Melody Fwygon

  • 2 Posts
  • 181 Comments
Joined 2 years ago
cake
Cake day: June 1st, 2023

help-circle
  • There’s something you need to know about the “anti-features” flags on F-Droid.

    They’re too “greedy” and widely defined. What you really need to do is examine the app and how the developer might use said “Anti-Feature”. Not all internet access and telemetry is an anti-feature, and neither is reliance on a “third party service” where you can simply configure your app to use your own self-hosted server instance.

    An app having no “Anti-Features” flag on F-Droid is absolutely not an informative indicator that it respects your privacy. Merely, it indicates common privacy foot-guns may not be present.

    Frequently F-Droid also is far too opinionated in it’s application of the anti-feature flags; giving developers no reason or chances to appeal or change the decisions. It does not matter if the anti-feature flag is mis-applied in any specific situation; nor does it matter if the developer shouldn’t be getting an anti-feature label because they have everything open sourced and it’s clear to see there is no anti-feature there.


  • False.

    The ad attribution system was proposed but never implemented due to user outcry.

    Some telemetry has been a part of Firefox for quite some time now; but it has always been privacy respecting and they self-host all of it. In general you can easily turn most, if not all of it off. The telemetry thing has been around since before they even started seriously fast-cadence releases. Some of my memories of this date back to the Firefox 34 days even. None of the telemetry collected is mandatory, and it can be shut off in preferences as well as through advanced config; which is what most forks do if they don’t specifically rip the code out. You should read their source code sometime; it’s quite interesting.

    I will however agree that Brave is way more intrusive than any misstep made by Mozilla in developing Firefox.


  • No.

    Brave is factually bad. It’s a failed attempt at monetization of users seeking some form of privacy in browsing. From the entire crypto integration with BAT tokens to the weird VPN stuff and more; it’s clear that the company who makes the browser is pivoting rapidly and iterating the software to make money from somewhere, somehow.

    Brave does treat it’s users like a product, and the company has made privacy-impacting decisions. They are very clearly a for-profit company with a well known CEO who operates on a for-profit basis only and never on a non-profit basis. You cannot say that Brave is operated on a non-profit basis. The entire concept of the Brave browser itself is to enable monetization methods that users and privacy advocates clearly want to see depreciated.

    Mozilla on the other hand; has only recently begun to take some weird steps. Given that their exclusive contract with Google is likely to be dissolved in courts; they are simply stuck in a financially challenging situation. At no point has Mozilla or Firefox actually done anything actively hostile to privacy or users. While Mozilla does make mistakes; nothing notably wrong that they’ve done has actively been anything but a simple mistake. They have not yet crossed the threshold into malicious profit motive as of yet. Although many privacy enthusiasts are watching Mozilla very closely for any sign of them crossing that line right now.


  • Given the absurd number of sites that require a login for no discernible security reason at all whatsoever; I get it.

    A “Common” password makes sense. This password should never be used to log into or protect anything secure however.

    Similarly a “Common” password might be used to enable login more easily from certain devices; but ideally this “temporary” password should probably be something that is, yet again, different from the first “Common” password you use.

    It boggles my mind that someone like this isn’t at least using a specific passphrase for secure work accounts only.

    While I can personally understand a need for some password reuse across multiple domains; at least there should be some separation of larger “superdomains” such as “work”, “personal” and “throwaway” so that breaches don’t have such a catastrophic impact.

    A system of generating secure, unrelated but memorable phrases (for you) for those times you can’t carry or use a password manager is frequently essential. That way you can recall the password on the fly when it is asked of you; all you need to do is think about the unrelated thing you attached that information to.


  • And this is why Fwyfwy refuse to move away from Windows 10. Fwy refuse to use any version of Windows that truly integrates their AI bullshit…and Fwy actively breaks and blocks installation of it too; during updates via NTFS security, policies and other tactics to otherwise deny or break their store app from installing anything automatically. If I need some shitty UWP packaged app; I will pull it down and manually install it myself using PowerShell kthx.

    Fuck your AI shit Microsoft. If I want AI; I’ll choose the models and run it locally on my own hardware and train it to my needs. If I need a screenshot; I have several app options to do so on command with a single keypress. I don’t need my PC taking timelapse photos of what I’m doing.



  • I don’t personally cut my usage of YouTube content at all; I just simply use necessary tools to prevent the apps and services from over-sharing too much data at a network level. DNS and IP level filtering is done typically to prevent well-known domains and telemetry targets from being utilized and any account preferences are set to minimize consent given. NewPipe and FreeTube are used interchangeably with yp-dlp if needed. No account is necessary…my viewing patterns aren’t being recorded except in a generalized aggregate manner which enforces a reasonable amount of privacy.

    I’m of the opinion that a completely de-googled device lacks critical features I use often; and restoring equal function is oftentimes made difficult. Unfortunately this also covers video content; there’s no real viable FLOSS alternative with enough content. The creators typically do not have a motivation to use PeerTube or other viable FLOSS software that does exist currently and do not publish videos there; which introduces a heavy timelag; even if the creator or even someone else IS willing to export the YT content out to PT.


  • Network is standard double NAT grade B. [ISP <-> Router <-> Firewall <-> Client] with all necessary port forwards in place (TCP/UDP 1025-65535 to Firewall). Firewall is standard pfSense CE; and will forward invisibly and does automatically perform necessary UPnP and port forwarding as detected. STUN may be necessary but does function and establish the route(s) and the ports your application selected would ordinarily be invisibly NAT’ed quickly by the firewall as long as the packets are solicited. ICE Candidates udp <Public IPv4>:65359 srflx udp <Public IPv6>:65363 srflx udp [<Public IPv6 /64 issued by ISP>]:54597 srflx udp [<Public IPv6 /64 issued by ISP>]:58798 srflx Error: No active TCP candidates were found

    To my knowledge your application does not appear to opinion or declare if it uses STUN. (Perhaps it should, there are valid reasons to offer STUN or not offer STUN). The application provides no meaningful errors so I can’t tell what might need adjusted or allowed network-wise.



  • I’m of the opinion that you should probably provide Source Code on a “Source Available” basis to people who ask and have a need to see it to audit or self-compile. The lack of “Open-ness” in your code is disturbing.

    I won’t comment or judge on your decision to refuse to offer this software on a Libre basis. You absolutely have the right to monetize as necessary; especially if this code is speaking to a backend infrastructure that you maintain for it. Even if all you do is aim to break even and pay for those servers.

    The experience is extremely unintuitive. I couldn’t get your app to work at all on my privacy enforcing browser within the confines of my privacy enforcing LAN. (Yes; I do/did enable WebRTC and the other required technologies, however they’re enabled in a privacy respecting manner.) Neither of my devices would show or remain connected once added. There were no popups or information given to me by the app to troubleshoot the issue; and I’m not going to crank open a Dev Console for something that I can’t contribute to anyways. If your software is going to remain closed in source; “It should just work™”.


  • No; it’s not inarguable.

    I do feel that some minor limitations around social media should exist; such as hours of the day you may not be allowed to read or post; but they should be simple age-gates created to privately verify a person’s age via a simple SSO/OAuth style token. If you can’t authenticate against some privacy respecting identity proving entity you probably aren’t old enough and any account(s) you create would be limited.

    Not all social media needs to be age-gated either; but social networks could be forced by law to avoid monetizing your account or habits at all if you don’t willingly identify. (and by doing so; also CONSENT TO THIS MONETIZATION) In short; if you are not verified they’re required to assume you are a child and handle your data as such…with utmost respect to your privacy.


  • S/MIME is insecure, outdated, depreciated, and should be discontinued; yet people don’t want to adapt or grow or change.

    Because some organizations do use S/MIME; all email software is required to implement it, that is if they want to be adopted and used by said influential organizations.

    OpenPGP and PGP in general is secure but suffers from usability issues and is often wrongly painted as user-unfriendly. (it’s really no worse than S/MIME, installing and managing keys is exactly the same hassle as it is with S/MIME.) The main issue is that some people are too lazy or resistant to change to adapt to it.


  • Lack of detailed audits…only in this case specifically…does not imply lack of security and/or privacy.

    The protocol that Signal uses, which is in fact firmly audited with no major problematic findings, plus the fact the client is OSS is generally enough to lower any concerns.

    The server side software in production for Signal.org is not OSS. It will not be. You are required to trust the server to use Signal; because the protocol and the client renders it factually impossible for the server to spy on your messages. The server cannot read messages; or even connect who is messaging who if the correct client settings are used. (Sealed Sender).

    Non-OS stats software in general is not automatically lacking in privacy or security, particularly not in this case where the affected software does interact only with software that is verifiably open-source and trustworthy in general due to the protocols and how they are implemented correctly in a verifiable manner.


  • Melody Fwygon@lemmy.onetoPrivacy@lemmy.ml*Permanently Deleted*
    link
    fedilink
    English
    arrow-up
    24
    ·
    2 months ago

    E2EE is, theoretically, secure. It certainly prevents a government from hoovering up your data when they casually cast too wide of a dragnet while “chasing a criminal”. …At least, when it is implemented honestly and correctly.

    Now if governments wanted to properly backdoor some E2EE implementation; all they really need to do is compromise one end of the conversation. Of course, they want to be able to do it auto-magically; through delivering a court order to a single point; and not through busting down the door, or capturing the user of, one end or another of the conversation and compromising the device.

    The question therein lies; do you as a person want the government to be forced to bust down a door? Some people think they should be forced to break doors and others do not feel that it is necessary. There are many diverse stances on this question; all with unique reasons.

    It’s clear to me that E2EE works properly…the governments would not be trying to “end Encryption” if it did not work. Therefore it stands to reason that E2EE is not compromised, if a government is forced to pass a law in order to compromise the encryption or turn it off entirely. That proves it works.

    I just logically proved Encryption works, without even taking a stance on the matter. For the record however; I do support Encryption. I think this law undermining it is a massive governmental overreach that will quickly lead to that same government finding out how critical Encryption actually is to their people. Just give it time.


  • All that being said; I’m going to be watching carefully.

    I still think they have time to backpedal, make it right, and clarify. I don’t permit my installations to talk to their data collection services anyways; via network policies. I have no problem tightening those screws and forcefully disabling their telemetry in other ways as well.

    If I have to migrate; well; I already have LibreWolf installed. I might try a few other forks next; to see which ones ‘just work’ with the web properly to protect my privacy while still allowing all websites to work properly as intended so long as I give that website appropriate permissions as I see fit.


  • I don’t believe that anyone misunderstood the wording.

    The problem lies within the broad meaning of the chosen words. If you are angry, you have absolutely every right to be.

    Regardless of Mozilla’s intent here they have made a rather large mistake in re-wording their Terms. Rather than engaging with a legal team in problematic regions; they took the lazy way out and used overbroad terms to cover their bottom.

    Frequently when wording like this changes it causes companies to only be bound by weak verbal promises which oftentimes go out the door whenever an executive change takes place, or an executive feels threatened enough.

    Do not be deceived; this is a downgrade of their promise. It is inevitable that the promises will be broken now that there is no fear of a lawsuit. There’s nothing left to bind them to their promises.

    The Mozilla foundation wasn’t ever intended to remain “financially viable”; it was supposed to remain non-profit. They should be “rightsizing” and taking pay cuts instead of slipping a EULA roofie into their terms of use.


  • It is not only true; it is required by the WMF. Wikipedia and Wikimedia will go dark before it compromises those values.

    Wikipedia can always be revived by it’s massive worldwide community; on Tor even. Trump taking down the WMF servers won’t help; the databases probably get backed up daily and would likely end up on torrents within moments of it being taken down.


  • As an editor with advanced rollback rights on Wikipedia; I can agree with the above statement.

    It is Extremely Difficult; even with slighly escalated rollback rights such as mine; to push an agenda on Wikipedia.

    WP:NPOV is a good read and the editing community and contribution culture on Wikipedia enforces it strongly.

    EnWiki itself for certain has some very strong Page Protection policies that prevent just any editor from munging up the encyclopedia or changing history.

    It’s safe to say that Wikimedia cannot be bent or broken easily by special interest groups…Vandalism and PoV pushing is quickly quelled by sysops on Wikipedia. There are more of us editors than Elon could ever possibly hope to take on.

    Not even Elon Musk gets to ignore Wikimedia policies. That will never change. They are written in blood and sweat and cannot be manipulated. The entire foundation is set up in a way that it always, eventually, cracks down on corruption and greed. Not even a cabal of admins, bureaucrats and Wikimedia Stewards can help you.