• 0 Posts
  • 144 Comments
Joined 2Y ago
Cake day: Nov 08, 2023


Okay, so for those of us using third party apps like Thunderbird, everything is done using app-specific passwords, which is great

The new feature for Email App Passwords for external email programmes

But if this is a new feature, how did third party apps work before? Could people just not use them if they enabled 2FA?


You said you were done responding, so at least have the dignity of demonstrating a little bit of honesty where it is most apparent.


It seems

Any “privacy” improvements from random instances are not part of the core code structure

The privacy improvements are from the ActivityPub protocol. The author cites them.

Edit: …and the spammer who keeps copy-pasting the same irrelevant spam from thread to thread is back



The trouble with the thing you quoted twice in a row - unnecessarily padding out your post - is that saying “Mastodon may not be perfect” does not cancel out Pixelfed’s massive security issue.

Two wrongs don’t make a right.

Non-malicious servers aren’t supposed to do what Pixelfed did.


Search that specification for “private.” You’ll find precisely one reference to it…

It might be better to look for what the article mentions: “manuallyApprovesFollowers”, and it is explicit about what to do when that value is set to true. I don’t understand how you’re confused by it.

Mastodon, in general, is regarded as careless with safety.

Regardless, two wrongs don’t make a right, and I found the description of how to properly handle a security issue as discussed in the article to be appropriate. For example, collaborating with administrators of large instances.

The “security issue” is created on Mastodon’s side

Are we reading the same article? I realize this isn’t the first time you implied this, but I thought I must have been mistaken.

From the original post: “Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks.”

Mastodon is behaving. Pixelfed was not. Pixelfed fixed the security issue because it was their issue…


I looked at your comment before reading this article, and you make several bold statements that the article dispels.

A fork of Mastodon created a new abstraction for “private posts”

The author of the article links to the official specification which was made for ActivityPub. This does not appear to simply be “some fork of Mastodon”, but if it is, please provide a citation.

they’re trying to blame Pixelfed for not adopting their homemade standard

See previous comment

It’s fixed in 1.12.5

The article also goes to great lengths about how the security update was handled poorly, with inappropriate communication along the way. It contrasts this with a correct update.


Back when Samsung saw Android as a legitimate threat to their business model, and they made alternate apps to every Google offering, I think they did have a better ecosystem. I think that has waned in recent years, though.

And I say that as someone who loved Samsung phones at least until 2020, when they gave up on the SD card and started giving up on camera quality. I still think they make the best devices out of the box (between screen and camera output, and not overheating) but they’ve been lazy at the top.


Samsung has retired their messaging app. Google Messages is the only option on Android.

(cc @MoonlightFox@lemmy.world)


The decision to cache results is interesting. (When I searched “Mullvad Leta,” this critique of it popped up.) As far as I can tell, though, this is a really promising looking search engine.

Unlike DuckDuckGo and so many other engines, you don’t have to rely on Bing’s results (they usually work for me, but I’ve heard complaints. And getting pointed at the same news aggregators can be annoying.)

Unlike Brave, the results arrive quickly. Presumably, it also won’t hit me with captchas like Brave has in the past.

Unlike Kagi, I don’t have to worry about signing in with an email address and unknowingly funding Brave, Yandex, or whoever they contracted with. (Vladimir Prelovac hid the source data out of what appears to be spite.)

Unlike Google… Do I even need to elaborate? It’s Mullvad. They have a reputation for being the best, not the worst.

Here’s to hoping competitors follow suit.


Here’s the actual privacy policy of an actual Mozilla product. Instead of being dry like privacy policies typically are, this one is practically dripping with malicious compliance.

Your Privacy Rights. In accordance with applicable law, you may have the right to…

Request to Opt-Out of Certain Processing Activities including, as applicable, if we process your personal information for “targeted advertising” (as “targeted advertising” is defined by applicable privacy laws), if we “sell” your personal information (as “sell” is defined by applicable privacy laws), or if we engage in “profiling” in furtherance of certain “decisions that produce legal or similarly significant effects” concerning you (as such terms are defined by applicable privacy laws)

It’s no longer a question of if Mozilla targets you, sells your data, or profiles you. It’s a question of when, and how abusively.

…We “sell” and “share” your personal information to provide you with “cross-context behavioral advertising” about Fakespot’s products and services.

Again, no scare quotes are needed here. They sell your data. I don’t know what “cross-context behavioral advertising” is exactly, but I’m not excited to find out.


We all have different priorities, I guess. You might be okay with aiding American money launderers, but draw the line at anything that might have touched Israel.

(PS: It didn’t. Matrix is several degrees of separation from anything Israeli, let alone any government, so you might want to edit that comment.)


Lol Monero

Potentially helpful extra context that makes me extra suspicious when somebody evangelizes it all the time

Monero users can and have been deanonymized by the police. Monero also acts as a de-facto tumbler, meaning by using it, you’re money laundering for criminals as a matter of course.


Complying with government data requests is NOT the same as collecting information for profit. A company cannot just decide to not comply with the local laws where they sell their products…

This is technically true, but… The privacy oriented person will drift towards products that cannot violate their privacy. Or, if that is not possible, towards products that push back against orders that are unlawful or unethical.

When Andy Yen and Proton Official published their multiple social media comments, this looked dangerously close to signaling fealty to a foreign government, which is not something I am interested in seeing.


Are you genuinely not aware that Andy Yen produced more than just one tweet?

And if that’s true, did you read the entire article that’s linked here?

(ETA: This isn’t a roast. I really want to know how somebody would react if this article was all they saw.)


I read this entire Medium article from start to end, and that point stuck out to me so much that it caused me to pause, make sure I’d seen it correctly, and then restart with a more critical lens.

Between lines like that, and the assumptions like

  • The “three cis-gender women on the board” wouldn’t be put there by a MAGA person because MAGA people would never hire women. This argument is piss-poor on its face. You could use it to say Trump isn’t sexist either.
    (Off topic but: “cis-gender”?)
  • These women are “feminists with liberal values” - no citations, no examples needed apparently.

There are multiple issues with this blog post.

Paints entire issue as “politics”

The post falsely assumes Andy Yen’s politics exclusively matter - they don’t. Andy Yen stupidly posted an opinion online, then stupidly got the official corporate Proton account to stupidly repeat it on multiple platforms.

This is the issue: they demonstrated massive corporate mismanagement.

Then the company tried sweeping it under the rug, and many users are unaware of the corporate statements.

The article never addresses that issue. The author probably wishes Andy Yen’s mistake was just political, because that would be easy to write off. But it’s not.

Trust matters

If the CEO is able to bungle something this badly in full public sight, I lose a tremendous amount of trust in the actual product. And because Proton gets a good chance to read over every single email that comes in from an external source - password reset emails, confidential documents, etc - now I’m worried that they could bungle something that I can’t see… Until it’s too late.

Article misrepresents Slater

If you read this Medium article alone, you might come away with the impression Gail Slater is a champion of small business. After all, it says

Legal experts have described Slater to be “not known as a friend of Big Tech”, and “not good for Google” despite her Republican ties. It is likely that knowing this, Andy was caught by surprise at Trump’s pick…

I was caught by surprise too: this article misses key details about Gail Slater. Several people pointed this out to Andy Yen.

Her Wikipedia page suggests she worked for the FTC before working for a lobbying firm and joining the first Trump administration. Then she worked for Fox and Roku and is now rejoining the Trump administration.

That lobbying group that employed her for four years was the Internet Association.

The Internet Association (IA) was an American lobbying group based in Washington, D.C., which represented companies involved in the Internet. It was founded in 2012 by Michael Beckerman and several companies, including Google, Amazon, eBay, and Facebook

In 2017, the Internet Association opposed California AB 375, a data privacy bill that would require Internet service providers to obtain customers’ permission to collect and sell their browsing history, citing desensitization and security as the basis for their opposition.

Maybe Andy Yen stupidly didn’t know better when he made his post (as “Proton Team”) when he claimed she had “a solid track record of being on the right side of the antitrust issue”.

But this article should have known.

Technical issues

This article also makes a poor technical assumption: if you read it without knowing better, you’d think Proton isn’t capable of scanning and recording the text of mail as it arrives.

Lines like these

Proton is end-to-end encrypted, meaning it cannot decrypt user data.

tell the reader, either ignorantly or intentionally, the opposite of how most email works. Banks, service providers, and password reset emails are all likely to be readable on receipt. E2EE emails in Proton are literally exceptionally rare.

Assorted notes

  • This article is the one the Proton team officially endorses. (Or is that Andy Yen commandeering the account again?)
  • Assuming racism isn’t possible for Asian people is, at best, a naive thing to say as a defense.
  • The article equates women with automatically being feminist; for a paper with so many links, it’s strange that this claim was unsourced

From a tech perspective, it looks promising. In theory, your privacy will be, at very worst, only as bad as the most private actor in a two-hop chain.

In practice, though, Mullvad seems relatively okay with offering a white label version of its services to anybody who asks. And there’s a plus side there, because it means anybody who subscribes to that other service will be part of a larger crowd of Mullvad users in general. And blending in with the crowd is a good way of staying obscured.


Seeing the perspective of somebody who’s not particularly well versed in Android forks is interesting, though.

I found the part around 2:45 to be interesting, where the YouTuber says the thought of the OS getting compromised was scary. This is a sort of privacy paradox where Calyx looks worse than other, less honest, alternatives.

Could a rogue employee compromise Calyx? I guess, but Calyx has the best possible setup to avoid it. And Android itself is basically compromised by default, which should be far more concerning. The biggest reason people aren’t concerned is because Google understands PR, and they know how to spin things in the most positive light possible.


This sounds like a good change! It’s bound to be frustrating to a lot of people, but it’s good to see protecting your passwords on their servers is the number one goal of this company.


I don’t see how enabling federation will fix the problem of not knowing what is running on their servers. You’ve just introduced a new problem: other servers, with their own rules, which may also be peppered with requests for data and gag orders.


This change will impact how you set up Signal on your desktop computer. Previously, after linking your desktop to your phone, you would be presented with basically an empty window.

This change will allow you to, optionally, synchronize your message history from your phone to your desktop, filling it with your previous messages, making it much easier to pick up where you left off with your conversations.

Pictures and videos that were sent will also synchronize, as long as they are from the past month and a half.


fake news drama storm

Uh… No?

Proton’s CEO just hijacked the company account, wrote a bunch of stuff that said “Our team” at the beginning. Then he claimed he had accidentally used the wrong account and accidentally spoken for the entire team.

I could have been 100% on board with everything the CEO said, but then his rapid denial of obvious facts is a huge deal in itself. Proton’s entire existence depends upon being trustworthy, and if somebody’s going to clearly lie, trust gets broken fast.


the Oxen crypto token

Oxen is the company behind Session, for anybody unfamiliar. They were a crypto company that made (well, cloned) a messaging app to promote this token.

And Oxen itself was a clone of Monero.



I think the article made a typo that claims GPC is the same as DNT.

When you enable the feature, the GPC sends a signal… This signal is sent via a special HTTP header called DNT: 1 (Do Not Track)

But the GPC spec does say it sends a new signal: Another header (like DNT) and a JavaScript variable the client would set. I don’t see why this couldn’t be used for tracking too.

A user agent MUST generate a Sec-GPC header

So if it generates a header, it can still be used for fingerprinting, but this header is actually less restrictive for what the receiver must do.

DNT was “do not track,” and GPC is “do not sell”:

GPC is also not intended to limit a first party’s use of personal information within the first-party context (such as a publisher targeting ads to a user on its website based on that user’s previous activity on that same site).
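
A worked example of the two headers discussed in the comment above, added here as an illustration and not code from the commenter, the article, or the GPC specification: it parses DNT and Sec-GPC according to their documented values (Sec-GPC is only meaningful with the exact value "1"; DNT is "1", "0" or absent), applies the draft's first-party scope note quoted above, and measures how much identifying information the (DNT, GPC) pair contributes to a fingerprint against a constructed sample of requests. The population counts are made up; the function names are this example's own.

```python
import math
from collections import Counter
from typing import Iterable, Mapping, Optional, Tuple


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP field names are case-insensitive, so a
    check that only matched the literal string "Sec-GPC" would miss "sec-gpc"."""
    for field, value in headers.items():
        if field.lower() == name.lower():
            return value.strip()
    return None


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True only for Sec-GPC with the exact field value "1", the only value the
    GPC draft defines. Any other value is not a valid signal and is ignored."""
    return _header(headers, "Sec-GPC") == "1"


def dnt_preference(headers: Mapping[str, str]) -> Optional[str]:
    """DNT: "1" = do not track, "0" = consents to tracking, absent = no preference."""
    value = _header(headers, "DNT")
    return value if value in ("0", "1") else None


def selling_allowed(headers: Mapping[str, str], first_party: bool) -> bool:
    """What a site honouring GPC would conclude. The signal restricts selling or
    sharing with third parties; per the draft's scope note it does not limit a
    first party's use of data within its own context."""
    if first_party:
        return True
    return not gpc_opt_out(headers)


def signal_tuple(headers: Mapping[str, str]) -> Tuple[Optional[str], bool]:
    """The (DNT, GPC) pair a fingerprinting script could record per request."""
    return (dnt_preference(headers), gpc_opt_out(headers))


def surprisal_bits(population: Iterable[Mapping[str, str]],
                   request: Mapping[str, str]) -> float:
    """Identifying information leaked by this request's (DNT, GPC) pair, measured
    against a population of other requests: -log2(share of the population with the
    same pair). Rare combinations (an opted-out user among mostly silent ones)
    leak more bits; a pair never seen in the population is maximally identifying."""
    population = list(population)
    counts = Counter(signal_tuple(h) for h in population)
    count = counts[signal_tuple(request)]
    if count == 0:
        return math.inf
    return -math.log2(count / len(population))


# Constructed traffic sample (assumed numbers, not real data): 90 requests with
# no signal, 6 with DNT only, 3 with DNT and GPC, 1 with GPC only.
SAMPLE_POPULATION = (
    [{"User-Agent": "example"}] * 90
    + [{"DNT": "1"}] * 6
    + [{"DNT": "1", "Sec-GPC": "1"}] * 3
    + [{"Sec-GPC": "1"}] * 1
)


if __name__ == "__main__":
    for req in ({}, {"DNT": "1"}, {"sec-gpc": "1"}, {"Sec-GPC": "0"}):
        print(signal_tuple(req),
              "third-party sale allowed:", selling_allowed(req, first_party=False),
              "bits:", round(surprisal_bits(SAMPLE_POPULATION, req), 2))
```

The surprisal figures are the point of the example: in a population where almost nobody sends the header, a request carrying Sec-GPC: 1 alone stands out by about 6.6 bits, which is why an opt-out header is itself a fingerprinting input for a receiver that chooses not to honour it.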


That’s an interesting detail!

I’m not surprised this tagging system is imperfect, but in a broader context – that a company like Google probably has something a hundred times more powerful and more accurate, and it’s scanning through people’s whole photo libraries, really adds to their creepy factor.


Well, was the picture at least taken on a Xiaomi? Or is the AI hallucinating metadata now too


Set up a new email on Gmail or Proton Mail

Two words. They could have removed two words and made the instructions infinitely better.

And this is on the web page where, if you tap on it three times, it instantly exits out and goes to DuckDuckGo. Which is pretty neat.


No argument from me there. I didn’t mean to come across this argumentative, I just wanted to point it out here because of the context of this post (someone looking to move away from Firefox). And because, to me, ad telemetry still is a black box.


Mozilla is adopting a ton of the things that were wrong with Brave. Recently, Brave criticized Mozilla’s PPA data collection for being too centralized, which implies to me that otherwise, there’s a lot of overlap between the two allegedly “private” systems. I don’t trust Brave telemetry, but it seems not even they can come up with many ways to differentiate themselves from Mozilla.

If they’re different somehow, I would love to know how.

In a way other than accrued trust or distrust, that is. At this point, I don’t think Mozilla is owed any inherent trust.


How worried should people be if they are on the latest version of Fennec, which was last updated for 129.0.2 a couple months ago? (For anyone who isn’t keeping track: that’s not ESR (128 is), and it’s two major versions behind Firefox Release).


I wasn’t going to make a generic comment about how cryptocurrency is only worth money to people if they can convince other people to also purchase the cryptocurrency…

… But then I looked at your post history, and it’s like a week of pivoting conversations to be about Monero.

Edit: oh god it was worse than I thought


Basically. Insultingly, it was built alongside, and in some collaborative measure with, Google. (A bunch of companies bigger than Mozilla, and a bunch of ad networks, are all teaming up for the PATCG).


You:

What is transmitted is not user activity.

Mozilla:

When a user interacts with an ad or advertiser, a record of that interaction

User interactions are not user activities to you?


You said

All user activity remains local in the browser

The pertinent information is that you were incorrect. That should be a big enough red flag for you to reevaluate how safe and secure you think PPA is.


When a user interacts with an ad or advertiser, a record of that interaction is… sent to two independently operated services.

https://blog.mozilla.org/netpolicy/2024/08/22/ppa-update/



If a company is unethical, they will ignore the Mozilla standard. If a company is ethical, they don’t need the Mozilla standard, as they can adopt their own tracking-free methods of serving ads.

I have been told repeatedly by Firefox advertisement advocates that PPA only affects people that don’t use ad blockers, so it allegedly only affects people that are already blasted by tracking networks to the fullest extent possible, while people who use ad blockers wouldn’t see the supposedly less invasive ads anyway. So it’s either 100% tracking to 110% tracking, or 0% tracking to 0% tracking. Seems like a lose-lose scenario for both sides of the equation.


Well, I don’t foresee any downsides. Hopefully they can continue making an incredible browser and operating system respectively.