coffeeClean

joined 2 years ago
[–] coffeeClean 2 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks for digging into the problem. So in the end, it looks like you’ve worked it out that the content is getting archived but it’s just not rendering, correct? It used to render. Apparently the Mastodon JavaScript got too fancy and broke the use of archival.

I wondered at first if Mastodon was deliberately archive-hostile. The sensible ways to block archival are host-specific¹, so I guess it’s still unclear.

¹ (for lack of better phrasing… I don’t mean to imply it’s sensible to block archival to begin with)

[–] coffeeClean 0 points 1 year ago* (last edited 1 year ago)

That website you linked clearly doesn’t use it, because it took about 5 seconds to load up despite being entirely text. That’s why it’s a good service.

Selling your soul for a slightly faster load time is your personal preference but arbitrarily trading off inclusion of marginalized groups of people so some people get a faster load time is not in line with the netneutrality principles that the fedi community values. Diversity and inclusion trumps faster load times of some dude in Australia.

Yes, you can in fact access content on the fediverse without Cloudflare if you really want to. You can choose to use a different instance, and it doesn’t matter where that data is hosted.

That’s not true specifically for Lemmy. Images do not get copied. If a LemmyWorld user posts an image in a federated community, everything except the image is accessible on other instances. So those of us in Cloudflare’s excluded groups get broken threads (people talking about an image we cannot see - we just see the discussion because only text is mirrored).

Even if you are in CF’s included group of those permitted access, if you are on a measured rate uplink you would want to see the size of an image before downloading it. That is something else that Cloudflare breaks. There is no content-length HTTP header. So CF also discriminates against those on measured rate connections.

There are also various other circumstances requiring users to visit a thread’s copy on another host. If that other host is Cloudflare, CF’s access restrictions determine whether the user gets access. If bob@fedi-respecting.node needs to revisit an old thread to recall a link, and fedi-respecting.node had to delete the thread in a periodic cleanup to recover disk space, bob might need to access another node directly which hosted the same thread. Yes, I’ve been there. And if that other node is Cloudflared, bob will be blocked if he is in CF’s excluded groups.

Cloudflare’s wall breaks the fedi in so many bizarre ways I should probably start a log of the various circumstances that CF causes enshitification to manifest.

The fediverse is by design not a privacy-forward platform, so concerns about “content they expect to be private” don’t matter.

That’s not true either. Cloudflare gets a view on all traffic, both public and private including access credentials. Users are deceived because of the lack of disclosures about the CF MitM. E.g. users commonly expect a DM to be visible to the admins of both hosts with no idea that Cloudflare also has visibility as well. Most users don’t even know about the existence of CF. Aussie.zone, for example, is not responsible enough to disclose to users that CF has that visibility.

Of course it completely changes the equation when the same single corporation who has visibility on about half of all web traffic in the world also has a view on people’s social media DMs and acct creds, it’s an all-eggs-in-one-basket kind of compromise. That abusive level of visibility increases in the extent of the compromise when all that data can be aggregated. So the centralised nature of just the data exposure alone makes it antithetical to the fedi philosophy from a privacy standpoint, most particularly coupled with the masses being uninformed about it.

It’s still decentralised because each instance is run by its own instance administrators with their own rules and capable of maintaining its own culture.

Certainly not. It’s centralized by Cloudflare’s access controls on all Cloudflared nodes under a single corporate policy. What aussie.zone is doing is very rare. Cloudflared nodes run with CF’s default access controls, which blindly gives CF blanket centralized authority over who gets access. This goes directly against the purpose of federation philosophy.

Even when a node like aussie.zone whitelists Tor, there are still half a dozen other demographics of people who they uniformly and centrally discriminate against and this is strictly under Cloudflare’s control and beyond the control of aussie.zone.

Even if they were all hosted in the same data centre it would not be a large mark against the fediverse

Of course it would. You have something like 5 of the 7 biggest fedi instances dependent on Cloudflare. If there is CF-wide downtime (regardless of whether it’s all on one data center or more realistically broken logic that’s distributed like cloudbleed was), the benefits of decentralization fail to deliver. Lack of network diversity makes a disproportionately large number of people vulnerable to a single point of failure.

[–] coffeeClean 0 points 1 year ago* (last edited 1 year ago) (2 children)

You obviously lack a bit of knowledge about Cloudflare and how it operates. I suggest reading the link you overlooked:

https://thefreeworld.noblogs.org/post/2024/03/18/cloudflare-has-created-the-largest-most-rigidly-exclusive-walled-garden-in-the-world/

I suggest also understanding a bit about Cloudflare as an organisation:

https://git.kescher.at/dCF/deCloudflare/src/branch/master/subfiles/rapsheet.cloudflare.md

Cloudflare is antithetical to every objective of the federation. Most importantly: decentralization. You don’t decentralize a platform by giving central access control and traffic visibility to a single tech giant in the US. It defeats the core purpose.

1
submitted 1 year ago* (last edited 1 year ago) by coffeeClean to c/voip
 

cross-posted from: https://infosec.pub/post/9382315

I have had no problem using VOIP over #protonVPN until recently. Connections happen but there is no audio. Anyone notice this?

I wondered if maybe they decided to make VOIP a non-free feature, but their premium plans do not list VOIP as an extra feature.

4
submitted 1 year ago* (last edited 1 year ago) by coffeeClean to c/cybersecurity
 

cross-posted from: https://infosec.pub/post/9382315

I have had no problem using VOIP over #protonVPN until recently. Connections happen but there is no audio. Anyone notice this?

I wondered if maybe they decided to make VOIP a non-free feature, but their premium plans do not list VOIP as an extra feature.

3
submitted 1 year ago* (last edited 1 year ago) by coffeeClean to c/vpn@derpzilla.net
 

I have had no problem using VOIP over #protonVPN until recently. Connections happen but there is no audio. Anyone notice this?

I wondered if maybe they decided to make VOIP a non-free feature, but their premium plans do not list VOIP as an extra feature.

 

This may be an instance-specific problem because I’ve had no problem editing posts on other instances. When I try to edit the title and body of this post, I click save (or whatever) and without error it behaves as if my change was accepted.

Most instances take a minute or two to re-render the screen to show my updates. If the wait is long, I sometimes do a hard refresh to make sure the change got accepted (and if I don’t do that and I do another update, the old content populates the form and causes the recent edit to be lost).

Anyway, with infosec.pub my edits on the above-mentioned post just take no effect, confirmed by a hard-refresh showing no change.

2
submitted 1 year ago by coffeeClean to c/tor
 

What happens if an app uses UDP instead of TCP (or both UDP and TCP), and you use the torsocks wrapper script? Would the UDP connections all leak without the Tor user knowing?

 

cross-posted from: https://infosec.pub/post/9048075

I simply make a GDPR request. Write to a Tor-hostile data controller making an Article 15 request for a copy of all your data. Also ask for a list of all entities your data is shared with.

The idea is that if a website blocks Tor (or worse, uses Cloudflare to also share all traffic with a privacy offender), then they don’t give a shit about privacy. So you punish them with some busy work and that busy work might lead to interesting discoveries about data abuses.

Of course this only works in the EU and also only works with entities that have collected your personal data non-anonymously. After getting your data it generally makes sense to also file an Article 17 request to erase it and boycott that company.

 

I simply make a GDPR request. Write to a Tor-hostile data controller making an Article 15 request for a copy of all your data. Also ask for a list of all entities your data is shared with.

The idea is that if a website blocks Tor (or worse, uses Cloudflare to also share all traffic with a privacy offender), then they don’t give a shit about privacy. So you punish them with some busy work and that busy work might lead to interesting discoveries about data abuses.

Of course this only works in the EU and also only works with entities that have collected your personal data non-anonymously.

4
submitted 1 year ago* (last edited 1 year ago) by coffeeClean to c/isitdown
 

tested from tor. Also reported down by downinspector.com.

BTW, downinspector.com is the only Cloudflare-free service of its kind, but it’s notable that noscript reports XSS scripting attempts via Google.

(edit) it came back online yesterday.

 

Language is important. The corporate propagandists are winning the language branding battle. In fact there is no battle because the pushover public just accepts their terms. We need to organize and define their garbage with our terms. E.g.

  • (smart → dependent) Homes and appliances dependent on a corporation and contract are perversely called smart. So we should refer to them as “contract-dependent” or simply “dependent”. It’s not a smart dryer or doorbell, it’s a dependent dryer or doorbell. Probably makes no progress to mess with “smartphone”, but anything that has an avoidable and needless dependency needs renaming. (smartphone is debatable.. maybe a degoogled or Postmarket OS phone is a smartphone while a stock Android is a dependent phone, but let’s not get too carried away). Initially it’s not effective to just start saying “dependent washer” because readers won’t understand. Say “‘smart’ (read: dependent) washer”. Credit for this terminology goes to @dannym@lemmy.escapebigtech.info for this post, which gives a bit more detail.

  • (Meta→Facebook) Meta hi-jacks a common English word to benefit a surveillance advertiser. We can’t allow this. IMO Facebook is understood and clear enough, but note that it’s not technically accurate because Meta is a parent company which has Facebook and Threads as subsidiaries IIUC (just like Alphabet owns Google).

  • (Threads→fbThreads™/®?) Since Threads is the original name of Facebook’s forum, there is no unambiguous past name to cling to. We must invent something here. Fuck those egocentric self-centered asshole fucks for hi-jacking a generic common word to describe their service. There are already confusing conversations where it’s unclear from context if someone means FB’s Threads or a generic forum (threads). It’s not just a confusion problem.. when you refer to a thread in the generic sense and it is understood, there is still a subconscious tie to that shitty company.. their brand benefits from conversation that does not even involve their brand.

  • (X→Twitter) This is an easy one. Just keep with the old term.

  • (Cloudflare→CF walled garden) I’ve not encountered a replacement term for Cloudflare that’s not overly hyperbolic. But we can often incorporate “walled garden” and “centralized” to stress the issues. Instead of just saying “it’s a Cloudflare site”, say some variant of “the site is jailed in Cloudflare’s exclusive centralized access-restricted discriminatory walled garden contrary to netneutrality principles of access equality”.

It’s worth noting that hyperbole doesn’t help. E.g. we might want:

  • Meta/Facebook→Fakebook
  • Microsoft Windows→Microsnot Winblows

The problem is these terms are only accepted by fully committed digital rights folks. That’s not the crowd that needs to be swayed. Hyperbole does not catch on with moderates - the masses where it’s most important for rebranding to take hold. Good rebranding doesn’t deviate too much from neutrality.

  • (user→pawn) Exceptionally, I refer to “users” of surveillance capitalists as “pawns”. It’s probably too edgy to catch on, but it is what it is. Users is neutral and understood so it can’t easily be rebranded anyway. I will just say pawns to stress the point: who is using who?

Anyway, this is just the start of a crowd-sourcing effort. Please contribute more rebrandings in this thread as well as improved alternatives to my effort above.

update


Google has hi-jacked the term #Gemini to name its AI chatbot. What was previously a protocol to free people from the madness of documents becoming apps (javascript) and to build a web alternative like gopher without the bullshit -- it has been snuffed out by Google.

 

Suppose you’re fed up with being video surveilled in public and you object to your neighbor placing your home under 24/7 video surveillance which is fed to a surveillance advertiser (#Amazon). Or you want to kill the video surveillance in vending machines.

laser


Is it practical and affordable to buy a laser that can reach across the street and still have enough focus and power to burn a CCD? Can it be done from different angles without the CCD capturing the source before the damage manifests? There is some chatter here on power levels.

Of course it must be precisely controllable as well; obviously no one wants to inadvertently hit an eyeball and blind someone. Which I suppose implies that the laser either needs a well calibrated scope or it needs to be in the visible spectrum so you can see where it lands.

I would really love it if someone would rig up a drone to do this, which could then go down the street and knock out many Amazon Rings.

cyber attack


(Amazon Ring only) A simple cyber attack: if you can find out (social engineer?) the username of the Ring pawn¹, you can deliberately submit wrong passwords until the acct locks. When an Amazon account is suspended, the doorbell no longer functions. Funnily enough. So people with smart homes must constantly obey Amazon’s wishes if they want their home to continue to function. Would love to see that backfire. But it’s unclear if an account locked due to failed passwords goes into the same state of suspension that breaks the doorbell. I just recall a story where someone’s Amazon account was suspended due to some dispute or misunderstanding with Amazon which then broke their doorbell and probably other “smart” (read: dependent) appliances to go out of service.

  1. I don’t say “user” because they are being used by Amazon. That means they are a “pawn”.
0
submitted 1 year ago* (last edited 1 year ago) by coffeeClean to c/cordcutters
 

I bought a Silicondust HD Homerun back before they put their website on Cloudflare. I love the design of having a tuner with a cat5 port, so the tuner can work with laptops and is not dependent on being installed into a PC.

But now that Silicondust is part of Cloudflare, I will no longer buy their products. I do not patronize Cloudflare patrons.

I would love to have a satellite tuner in a separate external box that:

  • tunes into free-to-air content
  • has a cat5 connection
  • is MythTV compatible

Any hardware suggestions other than #Silicondust?

#AskFedi

 

cross-posted from: https://infosec.pub/post/8863199

This post was composed with a link to a Wired article:

https://lemmy.ohaa.xyz/post/1939209

Then in a separate step, the article was edited and an image was uploaded. The URL of the local image unexpectedly replaced the URL of the article. Luckily I noticed the problem before losing track of the article URL.
