Musician, mechanic, writer, dreamer, techy, green thumb, emigrant, BP2, ADHD, Father, weirdo
https://www.battleforlibraries.com/
#DigitalRightsForLibraries
https://f-droid.org/packages/com.github.olga_yakovleva.rhvoice.android/
I user thus as a plugin for my epub reader.
My past employers have said the same, until I showed them they were already using apache, nginx, postgresql, MariaDB, and OpenWRT among other things.
A lot of shops think that using proprietary tools means they can demand fixes for critical vulnerabilities, but in my experience, even proprietary dev teams just reply that the code maintainers are aware and working on a fix.
Apache vuln? Here’s the link to their acknowledgment of that CVE and exactly what modules are affected.
That may show that the flaw is in an unused module, like node.js, but even when it is applicable, they just wait for the code maintainers to address it. They take no responsibility themselves.
that’s why I opened with “I wouldn’t call it writing on the wall.”
Damn; you’re right. My bad. I somehow missed your opener saying exactly the opposite of what you were saying.
Everything you said is true and verifiable, and worth considering when you decide which service to use. It’s a lot of reasons to favor the .onion/tor version of their service to limit what they have access to depending on your privacy stance.
In combination with tracker control, you can see who they connect to and block piecemeal, or simply block their connection completely (you don’t need an app for that, though).
A new data set obtained from a US data broker reveals for the first time about 40,000 apps from which users‘ data is being traded. The data set was obtained by a journalist from netzpolitik.org as a free preview sample for a paid subscription. It is dated to a single day in the summer of 2024.
Among other things, the data set contains 47 million “Mobile Advertising IDs”, to which 380 million location data from 137 countries are assigned. In addition, the data set contains information on devices, operating systems and telecommunication providers.
Ths investigation is part of an international cooperation by the following media: Bayerischer Rundfunk/ARD (Germany), BNR Nieuwsradio (Netherlands), Dagens Nyheter (Sweden), Le Monde (France), netzpolitik.org (Germany), NRK (Norway), SRF/RTS (Switzerland) and WIRED (USA).
- The approximately 40,000 apps in the new dataset cover a wide range of categories, from gaming, dating and shopping to news and education. They include some of the most popular apps worldwide, with millions of downloads in some cases.
- For a smaller number of apps, the data set contains alarmingly precise location data. This data can help to identify a person’s place of residence. These apps include the queer dating app Hornet with more than 35 million users; the messaging app Kik with more than 100 million downloads in the Google Play Store alone; Germany’s most popular weather app Wetter Online, which also has more than 100 million downloads in the Google Play Store; and the flight tracking app Flightradar24 with more than 50 million downloads in the Googles Play Store; the app of German news site Focus Online and classifieds apps for German users (Kleinanzeigen) and French users (leboncoin).
- For a bigger number of apps, less precise locations which appear to have been derived from IP addresses can be found in the data set. This list includes popular apps such as Candy Crush, Grindr, Vinted, Happy Color, dating apps Lovoo and Jaumo, news aggregator Upday, German email apps gmx.de and web.de as well as the popular dutch weather app Buienalarm.
- Since the sample only covers one day, it is difficult to identify people based on their locations from this data set alone. However, in combination with other data sets from the advertising industry, which the research team obtained from data brokers, it’s possible to identify and track people on a large scale. The location data might for example provide clues to their home and work addresses.
- Thus, the team was able to identify users of Wetter Online in Germany and Kik in Norway. The individuals confirmed that the data must belong to their devices and their use of the respective apps.
- Location data aside, the mere information about who uses which apps can already be dangerous. For example the data set includes numerous Muslim and Christian prayer apps, health apps (blood pressure, menstruation trackers) and queer dating apps, which hint at special categories of personal data under GDPR.
Where did the data set come from?
The research team obtained the data set from US data broker Datastream Group, which now uses the name Datasys. The company did not respond to multiple requests for comment.
Contact with the data broker was established through Berlin-based data marketplace Datarade. The company states in response to inquiries that it does not host any data itself. According to a spokesperson „Data providers use Datarade to publish profiles and listings, enabling users to contact them directly“. Datarade „requires data providers to obtain valid consent in case they’re processing personal data and to aggregate or anonymize data in case they’re processing sensitive personal data“.
Where does the data originate?
According to our analysis, the data originates from Real Time Bidding (RTB), which is a process in the online advertising ecosystem. These are auctions in which advertising inventory of apps and websites is sold. In the process, apps and websites send data about their users to hundreds or thousands of companies. These data contains the information that we can see in our dataset. There have already been multiple warnings that advertising companies are collecting the data from RTB in order to sell it – often without the knowledge or explicit consent of the users or their apps.
What the apps say
None of the apps we confronted so far states they had business relations with Datastream Group / Datasys. The apps Hornet and Vinted for example wrote, that they cannot explain how their users‘ data ended up with data brokers. Queer dating app Hornet emphasizes that it does not share actual location data with third parties and announces an investigation. Other companies such as Kik, Wetter Online, Kleinanzeigen, Flightradar, Grindr and King, the company behind the game Candy Crush, did not respond to press inquiries.
Important excerpt:
“Introducing a scanning application on every mobile phone, with its associated infrastructure and management solutions, leads to an extensive and very complex system. Such a complex system grants access to a large number of mobile devices & the personal data thereon. The resulting situation is regarded by AIVD as too large a risk for our digital resilience. (…) Applying detection orders to providers of end-to-end encrypted communications entails too large a security risk for our digital resilience”.
I agree that most websites don’t load without JavaScript, but you don’t need seven or more different domains with java allowed for the main site to work. Most sites have their own, plus six google domains, including tag manager, Facebook, etc. I whitelist the website and leave the analytics and tracking domains off.
I’m nor a cash-only convert, but I have some anecdotal evidence for you.
I’ve visited Boston five times in the past thirty years. Every single time I used my debit card at Thanuel Hall for food, my card was later used for fraud. Always caught and never a big inconvenience beyond replacing my card, but still not ideal. I only ever use cash there now.
Online shopping, before the Amazon monopoly on e-commerce, my card would get compromised every few months.
Now I use privacy.com for all transactions that allow it, and its amazing how often those cards are stolen. Thanks to the way the service works, the stolen cards are useless to scammers or thieves, but my declined transaction filter has a few charges declined each month.
My point being that if you want to avoid fraud, and you can do it, cash is king.
Okay, I do recall that our software had a feature that could classify on "DHCP requested options’, but it was low-fidelity, unreliable. Ultimately, the software works best with known devices, and isn’t very good at reliably classing unknowns.
As you say, just the first few seconds of actual traffic from a device is so rich in terms of ID characteristics compared to DHCP.
I used to provide commercial end-user support for a network intelligence product that used as much metadata as possible to help classify endpoints, shuffling them off to the right captive portals for the right segment based on that data.
I can tell you that the things you’re saying are transmitted in a DHCP request/offer are just not. If they were, my job would’ve been a LOT easier. The only information you can count on are a MAC address.
I can’t view that link you shared, but I’ve viewed my share of packet captures diagnosing misidentified endpoints. Not only does a DHCP request/offer not include other metadata, it can’t. There’s no place for OS metrics. Clients just ask for any address, or ask to renew one they think they can use. That only requires a MAC and an IP address.
I suppose DHCP option flags could maybe lead to some kind of data gathering, but that’s usually sent by the server,not the client.
I think, at the end of the day, fighting so that random actors can’t find out who manufactured my WiFi radio just isn’t up there on my list of “worth its” to worry about.
Re: DuckDuckGo:
You can sign-up and manage your aliases from any browser on any OS
But not on the TOR or Mull browsers on Android:
ETA: I use both DDG and SimpleLogin. I recently bumped up against the ten alias limit in SL, but I prefer the ease of creating outgoing aliases in their dashboard vs the DDG method of manually typing with underscores. That said, they both come in handy and I have dozens of DDG aliases that helped me break my dependence on gmail as my single email provider. Never tried Addy.
If you’re unfamiliar with the change being implemented, Google is using every android device to detect every other device and report that location to a central database. You can then go to the Find My Device app or website and your device can be located if it’s been seen by any other device.
There’s no need for the user to access anybody else’s device.
My concern is that my privacy is now being invaded by all the scanning devices in my area, and everybody’s movements are even more transparent for the data brokers.
The email has a link to opt out too.
Here it is for anyone else interested: opt out of the network
I’ve been out of the US since late '22 and they still haven’t cut my data or sent one email about it. I expected to lose it after 90 days. I get a google play services error once in a while about Fi needing it to have all permissions, but I don’t have any problems leaving them off. My next install of lineage I’m going to try no GApps and see if it still works. I know the LOS team say you need it for Fi.
We can already tell you the age, gender, hobbies, kinks, frequently visited spots and how long they stay there, who goes with them and who they meet, what they think about, when they go to sleep, but wouldn’t you also like to know where they are and who they’re near when their devices are offline with Bluetooth on? We can do that now too! Creepy? No! They think it’s so they can [checks notes] find their device even if its offline.
-Google probably
Some AV Processors include a night mode or loudness processing that attempts to normalize the levels. In practice, the levels will lower some, but perhaps not enough to alleviate the problem.
You could try reporting the provider, but it’s likely their legal team would argue the CALM act doesn’t apply to them. Come to think of it, the FCC may not have ever formalized the rules still…
This is classic efficient market hypothesis brain worms, the kind of cognitive dead-end that you arrive at when you conceive of people in purely economic terms, without considering the power relationships between them. It’s a dead end you navigate to if you only think about things as they are today – vast numbers of indebted people who command fewer assets and lower wages than at any time since WWII – and treat this as a “natural” state: “how can these poors expect to be offered more debt unless they agree to have their all-important pocket computers booby-trapped?”
-Cory Doctorow from his blog, unintentionally addressing you
I was wrong that it was water-themed. It was “Pacific Drive” which I guess made me think of underwater. I never got a chance to play it, and it’s no longer in my library. I think there was another one, but I can’t remember now. It was a while back that I discovered it.
EDIT: I agree with you 100% about ABZU. Boring after the first five minutes. Also, I don’t see Pacific Drive on the free games list. I need to try to remember the sequence of events. I know I never bought it, because I’ve never bought any games from EGS; all my titles were free ones.