Onno (VK6FLAB)

Anything and everything Amateur Radio and beyond. Heavily into Open Source and SDR, working on a multi band monitor and transmitter.

#geek #nerd #hamradio VK6FLAB #podcaster #australia #ITProfessional #voiceover #opentowork

  • 6 Posts
  • 63 Comments
Joined 1Y ago
Cake day: Mar 04, 2024


In my experience, Sarcasm and Satire appear to have cultural hooks that prevent them from translating well online.




Not just the EU, the rest of the world. The whole point of OSS was to distribute knowledge across all of humanity, not just be used as a way to make trillions of dollars in profits by a few billionaires working off the backs of OSS developers.


cross-posted from: https://infosec.pub/post/25342439


Undocumented “backdoor” found in Bluetooth chip used by a billion devices
Update: https://darkmentor.com/blog/esp32_non-backdoor/

I only noticed the € vs $ because I was searching for the case, so all good.

It’s telling that they continue to attract fines. I saw the ones you mentioned also but didn’t have the energy to start digging.

Despite assertions made to the contrary in this thread, I’m not at all convinced that they’re doing anything other than maximising shareholder value to the exclusion of all other considerations, including making a risk assessment in relation to paying fines versus compliance with the law.


Interesting: when you read that article, it says that Meta will appeal. Searching for the GDPR fine and the appeal, all I found was more fines, but no records of the results of any appeals.

Also, it was €1.2 Billion, not $1.2 Billion.


Again, you vastly underestimate the size of Meta.

In the last quarter of 2024 it shows a net income of $20,838 million. A $20 million fine would change that 3 into a 1 and again, that’s net income for just three months.

Source: https://investor.atmeta.com/investor-news/press-release-details/2025/Meta-Reports-Fourth-Quarter-and-Full-Year-2024-Results/default.aspx


What are the legal implications of hosting this information in a different jurisdiction and are there places where this data would be legally protected?


Think about it in terms of risk / reward or if you like, shareholder value.

If the value of the data exceeds the fine combined with the risk of it being discovered, the data will continue to exist.

Factor in the cost of actually guaranteeing that something is deleted across all online, nearline, offline and archived data stores, and the chances of anything being purposely deleted are not high.

Accidental data loss, sure, purposeful data loss, I can’t see it happening.




Perhaps you should ask the moderator of the community from where that post was removed.


I’ve been using Adguard public DNS for over a year across my LAN and it works great, with much less hassle than a pihole, which I previously used for years.

I miss the ability to add random hosts to either black or white lists, but in reality only used it sporadically.


All google advertising does that. It’s blocked in my network too.


There is no mention of e-ink, OP has an Android device, I have an Android device, I read eBooks on it daily, I use FBReader. I’m not sure what all the kerfuffle is about.




And now you know why we’ve been telling you not to use Telegram.


You don’t need to.

By using metrics like IP address, age, gender, race, religion, city, workplace, application, website, favourite song, colour and flavour, throw in a few more questions and you can lucratively target specific groups of people.

By COMBINING those metrics you can target extremely small groups of people, groups with precisely ONE member.

No need for a unique GUID at all.
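An added example (mine, not part of the comment above; the eight-row user table is made up) that makes the point measurable: bucket the table by a growing set of the "metrics" listed, then count how many people are the only member of their bucket and how small the smallest bucket gets (the k-anonymity of that attribute set). Nothing in the table is an identifier on its own, yet five ordinary attributes single out every row.

```go
package main

import (
	"fmt"
	"strings"
)

// Person is one row of a constructed user table. The people and values are
// made up for this example; the fields are the sort of "metrics" an ad
// platform holds, none of which is an identifier on its own.
type Person struct {
	City, Workplace, AgeBand, Song, Colour string
}

// sampleUsers is constructed data: eight people, several of whom share most
// attributes with somebody else.
var sampleUsers = []Person{
	{"Perth", "Hospital", "30-39", "Song A", "blue"},
	{"Perth", "Hospital", "30-39", "Song B", "blue"},
	{"Perth", "Mine", "40-49", "Song A", "red"},
	{"Perth", "Mine", "40-49", "Song A", "blue"},
	{"Sydney", "Hospital", "30-39", "Song A", "green"},
	{"Sydney", "Bank", "20-29", "Song C", "blue"},
	{"Sydney", "Bank", "20-29", "Song C", "red"},
	{"Perth", "Hospital", "30-39", "Song A", "red"},
}

// attr reads one named attribute off a record.
func attr(p Person, name string) string {
	switch name {
	case "city":
		return p.City
	case "workplace":
		return p.Workplace
	case "age":
		return p.AgeBand
	case "song":
		return p.Song
	case "colour":
		return p.Colour
	}
	return ""
}

// quasiID joins the chosen attributes into the bucket key that a targeting
// system effectively uses in place of a GUID.
func quasiID(p Person, attrs []string) string {
	parts := make([]string, len(attrs))
	for i, a := range attrs {
		parts[i] = attr(p, a)
	}
	return strings.Join(parts, "|")
}

// GroupSizes counts how many people share each combination of attrs.
func GroupSizes(people []Person, attrs []string) map[string]int {
	sizes := make(map[string]int)
	for _, p := range people {
		sizes[quasiID(p, attrs)]++
	}
	return sizes
}

// UniquelyIdentified returns how many people are the only member of their
// bucket, i.e. can be targeted individually without any unique identifier.
func UniquelyIdentified(people []Person, attrs []string) int {
	sizes := GroupSizes(people, attrs)
	n := 0
	for _, p := range people {
		if sizes[quasiID(p, attrs)] == 1 {
			n++
		}
	}
	return n
}

// KAnonymity is the size of the smallest bucket: the weakest protection any
// person in the table gets for this attribute set.
func KAnonymity(people []Person, attrs []string) int {
	k := len(people)
	for _, n := range GroupSizes(people, attrs) {
		if n < k {
			k = n
		}
	}
	return k
}

func main() {
	all := []string{"city", "workplace", "age", "song", "colour"}
	for i := 1; i <= len(all); i++ {
		attrs := all[:i]
		fmt.Printf("%-40s k=%d  uniquely identified: %d of %d\n",
			strings.Join(attrs, "+"), KAnonymity(sampleUsers, attrs),
			UniquelyIdentified(sampleUsers, attrs), len(sampleUsers))
	}
}
```

With the constructed table the count of uniquely identified people goes 0, 1, 1, 2, 8 as attributes are added, and k drops from 3 to 1; a real data set has far more rows, but also far more attributes to combine.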


Effective for whom?

The users whose data was disclosed, or the company that made the disclosure?


I discovered that I watch enough YouTube to warrant paying for a premium subscription. I’ve turned off viewing history (after one video, so the homepage renders).

This isn’t a solution for everyone, but it works for me.


I hear you, but in the last year I’ve begun wondering if full public disclosure isn’t a better way to go these days.

The sheer volume of breaches is overwhelming and in my experience (of over 40 years as an ICT professional) many companies sweep their failures under the carpet, hide behind crisis management teams and marketing speak, and ridicule those bringing issues to their attention.

Their disclosure is abysmal if it’s made at all and there are precious few who reveal precisely what data was exfiltrated or how the issue was remediated.

This way anyone can verify the issue and companies cannot hide, everyone sees precisely what’s leaked and can act accordingly.

If you know of a more effective way, I’d love to hear it.


So far the Wayland implementation requires embedded X11 which puts everything in the same environment again.

I’ve not yet discovered how to run separate Wayland screens across the network from a Docker container and I’m also not sure if either Chrome or Firefox actually support native Wayland, from memory they didn’t last time I checked.


I don’t know. When I built this, several years ago, none of that existed.


This is true.

However, I’m running trusted software, not the backyard efforts of someone randomly selected off the internet.

Additionally, the Docker container is running on a dedicated Debian virtual machine with only Docker installed.

What’s of deeper concern is that all instances are running on X11 which means that they all share information via the clipboard for example.



Excluding Chrome, Firefox and Safari means that you are now relying on some random developer to understand security and privacy and as a software developer for over 40 years I can tell you that this is a fool’s errand.

Don’t get me wrong, the big three absolutely have privacy issues, but they can be mitigated in many different ways without compromising on security.

For example, you can force DNS requests to one of your choosing, you can run them in incognito mode, refuse cookies, run them inside user accounts without personal information, etc.

I tend to run individual instances of a browser in incognito mode and am very conscious of which tabs are open in which instance, so websites cannot steal information from other tabs.


What makes you think that new hardware coming from a manufacturer is more secure than second hand hardware?

There are numerous examples of hardware being compromised before it even got into its original packaging, let alone those intercepted during shipment.

In other words, at some point you need to realise that there are no guarantees in life.



I’ve been using Linux for almost 25 years and I’ve never once considered mouse or keyboard incompatibility, and that’s including ADB, PS/2 and DB9 devices, let alone USB.

As far as I know, you can intercept any signal from any such HID device and map it to whatever action you want to achieve at whatever level you need it.

I’m happy to be wrong, but I’d be surprised.


We’ve been using an Apple TV. From memory, there’s a Jellyfin client.


Credit bureaus are not for your protection, they’re for the protection of their clients, the banks.


Excellent.

I think I might be able to create a fail2ban rule for that.


Is the page linked in the site anywhere, or just mentioned in the robots.txt file?


This does not block anything at all.

It’s a 1994 “standard” that requires voluntary compliance and the user-agent is a string set by the operator of the tool used to access your site.

https://en.m.wikipedia.org/wiki/Robots.txt

https://en.m.wikipedia.org/wiki/User-Agent_header

In other words, the bot operator can ignore your robots.txt file and if you check your webserver logs, they can set their user-agent to whatever they like, so you cannot tell if they are ignoring you.
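An added example (mine, not from the thread; the robots.txt and access-log lines are constructed, using RFC 5737 documentation addresses and made-up user-agent strings) that puts this together with the fail2ban idea earlier in the thread: parse the Disallow rules for `User-agent: *`, then scan the web server log for requests to those paths. The user-agent is carried along for display only; the verdict comes from the path and the client address. That is also why a trap path that is listed in robots.txt but never linked from the site is the useful one for a ban rule: the only way to find it is to read robots.txt, so whoever fetches it has read the file and ignored it, whatever their user-agent claims.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleRobots is a constructed robots.txt. /trap/ is never linked from the
// site, so the only way a client learns it exists is by reading this file.
const sampleRobots = `User-agent: *
Disallow: /admin/
Disallow: /trap/

User-agent: SpecialBot
Disallow: /
`

// sampleLog is constructed "combined" format access-log data (RFC 5737
// documentation addresses, made-up user-agent strings).
const sampleLog = `203.0.113.7 - - [10/Mar/2025:10:00:01 +0800] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0800] "GET /trap/secret-page.html HTTP/1.1" 200 300 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.22 - - [10/Mar/2025:10:01:00 +0800] "GET /blog/post-1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
198.51.100.22 - - [10/Mar/2025:10:01:05 +0800] "GET /admin/ HTTP/1.1" 403 120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
192.0.2.9 - - [10/Mar/2025:10:02:00 +0800] "GET /blog/post-2 HTTP/1.1" 200 7000 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"
`

// DisallowedForAll returns the Disallow prefixes in the "User-agent: *"
// group(s). Consecutive User-agent lines share one group of rules.
func DisallowedForAll(robots string) []string {
	var out []string
	inGroup, lastWasUA := false, false
	sc := bufio.NewScanner(strings.NewReader(robots))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		k, v = strings.ToLower(strings.TrimSpace(k)), strings.TrimSpace(v)
		switch k {
		case "user-agent":
			if !lastWasUA {
				inGroup = false
			}
			inGroup = inGroup || v == "*"
			lastWasUA = true
			continue
		case "disallow":
			if inGroup && v != "" {
				out = append(out, v)
			}
		}
		lastWasUA = false
	}
	return out
}

// combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d+) \S+ "[^"]*" "([^"]*)"`)

// Hit is one request to a path that robots.txt asked clients not to fetch.
type Hit struct{ IP, Method, Path, UA string }

// IgnoredRobots returns every logged request whose path falls under a
// disallowed prefix. The UA is recorded for display only: it is whatever
// string the client chose to send and proves nothing either way.
func IgnoredRobots(log string, disallowed []string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := logRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		for _, prefix := range disallowed {
			if strings.HasPrefix(m[3], prefix) {
				hits = append(hits, Hit{IP: m[1], Method: m[2], Path: m[3], UA: m[5]})
				break
			}
		}
	}
	return hits
}

// ByIP counts hits per client address, the one field the client does not
// get to make up and the one a fail2ban rule can act on.
func ByIP(hits []Hit) map[string]int {
	counts := make(map[string]int)
	for _, h := range hits {
		counts[h.IP]++
	}
	return counts
}

func main() {
	rules := DisallowedForAll(sampleRobots)
	fmt.Println("disallowed for everyone:", rules)
	hits := IgnoredRobots(sampleLog, rules)
	for _, h := range hits {
		fmt.Printf("%-14s %s %-25s UA=%q\n", h.IP, h.Method, h.Path, h.UA)
	}
	fmt.Println("per-IP counts:", ByIP(hits))
}
```

In the constructed log the client calling itself Googlebot fetches robots.txt and then the trap page one second later, which is the pattern worth banning; the request to /admin/ comes from an ordinary-looking browser string, and nothing in the log can say whether that was a person or a scraper, which is the point.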


Like the cookie that stores the “Reject All the cookies” response for your next visit 😇


Having seen the inside of some of these trackers, I can assure you that cross-domain “protection” is a furphy. Also, 848 partners is small fries. For shits and giggles you should turn on network logging on Firefox or Chrome and open any modern news website.



So, this cookie alert on theverge.com is both refreshingly honest and depressingly disturbing
A cookie notice that seeks permission to share your details with "848 of our partners" and "actively scan device details for identification".

RFC: Cross Platform Password Manager
How are you storing passwords and 2FA keys that proliferate across every conceivable online service these days? What made you choose that solution and have you considered what would happen in life altering situations like, hardware failure, theft, fire, divorce, death? If you're using an online solution, has it been hacked and how did that impact you?

How much should an organisation reveal about a data breach?
There is a growing trend where organisations are strictly limiting the amount of information that they disclose in relation to a data breach. Linked is an ongoing example of such a drip feed of PR friendly motherhood statements. As an ICT professional with 40 years’ experience, I’m aware that there’s a massive gap between disclosing how something was compromised, versus what data was exfiltrated. For example, the fact that the linked organisation disclosed that their VoIP phone system was affected points to a significant breach, but there is no disclosure in relation to what personal information was affected. For example, that particular organisation also has the global headquarters of a different organisation in their building, and has, at least in the past, had common office bearers. Was any data in that organisation affected?

My question is this: What should be disclosed and what might come as a post mortem after systems have been secured and restored?

How do you trust a U2F key?
U2F keys can be purchased online for the price of a cup of coffee. They're being touted as the next best thing in online security authentication. How do you know that the key that arrives at your doorstep is unique and doesn't produce predictable or known output? There's plenty of opportunities for this to occur with online repositories with source code and build instructions. Price of manufacturing is so low that anyone can make a key for a couple of dollars. Sending out the same key to everyone seems like a viable attack vector for anyone who wants to spend some effort into getting access to places protected by a U2F key. Why, or how, do you trust such a key? The recent XZ experience shows us that the long game is clearly not an issue for some of this activity.
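An added example (mine, not from the post above and not any vendor's code) of the check a relying party actually has available for the question asked: provenance. Every U2F registration response carries an attestation certificate that the manufacturer signed with a root it publishes, plus a signature over the registration data made with that certificate's key. The service verifies the chain against the vendor roots it has chosen to accept and then verifies the signature. The vendors, roots and tokens below are all simulated in-process (assumption: a constructed "Genuine Tokens" vendor whose root the service trusts, and a "Bargain Clones" vendor with its own root); the verification logic is what would run against a real response. Two caveats the code makes explicit: attestation proves who made the key, not that its output is unique, since genuine vendors deliberately share one attestation certificate across large batches for privacy; and the "same key sent to everyone" concern is visible only on the relying-party side, as per-registration user keys that repeat across accounts, which is what SeenBefore checks.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Registration holds the fields of a FIDO U2F registration response:
// 0x05 | userPubKey(65) | khLen | keyHandle | attestation cert (DER) | signature.
type Registration struct {
	UserPubKey, KeyHandle, CertDER, Signature []byte
}

// signedData is what the attestation key signs: 0x00 | appParam | challengeParam | keyHandle | userPubKey.
func signedData(app, chal [32]byte, kh, pub []byte) []byte {
	return bytes.Join([][]byte{{0x00}, app[:], chal[:], kh, pub}, nil)
}

// VerifyAttestation accepts a registration only if the attestation cert chains to a
// root in trusted (vendor roots the relying party accepts) and the signature verifies.
func VerifyAttestation(reg Registration, app, chal [32]byte, trusted *x509.CertPool) error {
	cert, err := x509.ParseCertificate(reg.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("attestation cert not from a trusted vendor: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("attestation key is not ECDSA")
	}
	h := sha256.Sum256(signedData(app, chal, reg.KeyHandle, reg.UserPubKey))
	if !ecdsa.VerifyASN1(pub, h[:], reg.Signature) {
		return fmt.Errorf("attestation signature does not verify")
	}
	return nil
}

// SeenBefore reports whether this user public key already appeared in an earlier
// registration; a genuine token mints a fresh pair every time, a clone with baked-in keys does not.
func SeenBefore(prior []Registration, reg Registration) bool {
	for _, p := range prior {
		if bytes.Equal(p.UserPubKey, reg.UserPubKey) {
			return true
		}
	}
	return false
}

// TrustStore holds the vendor roots the relying party has decided to accept.
func TrustStore(rootDERs ...[]byte) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, der := range rootDERs {
		pool.AddCert(must(x509.ParseCertificate(der)))
	}
	return pool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewVendor simulates a manufacturer (constructed for this demo). It returns the root
// cert the vendor would publish and a function that behaves like one of its tokens,
// all of which carry the same attestation key/cert, answering a registration request.
func NewVendor(name string) (rootDER []byte, register func(app, chal [32]byte) Registration) {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	attKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name + " Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER = must(x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey))
	att := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name + " U2F Attestation"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	attDER := must(x509.CreateCertificate(rand.Reader, att, must(x509.ParseCertificate(rootDER)), &attKey.PublicKey, rootKey))
	return rootDER, func(app, chal [32]byte) Registration {
		userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		pub := elliptic.Marshal(elliptic.P256(), userKey.PublicKey.X, userKey.PublicKey.Y) // 65-byte uncompressed point
		kh := make([]byte, 32)
		must(rand.Read(kh))
		h := sha256.Sum256(signedData(app, chal, kh, pub))
		return Registration{UserPubKey: pub, KeyHandle: kh, CertDER: attDER,
			Signature: must(ecdsa.SignASN1(rand.Reader, attKey, h[:]))}
	}
}

func main() {
	genuineRoot, genuine := NewVendor("Genuine Tokens")
	_, clone := NewVendor("Bargain Clones")
	trusted := TrustStore(genuineRoot) // the relying party accepts only the genuine vendor's root
	app, chal := sha256.Sum256([]byte("https://rp.example")), sha256.Sum256([]byte("challenge"))
	r1, r2 := genuine(app, chal), genuine(app, chal)
	fmt.Println("genuine token:", VerifyAttestation(r1, app, chal, trusted))
	fmt.Println("clone token:  ", VerifyAttestation(clone(app, chal), app, chal, trusted))
	fmt.Println("genuine token reused a user key:", SeenBefore([]Registration{r1}, r2))
}
```

The clone's registration is rejected because its certificate does not chain to a root in the trust store, not because anything about its key material looks wrong; a clone that had copied a genuine vendor's attestation key and certificate would pass this check, which is why the per-registration uniqueness check and the choice of which roots to trust both matter, and why the trust decision ultimately rests on the supply chain behind that root.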