheDog, to random

deleted_by_author

cwbussard,

@GossiTheDog

So what's the "buyer's" endgame here? What were they aiming to accomplish?

mattblaze, to photography

Park Junction, Philadelphia, PA, 2010.

The southern end of the former Reading Railroad.

All the pixels at https://www.flickr.com/photos/mattblaze/4472088022

cwbussard,

@mattblaze

OK, I usually ignore your photography posts, but this is fricking neat!

georgetakei, to random

There's a term "stochastic terrorism" for when someone triggers others to act so he can claim he had nothing to do with it. The law isn't good at stopping this. But Trump is now a criminal defendant, subject to limitations. Courts must now use their power to stop his online terrorism.

cwbussard,

@LouisIngenthron @peterdrake @georgetakei

I'd argue that the additional "seriousness" element that originated in the Whitney dissent survived Brandenburg.

(Also, you stated the second element a bit wrong -- it's likelihood that the lawlessness will occur under the given circumstances, not reasonable person -- but you already noted that elsewhere.)

continues...

cwbussard,

@LouisIngenthron @peterdrake @georgetakei

...continued

A big problem with the term "stochastic terrorism" is that it's vague. Depending on who's saying it, it may have some overlap with legally punishable "incitement," or it may have none. So, when someone calls for legal punishment for "stochastic terrorism," it's not really clear, to me at least, how much at odds with the First Amendment that position is. Are they focusing on one instance of "stochastic terrorism" that also qualifies as "incitement" and forgetting that the overlap is (much) less than total? Are they advocating for punishing an entire class of protected speech? Are they really just asking for enforcement against incitement and using the wrong word because "stochastic terrorism" is the new hip phrase all the cool kids are using?

continues...

cwbussard,

@LouisIngenthron @peterdrake @georgetakei

For the record, I think that a lot of Trump's "Will no one rid me of this turbulent priest?" statements DO qualify as incitement, and probably ought to be prosecuted. Is twice publishing Letitia James's home address a coded way of saying "somebody go kill her"? Yes, I think it is. Would killing her be lawless action? Yep. Serious lawless action? Yep. Immediate lawless action? Yes. "Now" seems to be implied along with "kill her." Is someone sufficiently likely to obey this exhortation, under the circumstances? Yes, I think so. I think, given that his exhortation to violence was obeyed on Jan 6, and his recent publication of Obama's home address actually prompted an idiot with a gun to show up, the exhorted lawlessness is a sufficiently likely outcome under these circumstances.

Prosecuting statements made in coded language is always a hard job for a prosecutor, but shying away from such prosecutions encourages repetition.

cwbussard,

@LouisIngenthron @peterdrake

Coded language is not magical armor against prosecution. We can and do prosecute people for the meaning of their statements even when the dictionary definitions of the words they used mean something else or when the statement leaves something unsaid but understood. See, e.g., just about every drug conspiracy case.

Prosecuting statements made in coded language can be a hard lift for prosecutors. You've got to convince the jury of the coded meaning beyond a reasonable doubt. But there's a distinction between "things that are not crimes" and "crimes that are a headache to prove." This is the latter, not the former.

ai6yr, to ai

cwbussard,

@ai6yr
@arstechnica

Does anyone have a link to the video or transcript of this closing argument?

seldo, to random

There are ads in the start bar in Windows 11, in an operating system I paid for. Whose joke of enshittification is this?

cwbussard,

@seldo

It's things like this that make me feel really smug about switching to Linux a few years back. I know Linux has a reputation for being difficult and "not for gaming," but I've found neither of those to be true.

briankrebs, to random

From the "I'd like to go back to bed now please" dept:

An arrest on gun possession charges in Queens, New York, in November 2021 has led the Federal Bureau of Investigation to a pedophilic, Satanist extortion cult that has victimized dozens if not hundreds of minors, according to law enforcement documents, court records and sources with knowledge of the investigation.

https://www.theguardian.com/us-news/2023/sep/28/new-york-satanic-cult-764-fbi

cwbussard,

@briankrebs

Satanist pedophiles? Really? Sounds more like the cops found a 4chan knockoff and fantasized the rest.

malwaretech, to random

I had a go-to for demonstrating that LLMs don't think or understand. LLMs sort of treated inputs a bit like separate queries. So if you could find two questions on the same topic where a Google search might result in contradictory answers, the training data might be contradictory enough to get the LLM to mirror those contradictions. You could ask two specific questions and get conflicting answers, then ask a third higher-level question that would require reconciling both contradictory answers. The LLM would just pick which of the conflicting answers was statistically most likely based on its data, and completely ignore the other. No matter what you did you could never get it to reconcile the two answers. If you asked follow-up questions, it would just go right back to giving contradictory answers.

Over time they'd patch the LLM, I assume by adding some kind of system to address inconsistency, giving the further illusion of thought and understanding. Basically any test you could possibly develop can be addressed without making the LLM intelligent or conscious. It's a great example of the core tenet of Solipsism. You can only be sure that you are conscious. Any sufficiently advanced external system can be made to imitate anything you perceive to show consciousness or intelligence. Since consciousness is a purely internal experience, there can never be any reliable way to test for it (also works both ways, you can't truly disprove it).

Too long, didn't read: are LLMs conscious or intelligent? We can never truly know, but common sense and wisdom says no on both counts.

cwbussard,

@malwaretech

I thought this was a pretty good demonstration that there's no "comprehension" going on.

https://benchmarks.llmonitor.com/sally

malwaretech, to random

Honestly, the idea that protecting hate speech increases freedom needs to die already.

https://throwawayopinions.io/the-american-illusion-of-free-speech.html?1

cwbussard,

@malwaretech

The case for protecting hate speech isn't a slippery slope argument that not protecting hate speech now will lead to not protecting other speech later. Rather it's a direct argument about the corrupt use of government power -- if we let the government decide what constitutes "hate speech," then whatever upsets the people in power will be labeled "hate speech" and prosecuted. All the examples you cite about US gov't agents stomping all over freedom of speech in other areas show why they can't be trusted with the power to define "hate speech." Think about that prosecutor who overcharges to compel cooperation -- what would he do if there were an anti-hate-speech law on the books? He'd think of a way to twist something you said around into "hate speech" so he could pile another bogus charge on top -- that's what!

[continues]

malwaretech, to random

This is absolutely crazy stuff. Chinese hackers were able to get into a bunch of government email accounts by forging Microsoft access tokens, but how it happened is wild.

Apparently an internal Microsoft system responsible for signing consumer access tokens crashed, then a bug in the crash dump generator caused the secret key to be written to the crash dump. Microsoft's secondary system for detecting sensitive data in crash dumps also failed, allowing the crash dump to be moved from an isolated network to the corporate one. The Chinese hackers compromised a Microsoft engineer's account and were able to get a hold of the crash dump. They were not only able to find the key and figure out that it's responsible for signing consumer access tokens, but were also able to exploit a software bug to use it to sign enterprise access tokens too, basically giving them the keys to the kingdom.

So many security systems had to fail for this to happen. Either the hackers were very lucky or extremely patient.

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

cwbussard,

@malwaretech

Sooo.....

1. Why is the machine holding the key crashing in the first place? Shouldn't that be a single-purpose machine that only ever executes one relatively simple, well-tested program for producing signatures?

2. Why move the dump to a less secure network for debugging?

3. Why delete logs?

Nightyear, to random

Really enjoyed @sawaba 's talk on Myths and Lies in Infosec (https://youtu.be/Bvps1JdYYlE) though I found myself wishing for the Director's Cut. I suppose it's good to leave the audience wanting more. Hope to some day buy Adrian a beverage and trade stories about Ponemon Institute and various other absurdities in this fledgling industry.

cwbussard,

@Nightyear @sawaba

Wait a minute, who is that one company? Did I miss the part where he said who it was?

briankrebs, to random

Small scoop here: In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

From the story:

"...the researchers learned the attackers frequently grouped together victims by sending their cryptocurrencies to the same destination crypto wallet.

By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.

Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story."

cwbussard,

@briankrebs

I suppose the two big lessons here are:

(1) The people in charge at LastPass are just buffoons. They've had so many second chances, and they just keep screwing up. They're simply not capable of making a secure password manager and no one should use their product again ever.

(2) Cloud storage for a password manager is just a fundamentally bad idea. Something is inevitably going to go wrong. And this is what happens when it does.

I'm skeptical about low iterations on the KDF being the culprit here. Sure, having low KDF iterations like this is really bad -- like "comically negligent" kinda bad. But I'd assume that these sophisticated victims ought to have strong enough LastPass master passwords to survive brute force regardless of the KDF iterations. I'm thinking there's something cryptanalytic at play here -- a padding oracle or a dumb AES mode or dumb IV reuse or something. I'm flagging @matthew_d_green who actually knows about this stuff and might have a better idea.

Popehat, to random

cwbussard,

@Popehat

I'm beginning to think that we live in some kind of Douglas-Adams-ian universe in which the very structure of reality itself has been organized with the goal of irritating Ken.

pluralistic, to random

Today's threads (a thread)

Inside: Paying consumer debts is basically optional in the United States; and more!

Archived at: https://pluralistic.net/2023/08/12/do-not-pay/

1/

cwbussard,

@pluralistic

Back when I practiced law in NYC, I did consumer bankruptcy, along with some debt collection defense and FDCPA stuff too. So this is a subject near and dear to my heart. I've got some thoughts. Oh yes I do.

First and foremost, Mr. McKenzie seems not to understand something of really critical importance: The harassment calls and the eventual lawsuit are largely operating on independent tracks. Stopping the calls may give great psychic relief, but it doesn't stop the sue-sue train that's coming down the tracks. If you don't do something about that then one day you're going to wake up to a frozen bank account.

For this reason, I'm concerned about the impression readers may take away from a "paying consumer debts is basically optional in the United States" tone. Often that's not the case, and believing that dealing with the calls fully deals with the problem can set someone up for a terrible surprise.

(continues...)

cwbussard, to random

@pluralistic

"Truly, any big number multiplied by an imaginary number can be turned into an even bigger number."

But "imaginary number" is a term with a defined meaning: some real number multiplied by the square root of -1. So a big number multiplied by an imaginary number yields another imaginary number. It's still rhetorically apt though, since imaginary numbers defy common sense definitions of "positive" and "negative," much like Uber's balance sheet.

georgetakei, to random

Wait. She paid them HOW much in bonuses? Incredible. https://bit.ly/3qj0cAz

cwbussard,

@georgetakei

I don't care for her music, but it's hard not to like her for this.
