evenwicht

Privacy seekers rightfully bad-mouth Google and Microsoft. Yet I don’t see the slightest trace of fedi chatter about things like:

• detecting whether an email address is hosted by Google or MS
• snail mail issues and snail mail generally (pretty much no one took notice that a whole country pulled the plug on postal mail)
• getting proof of delivery without paying extortionale registered letter prices
• getting ignored because corps/govs who receive snail mail cannot be bothered to respond via post
• how to align addresses in windowed envelopes - reusing windowed envelopes
• what email services deliberately block MS and Google servers
• onion-only email services with no clearnet addressing
• mail clients that flag inbound messages with whether Google or MS were in the loop (by doing a header inspection)
• using GDPR art.17 to get your email address removed after finding that a sender uses MS or Google.

etc..

Am I the only person in the world who refuses to send email to an MS or Google recipient, or give them an email address?

I’m trapped with a shitty bank and won’t go into the reasons here.

This is what happened: I called to pay the bill. The idiot at the bank gave a pay-off quote that included interest charges of less than $2, even though the bill was not due yet. There should be no interest in this case. He would not listen. So I’m like, fuck it, I’ll pay what he quotes and then dispute the interest charge when it comes.

The billing system did the right thing.. did not charge interest. So of course I ended up with a tiny credit <$2. The asshole bank could not just let that small credit sit because there is a business advantage if they zero out all positive balances to increase the chances of a negative the next month. So they mailed a paper check for the credit.

It’s not worth my time and effort to cash a check so small. But I’ll also be damned if I let that be a donation to the bank. So I just sat on the check until it became stale and worthless. The check is bad, but the bank still owes me the money. So then I call the bank to say: hey, don’t bother sending another check, just credit my account with that amount, toward by current balance. The banker refused. In fact, the banker tried to say the money was gone -- that I lose it because it’s my fault the check is bad. I know that’s not how it works. The check goes bad but the debt does not. The bank still owes me the money. Customer service genuinely seemed clueless about that.

I spent 90 minutes on the phone arguing over this. Customer rep had to repeatedly check with management. In the end, the bank still refused to credit the account but they agreed to send another check. WTF. I guess I will just repeat the pattern until they learn.

Customer service is not cheap. Someone once told me what the bank pays per minute on phone support. I don’t recall what the figure was but it was shockingly high. I wonder how much this tiny check will cost the bank as it sits in limbo and causes repeat customer service calls, in a loop.

Some obnoxious piece of shit scumbag has been non-stop attacking Debian testers with a flood of spam the past several days.

Why attack a harmless charity? Why not target a shitty expoitive platform like MS Github instead? It’s choosing to target an organisation that just helps people. It would be like entering a public library and taking a shit on the carpet, when you could have just as well taken a shit on the hood of Elon Musk’s car hood instead, for example.

This is not just a rant. I want a serious answer. I have a vague notion of why spam exists. It’s not just malice without purpose. Cyber criminals build botnets to effectively create powerful supercomputers for very little money by hijacking their victim’s CPU cycles and the energy that drives them. Then they sell supercomputing access on the black market, or they mine cryptocurrency. Those criminal botnets need to be controlled surreptitiously.

Spam somehow facilitates the command and control of the botnets. Supposedly… though I struggle to understand why. When spam is sent to some arbitrary recipient, how does that serve as a command signal? Is it perhaps a mechanism that only serves the botnet if the spam recipient happens to be unwittingly part of the botnet? Thus everyone who is not on the botnet who receives spam, it’s just a waste for everyone?

Surely there are more clever ways to anonymously control a botnet without shitting on the world with spam. Surely the rage spam causes motivates intelligence agencies to shut them down, no?

1990s botnets were clumbsy. The greed was unhinged so they would steal as many CPU cycles from each PC as possible. When someone’s PC is so sluggish it’s intolerably dysfunctional, it was a big red flag. The victim reinstalled Windows to overcome and thus shrinks the botnet, which increases the botnet owner’s burden of having to reinfect more PCs. So they got more clever.. they only steal enough processing to go unnoticed. I’m not seeing how spam fits into modern day clever crimes.

Before sharing my email address with some person or some org, I do an MX DNS lookup on the domain portion of their email address. It’s usually correct. That is, if the result is not of the form *.mail.protection.outlook.com, then that recipient is not using Microsoft’s mail server.

But sometimes I get stung by an exception. The MX lookup for one recipient yielded barracudanetworks.com, so I trusted them with email. But then they sent me an email and I saw a header like this:

Received: from *.outbound.protection.outlook.com (*.outbound.protection.outlook.com…

Is there any practical way to more thoroughly check whether an email address leads to traffic routing through Microsoft (or Google)?

I’m working on a campaign against the use of Facebook by gov administrations. So far I have like 20 or so pages covering human rights violations by the gov when they impose the use of Facebook. But I have not yet written anything about addiction or mental health in this context.

I have never used Facebook myself, so I’m working somewhat blind. The question is whether Facebook is addictive and ultimately to what extent can it be faulted for mental health issues. I mean, of course it’s addictive to some extent, as is just about everything and anything. But the question is whether it can reasonably be argued that when a government pushes the use of Facebook onto people, is the gov significantly undermining people’s human right to living in good health? Or is that a far-fetched or crazy enough that it would actually dilute the campaign against gov-forced use of FB?

There are countless public wi-fi access points that push captive portals which collect identity info on users and track them. The purpose of the privacy intrusion is (allegedly) so they can respond to complaints about unacceptable use. Or worse, so they can directly snoop on their own users activity to police their behavior. Those burdens are not cost-free. Babysitters cost money.

Tor solves this problem. There can be no expectation that a service provider nanny Tor users because they naturally cannot see what users are doing. You are only responsible for what you know -- and for what data you collect. The responsibility of Tor users falls on the exit nodes (to the extent they are used, as opposed to onions).

It’s bizarre how public access admins often proactively block egress Tor traffic, out of some ignorant fear that they would be held accountable for what the user does. It’s the complete opposite. Admins /shed/ accountability for activity that they cannot monitor. If it’s out of their hands, it’s also beyond their responsibility. This is Infosec Legal Aspects 101 -- don’t collect the info if you don’t want the responsibility that the data collection brings. Somehow most of the population has missed that class and remains driven by FUD instead. They foolishly do the opposite: copious overcollection, erroneously thinking that’s the responsible thing to do.

In principle, if you want to deploy gratis Internet access to a population free of captive portals and with effortless administration that respects the privacy of users, then it is actually clearnet traffic that you would block. If you allow only Tor traffic, you escape the babysitter role entirely.

In thinking about how to configure this, first thought was: setup a Tor middlebox transparent proxy and force all traffic over Tor. The problem with that is you would actually still have visibility on the traffic before it gets packaged for Tor, so it fails in the sense that you could technically be held liable for not babysitting the traffic between the user and the Tor network. OTOH, the chances of receiving a complaint from the other side of the Tor cloud are naturally quite low. Still, it’s flawed.

It really needs to be a firewall that blocks all except Tor guard nodes. A “captive portal” of sorts could be used to inform clearnet users that only Tor traffic is permitted, which could give some basic advice about Tor, such as local workshops on installing a Tor client.

It imposes a barrier to entry of both knowledge and wisdom on users. So be it; it is what it is. Not everyone can expect a free hand-out, and it’s usually Tor users to face the oppression of access denial. Of course the benefit is that some people will decide to install Tor in order to use the hotspot.

I’ve pulled the plug on the Internet. After a few months of being offline, these are my findings:

• Love DAB radio; even in a region with only one English station, it’s enough to get my news. Very grateful for BBC!
• Great to exercise the power of boycott and say “fuck you” to shitty ISPs. In the US, most ISPs support the republicans. And most ISPs worldwide do not accept cash payments (thus support the oppression of forced-banking).
• Very grateful for some¹ public libraries with truly open and anonymous wi-fi. (¹ some is stressed b/c sadly most public libraries outsource Internet to shitty big corps and are elitist enough to deny wi-fi to those who lack a GSM subscription [i.e. those who most need wi-fi], and some libs also block egress Tor [indeed they are naïve about how liability and accountability works])
• Web enshitification has less of an impact when just getting the web in small doses as a periodic library visit.
• No more wasting time doom scrolling.
• Money saving. Broadband costs are unreasonable in most parts of the world.
• Sending postal mail instead of e-mail is liberating, as it cuts Microsoft out of the loop (almost all businesses and gov offices use MS email). Also fun to typeset letters in LaTeX.
• ArgosTranslate enables offline people to machine-translate documents. This is great for privacy anyway, because it’s a bad idea to trust the cloud with translating personal docs you get in the mail.

Shortcomings:

• Severe lack of offline apps. In the 90s and 2000s when many people had spotty access, apps were more accommodating of that. There are no Mastodon, Lemmy, or Kbin apps to facilitate offline reading and writing, and periodic syncing.
• Most websites are now designed to assume everyone has 24/7 access. Coupled with an unhealthy and short-sighted hostility toward bots, webpages are rich with JS. They are a shit-show to download and tend not to make content easily fetchable for later consumption.
• Can be tedious to find open hotspots outside of libraries where you can make enough noise to make a VOIP call. (UPDATE: fortunately hospitals tend to have open wi-fi access and generally no noise constraints. Some libraries have a lobby where VOIP calls can be made)

I could really use a way to synchronize posts and messages (XMPP, Lemmy, Mastodon, e-mail) with a smartphone, and then to synchronize the phone with a PC. This would really cut down on having to lug a laptop around. An Android app would serve the most people, but it’d perhaps be easier to implement on a linux-based phone like PostmarketOS.

Advice if you want to try unplugging, in baby steps

A non-stop broadband contract with continuous billing setup is designed to be inconvenient to stop. Perhaps there is a threat of startup costs if you want to return to their service, and pains of returning equipment. Bear in mind they are exploiting your auto-pilot comfort by giving startup discounts to new customers but not to their loyal boot-lickers. You can probably save money if you’re willing to bounce around to other providers anyway.

Find a cheap prepaid mobile data package and make your phone a hotspot. Or if you are more advanced get an LTE USB modem that plugs into a router that supports a GSM uplink. “Cheap” in this case does not mean cheap per meg -- it means cheaper per month if you can greatly reduce your consumption by doing things like killing the graphics on your web browser. If you have enough discipline you can get by on ~5gb/month for probably around $5—10. It’s enough for basic comms.

When your 5gb (or whatever) of mobile data runs out, don’t topup right away. See how long you can hold out. Use the library wifi. I would have a week of offline time after my data runs out before topping up. Then each cycle that timespan grew. Now I have been offline for months.

Prepaid mobile broadband is a good middle step because you are not pushed to stay on an auto-pilot plan. It’s actually the opposite.. you have the inconvenience of topping up each time you need to continue your access, which is perfect for a progression into offlineness.

I wonder what is the rationale. Will be shitty if all FM radios become bricks because of some stupid push to obsolete them.

Or is there a smarter plan, like using the bandwidth for something more worthy than FM radio?

UPDATE

Some more FM advantages:

Fast channel changing.

Better reception. There is a station in my city that transmits both DAB and FM. Their DAB signal has chronic cut-outs but their FM station is good enough. And in general, weak FM signals are still useful while weak DAB signals are unusable. So a DAB-only policy marginalises people who live remote from the cities.

cross-posted from: https://lemmy.sdf.org/post/36402193

The knee-jerk answer when an app pushes designed obsolescence by advancing the min Android API required is always “for security reasons…” It’s never substantiated. It’s always an off-the-cuff snap answer, and usually it does not even come from the developers. It comes from those loyal to the app and those who perhaps like being forced to chase the shiny with new phone upgrades.

Banks, for example, don’t even make excuses. They can just neglect to be mindful of the problem and let people assume that some critical security vuln emerged that directly impacts their app.

But do they immediately cut-off access attempts on the server-side that come from older apps? No. They lick their finger and stick it in the air, and say: feels like time for a new version.

It’s bullshit. And the pushover masses just accept the ongoing excuse that the platform version must have become compromised to some significant threat -- without realising that the newer version bears more of the worst kinds of bugs: unknown bugs, which cannot be controlled for.

Banks don’t have to explain it because countless boot-licking customers will just play along. After all, these are people willing to dance for Google and feed Google their data in the first place.

But what about FOSS projects? When a FOSS project advances the API version, they are not part of the shitty capitalist regime of being as non-transparent as possible for business reasons. A FOSS project /could/ be transparent and say: we are advancing from version X to Y because vuln Z is directly relevant to our app and we cannot change our app in a way that counters the vuln.

The blame-culture side-effect of capitalism

Security analysis is not free. For banks and their suppliers, it is cheaper to bump up the AOS API than it is to investigate whether it is really necessary.

It parallels the pharmacutical industry, where it would cost more to test meds for an accurate date of expiry. So they don’t bother.. they just set an excessively safe very early expiration date.

Android version pushing is ultimately a consequence of capitalist blame-culture. Managers within an organisation simply do not want to be blamed for anything because it’s bad for their personal profit. Shedding responsibility is the name of the game. And outsourcing is the strategy. They just need to be able to point the blame away from themselves if something goes wrong.

Blindly chasing the bleeding-edge latest versions of software is actually security-ignorant¹ but upper management does not know any better. In the event of a compromise, managers know they can simply shrug and say “we used the latest versions” knowing that upper managers, shareholders, and customers are largely deceived into believing “the latest is the greatest”.

¹ Well informed infosec folks know that it’s better to deal with the devil you know (known bugs) than it is to blindly take a new unproven version that is rich in unknown bugs. Most people are ignorant about this.

Research needed

I speak from general principles in the infosec discipline, but AFAIK there is no concrete research specifically in the context of the onslaught of premature obsolescence by Android app developers. It would be useful to have some direct research on this, because e-waste is a problem and credible science is a precursor to action.

cross-posted from: https://lemmy.sdf.org/post/36402193

The knee-jerk answer when an app pushes designed obsolescence by advancing the min Android API required is always “for security reasons…” It’s never substantiated. It’s always an off-the-cuff snap answer, and usually it does not even come from the developers. It comes from those loyal to the app and those who perhaps like being forced to chase the shiny with new phone upgrades.

Banks, for example, don’t even make excuses. They can just neglect to be mindful of the problem and let people assume that some critical security vuln emerged that directly impacts their app.

But do they immediately cut-off access attempts on the server-side that come from older apps? No. They lick their finger and stick it in the air, and say: feels like time for a new version.

It’s bullshit. And the pushover masses just accept the ongoing excuse that the platform version must have become compromised to some significant threat -- without realising that the newer version bears more of the worst kinds of bugs: unknown bugs, which cannot be controlled for.

Banks don’t have to explain it because countless boot-licking customers will just play along. After all, these are people willing to dance for Google and feed Google their data in the first place.

But what about FOSS projects? When a FOSS project advances the API version, they are not part of the shitty capitalist regime of being as non-transparent as possible for business reasons. A FOSS project /could/ be transparent and say: we are advancing from version X to Y because vuln Z is directly relevant to our app and we cannot change our app in a way that counters the vuln.

The blame-culture side-effect of capitalism

Security analysis is not free. For banks and their suppliers, it is cheaper to bump up the AOS API than it is to investigate whether it is really necessary.

It parallels the pharmacutical industry, where it would cost more to test meds for an accurate date of expiry. So they don’t bother.. they just set an excessively safe very early expiration date.

Android version pushing is ultimately a consequence of capitalist blame-culture. Managers within an organisation simply do not want to be blamed for anything because it’s bad for their personal profit. Shedding responsibility is the name of the game. And outsourcing is the strategy. They just need to be able to point the blame away from themselves if something goes wrong.

Blindly chasing the bleeding-edge latest versions of software is actually security-ignorant¹ but upper management does not know any better. In the event of a compromise, managers know they can simply shrug and say “we used the latest versions” knowing that upper managers, shareholders, and customers are largely deceived into believing “the latest is the greatest”.

¹ Well informed infosec folks know that it’s better to deal with the devil you know (known bugs) than it is to blindly take a new unproven version that is rich in unknown bugs. Most people are ignorant about this.

Research needed

I speak from general principles in the infosec discipline, but AFAIK there is no concrete research specifically in the context of the onslaught of premature obsolescence by Android app developers. It would be useful to have some direct research on this, because e-waste is a problem and credible science is a precursor to action.

The knee-jerk answer when an app pushes designed obsolescence by advancing the min Android API required is always “for security reasons…” It’s never substantiated. It’s always an off-the-cuff snap answer, and usually it does not even come from the developers. It comes from those loyal to the app and those who perhaps like being forced to chase the shiny with new phone upgrades.

Banks, for example, don’t even make excuses. They can just neglect to be mindful of the problem and let people assume that some critical security vuln emerged that directly impacts their app.

But do they immediately cut-off access attempts on the server-side that come from older apps? No. They lick their finger and stick it in the air, and say: feels like time for a new version.

It’s bullshit. And the pushover masses just accept the ongoing excuse that the platform version must have become compromised to some significant threat -- without realising that the newer version bears more of the worst kinds of bugs: unknown bugs, which cannot be controlled for.

Banks don’t have to explain it because countless boot-licking customers will just play along. After all, these are people willing to dance for Google and feed Google their data in the first place.

But what about FOSS projects? When a FOSS project advances the API version, they are not part of the shitty capitalist regime of being as non-transparent as possible for business reasons. A FOSS project /could/ be transparent and say: we are advancing from version X to Y because vuln Z is directly relevant to our app and we cannot change our app in a way that counters the vuln.

The blame-culture side-effect of capitalism

Security analysis is not free. For banks and their suppliers, it is cheaper to bump up the AOS API than it is to investigate whether it is really necessary.

It parallels the pharmacutical industry, where it would cost more to test meds for an accurate date of expiry. So they don’t bother.. they just set an excessively safe very early expiration date.

Android version pushing is ultimately a consequence of capitalist blame-culture. Managers within an organisation simply do not want to be blamed for anything because it’s bad for their personal profit. Shedding responsibility is the name of the game. And outsourcing is the strategy. They just need to be able to point the blame away from themselves if something goes wrong.

Blindly chasing the bleeding-edge latest versions of software is actually security-ignorant¹ but upper management does not know any better. In the event of a compromise, managers know they can simply shrug and say “we used the latest versions” knowing that upper managers, shareholders, and customers are largely deceived into believing “the latest is the greatest”.

¹ Well informed infosec folks know that it’s better to deal with the devil you know (known bugs) than it is to blindly take a new unproven version that is rich in unknown bugs. Most people are ignorant about this.

Research needed

I speak from general principles in the infosec discipline, but AFAIK there is no concrete research specifically in the context of the onslaught of premature obsolescence by Android app developers. It would be useful to have some direct research on this, because e-waste is a problem and credible science is a precursor to action.

Europe has a legal cap (0.9%) on the fee the credit card companies charge to the merchants. In the US there is no limit, so merchants get hammered with fees of ~3—5%. US credit cards often offer a 1% kickback to cardholders for using their card. Some credit cards offer as much as 5% as a kickback on certain categories of purchases, like groceries. Some credit cards also charge a zero percent markup on foreign currency exchange.

So if you use a forex-free card with rewards in Europe on a purchase that has a rebate that exceeds 1%, the merchant only absorbs 0.9% of the cost. The bank loses 4.1% on a 5% rebate.

Or am I missing something? The bank obviously still profits from purchases in categories with a lower rebate, and late fees and interest.. but of course only if you make that happen.