Notices by Mike Gerwitz (mikegerwitz)
-
@diggity While this practice is expected (as the article notes, other companies do it as well), most users are definitely not aware of it and I think that many more people would be uncomfortable using these devices if they did learn that this isn't all just being processed by computers. Some of that conversation happened during the Snowden revelations---is it okay if it's just computers "listening" rather than a human being? (Of course, it's never just computers.)
It's also another example of AI capabilities being over-sold to users.
Thanks for sharing!
-
In my 404 logs for my website, I noticed an automated attack attempting to compromise various URLs. My site is static, so no harm done, but one thing I noticed was an injection attempt with a script at z e d . x s s . h t (added spaces to prevent generating links to it).
The header of the script at that URL states: "This is a payload to test for Cross-site Scripting (XSS). It is meant to be used by security professionals and bug bounty hunters. If you believe that this payload has been used to attempt to compromise your service without permission, please contact us using https://xsshunter.com/contact."
Okay, so I attempt to load the URL, via Tor, as all my web traffic is. It redirects me to the Internet Archive for that page, and it's not even archived. I archive it. It then masks the contact email address on the page. I click on it. It directs me to a CloudFlare page saying that I have to enable JavaScript in order to unmask the email address.
So in order to report abuse of this XSS testing service I have to allow non-free CloudFlare malware to run on my computer. Nope.
-
@shamar @adfeno Ironically, the ezine link you posted greets me with:
"It appears that you are using Tor anonymizing software
No Problem! We just need you to enter a Captcha so we can confirm that you are a person and not a bot."
Which is non-functional for me, presumably because I'm not running JS. I just loaded via the Internet Archive.
Some sites use CAPTCHAs even for read-only pages, presumably to try to thwart scraping, DOS attacks, and the like. (I fundamentally disagree with this practice.)
There are many other JS practices that need to change as well, both for security and user freedom. I highlighted what I perceive as many of the major issues a few years ago at LibrePlanet:
https://media.libreplanet.org/u/libreplanet/collection/restore-online-freedom/
In particular, I'm really hoping that someone will take up the issue of code signing and the ability to replace specific scripts with user-defined scripts (the latter may be best implemented in LibreJs considering the level of granularity it offers in script detection).
-
If I could offer some advice to people who use #Markdown to write posts:
Many people use Markdown not just because the formatting is convenient to write, but also because it is itself human-readable. Consequently, it's also used as a plain text alternative to e.g. HTML-rendered text. I read a lot of things in plain text, so I see plain Markdown frequently.
One of the worst things you can do for legibility is to place URLs inline---it obscures the text, especially if there's a lot of them. Instead, use a reference (ideally numeric), of the form "[foo][n]".
Then, rather than placing all URLs at the bottom of the document, place them below the paragraph that references them. Not only does this reduce scrolling, but it also allows easily copying/pasting portions of the text while keeping the references intact, which is especially convenient for quoting.
-
This article is popular right now on HN:
https://pxlnv.com/blog/bullshit-web/
It's something that many of us have been saying for many years. But I've been largely insulated from it: I have blocked all scripts and ads (for privacy and security reasons, but also because most sites serve proprietary JavaScript code) for years. If it weren't for my research (https://mikegerwitz.com/talks), I wouldn't have realized just how bad it has become.
I've also run all my browsing through #Tor for years. And what this article reminds me of (but does not mention; this is unrelated) is how Tor used to be so painfully slow---worse than dialup. It has improved drastically over the years, but by design, it's always going to be slower than directly connecting to a webserver.
But despite that, websites often finish loading for me much faster than those who use the "normal" web over a normal connection, because it's not loading so much shit. That also allows me to stick to <256MiB of data per month on my mobile plan, despite browsing sites linked to on HN and despite the extra packets from Tor itself. (Btw, text.npr.org is great, for those who didn't know of it.)
The very things that got me downvoted into oblivion on HN years ago are now the popular, obvious things. Why do things have to get so _bad_ before most people begin to care?
-
@randomdamage This is why a hardware switch (like the Purism Librem 5) is ideal.
It's possible to measure whether or not a phone is attempting a connection (emitting radio waves), so someone can determine whether the phone is lying to you if you put it in e.g. airplane mode. Manufacturers have incentive to have airplane mode do what it claims to do since there are FAA regulations that customers have to adhere to when on certain flights. Another option is to place your phone in a bag that acts as a Faraday cage; I have one (though I haven't used it in some time).
This doesn't prevent malware, malicious OS's, or targeted attacks from modifying phone software, though. But for your average phone user concerned about privacy with a modest threat model, something like airplane mode may be good enough.
If your threat model is higher, you probably know what more you should be doing.
-
It's difficult to have useful conversations about mobile tracking when people say "your phone / mobile device tracks you". The phone is just a computer.
The networks that you connect to can spy on you---your cellular network, bluetooth, wifi, etc. To help mitigate these threats, you can disable those communications until you are in a safe place that you don't mind others knowing about. This can really only be guaranteed with a hardware switch---iOS now lies to its users when they ask to disable those communications, for example.
The software running on your device spies on you: the operating system itself often spies; the apps you install often spy. This is the fault of the individual _authors_---_they_ are the problem. Consider using free/libre software that empowers you and serves _you_ rather than its creators; it's much harder to hide secrets in free software. On Android, consider using only free software available in F-Droid. We also need fully free mobile operating systems, like Replicant and hopefully Purism's Librem 5 that is still under development.
Call out those that do harm---don't veil and protect them using statements like "your phone tracks you". Talk about the specific issues. Demand change and have the courage to reject them entirely. That involves inconvenience and sacrifice, but if we're strong now, then in the near future, perhaps we won't have to make any sacrifices, much like the fully free GNU/Linux system desktops we have today.
-
Anyone subscribe to Mozilla e-mails? I forget what list. But they provide links that are nothing but a long unique identifier, which I can only assume to be unique per recipient. Further, they mask the actual destination, which is a security risk. I have never followed one of the links in the e-mails, which is unfortunate, given that some of them do sound interesting.
I have replied on a couple of occasions asking them to please stop doing that, but I haven't received an acknowledgement. Indeed, I'm not even sure if it goes anywhere. Maybe others can speak up as well. Or maybe someone seeing this message is or knows a Mozillian to forward this concern to.
-
I give my talk "The Ethics Void" in just over a week at #LibrePlanet2018. For those interested in attending or watching remotely, please consider watching or glancing at the slides for my talk last year, "The Surreptitious Assault on Privacy, Security, and Freedom"; I'll be touching on a number of examples and concepts from that talk, and a better understanding of the issues will help you to appreciate some of the moral consequences:
https://social.mikegerwitz.com/url/17200
But you won't be lost without it.
There's a great list of speakers and sessions; check it out, and please join us!
https://libreplanet.org/2018/
-
Just got word that I'll be speaking again at this year's #LibrePlanet! I was going to attend regardless, but I'm very excited to be able to continue to build off of last year's talk.
The title of this year's talk is The Ethics Void. Here's a rough abstract:
Medicine, legal, finance, journalism, scientific research—each of these fields and many others have widely adopted codes of ethics governing the lives of their professionals. Some of these codes may even be enshrined in law. And this is for good reason: these are fields that have enormous consequences.
Software and technology pervade not only through these fields, but through virtually every aspect of our lives. Yet, when compared to other fields, our community leaders and educators have produced an ethics void. Last year, I introduced numerous topics concerning #privacy, #security, and #freedom that raise serious ethical concerns. Join me this year as we consider some of those examples and others in an attempt to derive a code of ethics that compares to each of these other fields, and to consider how leaders and educators should approach ethics within education and guidance.
My previous talks can be found here:
https://mikegerwitz.com/talks
---
For this talk, I want to solicit the community at various points. I know what _I_ want to talk about, but what are some of the most important ethical issues to _you_? Unfortunately there's far too much to fit into a 40m talk! Also feel free to e-mail me at mtg@gnu.org.
-
Yesterday I had a long-awaited meeting with two lawyers and the CIO from my new employer (who purchased my previous one back in April) regarding our releasing of certain software under the GPLv3+. This follows a previous, fairly deep discussion a number of weeks ago with one of the lawyers. Despite their unfamiliarity with software and copyright (we are not a software company), the CIO and lawyers approved our current arrangement. We will continue to release free software under the GPLv3+, and one of the lawyers will work with me on starting to formalize a procedure for doing so with projects going forward.
I'm relieved, because had this gone in the other direction, it would have been a nail in the coffin for me---this issue is deeply important to me, which I made clear. I structured a lot of my personal time and research around these projects knowing they would be free/libre, and they would not otherwise exist.
And it's a nice demonstration of the benefits of corporate use of the GPL as copyright holders. In this case, Copyleft made my job pretty easy: competition wouldn't be able to make use of our projects without releasing code, which made the legal department much more comfortable.
-
The @FSF's call for sessions for #LibrePlanet2018 continues until Wednesday, November 9th. LibrePlanet is one of the only places where I feel like I legitimately fit in with the group---where I'm with others with whom I identify on the most fundamental level. That's the reason I chose LP to try out public speaking for the first time two years ago---something I had wanted to do for years, but could never bring myself to do.
If you are passionate about free software, or maybe even just have a valuable perspective to share, LibrePlanet is looking for everyone from hackers to organizers, teachers to librarians. One of the most lasting impressions I received at last year's conference was with someone who wasn't even fully familiar with free software---he just came to check it out and see what others had to say. Everyone has something interesting to say, and everyone can leave a lasting impression.
So if you've been looking to maybe share your experience with others, consider submitting a proposal! Let's make this year's LibrePlanet even better than last. More information is here:
https://my.fsf.org/lp-call-for-sessions
If you're looking to see what others have done in past years, media from last year's conference can be found here:
https://media.libreplanet.org/u/libreplanet/tag/libreplanet-2017-video/
See everyone at LP2018. :)
-
@fsf The phrase "Free as in Freedom" is more meaningful today than ever before. We often talk of users being "robbed" of their freedoms by non-free software, but many users aren't provided the opportunity to have something to be robbed of to begin with. Nearly everything users do is controlled and surveilled by corporations and governments as a feature, by default. Non-free software exposes and exfiltrates the most intimate aspects of our lives---it explores our thoughts, sits in our living rooms, and understands us better than we understand ourselves. Children are exposed to and taught to love and accept this software and these devices before they can even crawl.
I've never felt more liberated by #freesoftware. But I've also never felt more concerned and sympathetic for users who are caught up in all of this. Most users don't even know that there are things to be concerned _of_, let alone where to even begin, despite the best intentions and predictions of many within our community.
And I've also never felt more compelled to do something about it.
-
#GitHub is a plague. You can't fork without non-free JS. You can't send pull requests without non-free JS. And now I find you also can't attach files without non-free JS to comments.
I made a fix to a Minetest mod for my son so it'd stop crashing the server, and I have no more time to devote to getting around this bs. I wanted to send a ~3-line patch. I ended up opening an issue and putting the diff in the body of the comment.
People advocate GitHub to make collaboration easier. Well, I just spent orders of magnitude longer trying to send the person a patch than I did debugging and fixing the issue in the mod.
-
A reminder that this latest ransomware attack (#Petya) is made possible by #NSA-developed exploits #ETERNALBLUE and #ETERNALROMANCE (the former used in #WannaCry)---exploits that the government decided to hoard as 0days instead of notifying Microsoft to fix the issues. Instead of helping to protect the United States and its allies, it has made us far less safe. Petya and WannaCry are products of its negligence.
This issue goes back to the #VEP (the Vulnerabilities Equities Process)---the supposed process that is used by the government to determine whether to disclose or weaponize exploits. If WannaCry didn't spur enough discussion, let's hope this does.
https://social.mikegerwitz.com/url/7904