Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you'll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cut'n'paste it into its own post — there's no quota for posting and the bar really isn't that high.

The post-Xitter web has spawned soo many "esoteric" right wing freaks, but there's no appropriate sneer-space for them. I'm talking redscare-ish, reality challenged "culture critics" who write about everything but understand nothing. I'm talking about reply-guys who make the same 6 tweets about the same 3 subjects. They're inescapable at this point, yet I don't see them mocked (as much as they should be).

Like, there was one dude a while back who insisted that women couldn't be surgeons because they didn't believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can't escape them, I would love to sneer at them.

(Semi-obligatory thanks to @dgerard for starting this, and happy new year in advance.)

  • Sailor Sega Saturn@awful.systems · 8 points · 3 days ago (edited)

    The Google post appears to be Updating our platform policies to reflect innovations in the ads ecosystem.

    I have no idea what the heck those words mean (it appears to be some bizarro form of English), so I diffed the policy itself. Here are the parts I found notable.

    This will be removed:

    You must not use device fingerprints or locally shared objects (e.g., Flash cookies, Browser Helper Objects, HTML5 local storage) other than HTTP cookies, or user-resettable mobile device identifiers designed for use in advertising, in connection with Google's platform products. This does not limit the use of IP address for the detection of fraud.

    This will be removed:

    You must not pass any information to Google […] that permanently identifies a particular device (such as a mobile phone's unique device identifier if such an identifier cannot be reset).

    This will be added:

    You must disclose clearly any data collection, sharing and usage that takes place in connection with your use of Google products, including information about the technologies used, such as your use of cookies, web beacons, IP addresses, or other identifiers. This applies for data collection, sharing and usage on any platform, surface or property (e.g., web, app, Connected TV, gaming console or email publication).

    • V0ldek@awful.systems · 5 points · 2 days ago (edited)

      I remember during my very very first job a security guy explaining to me why I can't record work emails of people borrowing stuff from the company's internal library because GDPR. In a company of like 100 people. I guess Google is too big to care.

      It's the same feeling as when it's reported some guy was able to defraud literal millions from public funds while I had to separately report and bring a receipt for the $5 I spent on a city bus while out on a business trip because it was funded from a public grant or I'd get fired and sued, in that order.

      • froztbyte@awful.systems · 5 points · 2 days ago

        from the company's internal library because GDPR

        I'm not a gdpr person (nor even european) but this sounds like bullshit - was it?

        • V0ldek@awful.systems · 9 points · 2 days ago

          I simplified, but:

          The problem is that if someone leaves the company you should delete all of their PII you don't need for compliance reasons. The emails were firstname.lastname@company.com, as is usual, so it was PII. So if someone borrowed something from the library and that record stayed in the database, when their company profile got deactivated we would've had to have a flow that deleted that row or at least anonymised it. Needless to say, this was a minor side project with a time budget of one month, so we just ended up not storing any PII in the first place instead of bothering with archiving and removal.

    • froztbyte@awful.systems · 6 points · 3 days ago

      you just gotta love how vacuously pointless the wording is

      You must disclose

      google-rfc "must": "we want something we can bend you over a barrel with if you're caught out by one, but that's all we'll bother committing because otherwise it eats into our lovely extortion profits"

      • Sailor Sega Saturn@awful.systems · 7 points · 3 days ago (edited)

        Also I'm having a fun time imagining an accurate device fingerprinting disclosure from someone who was really really thorough.

        Not-A-Cookie-I-Swear Technologies LTD may collect the following information:

        Don't worry, none of it is a cookie :D
        • Your User-Agent
        • Your browser's language / locale
        • The state of the service-worker associated with Not-A-Cookie-I-Swear Technologies LTD's website
        • Whether your "mouse" movements look more like a mouse, trackpoint, gamepad, joystick or touchscreen according to our heuristics
        • The current JavaScript time
        • Whether your browser prefers dark mode or not
        • Whether your browser reports itself as screen or print media
        • The device size, device pixel ratio, frame size, and frame position reported by your browser
        • Your browser's HTTP request headers
        • The success or failure of fetching a URL included in the Easylist ad-block list
        • Whether or not an element associated with the Easylist element hiding list was hidden or not
        • Your IP address
        • The result of tracerouting your IP address from one of our servers
        • Browser Local and/or Session Storage
        • The state of the WebSQL and/or IndexedDB database for our website
        • The state of the OPFS filesystem store associated with our website
        • Whether or not there was an HTTP cache hit for our website
        • Whether or not there was a DNS entry cached for our website
        • A hash of the pixels in a WebGL and/or WebGPU scene
        • The browser's default styling
        • The browser's minimum font size
        • The browser's default font family
        • The font file chosen for a variety of character (or ligature) and font-family combinations
        • A hash of the pixels of a canvas with a variety of font families and shapes written into it
        • A report on the presence or absence of various browser CVEs in your browser
        • Information about any other open tabs that happen to include technologies from Not-A-Cookie-I-Swear Technologies LTD
        • What video, audio, and/or image codecs are supported by your browser
        • Whether or not your browser enables video auto play (and whether or not it's muted by default)
        • Whether your browser supports MathGL or not
        • Whether your browser recognizes any origin trials that Not-A-Cookie-I-Swear Technologies LTD happens to have opted into at any given time
        • The behavior of your browser against various web standards edge cases or the presence or absence of features in draft web standards (e.g. Web Platform Tests or Can-I-Use tests)
        • Whether or not your browser supports Widevine video DRM
        • Various browser performance characteristics
        • All key press events
        • Various form auto-fill data (if triggered)
        • Any mouse down, mouse move, or mouse up events
        • A rough geolocation calculated by examining the relative latency of fetches to a number of geographically distributed web servers
        • The presence or absence of various browser plugins developed by, purchased by, or affiliated with Not-A-Cookie-I-Swear Technologies LTD (and any data therein as agreed to by the extension permissions dialog – up to and including microphone, webcam, or full page DOM)

        Some stuff in this list is me being silly, but overall it shows that the talk about "privacy-enhancing technologies" is premature on the web platform. The web has been trying to have better privacy defaults over time; but there's a long legacy of features from before this was considered as much, as well as Google tossing around their weight in the web standards and browser space.

        • skillissuer@discuss.tchncs.de · 6 points · 3 days ago

          now i wonder how much of that is blocked by firefox enhanced tracking protection. not all, of course, and it's probably much more than needed for a unique identifier. there's a mozilla security blog post on this topic that says some anti-fingerprinting measures were built in all the way back in 2020 (firefox 72)

          • Sailor Sega Saturn@awful.systems · 9 points · 3 days ago (edited)

            Above I listed a bunch of things which would help narrow down browser version, but that's hopeless anyway – an adversary will probably be able to figure out your rough browser version even if you fake the UA string, and that you're running in anti-fingerprinting mode.

            So assuming thatā€™s out of scope I think these are probably the big categories:

            • Normalize any system information presented to webpage (e.g. remove minor version from UA header, remove OS from UA header, etc)
            • Canvas, WebGL, and WebGPU need to be implemented in software in a deterministic way. Similarly any compositing (including stuff like font shaping, SVG rendering, page layout) must be done in software (prevent GPU fingerprinting)
            • A fixed font set must be used rather than using the system font set (prevent fingerprinting font enthusiasts)
            • The device size / frame size (and position) must be lied about (e.g. rounded to a common resolution or a multiple of 100px), and layout adjusted appropriately (Mozilla calls this "Letterboxing") (prevent fingerprinting psychos who don't run their browser in fullscreen mode).
            • Page storage should be disabled or cleared (local / session storage, cookies, service workers, indexeddb, etc) (A cookie by any other name would taste as sweet)
            • Caching is a big problem, probably have to disable it entirely (including HTTP caching, HTTP caching at the ISP level*, DNS lookups, favicons, JavaScript compilation cache) (Pesky pesky global state).
            • Performance metrics are another big problem. Disabling JavaScript would go a long way here but you probably can't prevent them entirely unless you're prepared to go to unhealthy extremes** (this is like the past 10 years of cutting edge security research so we're doomed)
            • Disable any plugins or other customizations which may provide a fingerprint accessible to the webpage (oops it turned out the FBI caught me because I configured my browser to inject pictures of cute bunnies into every webpage).
            • And of course IP address, which you presumably want to do something about (proxy?)

            That said while I've worked with browsers, I'm not in the biz of fingerprinting or anti-fingerprinting, so there's surely stuff I haven't thought of.

            * Actually we should probably just disable non-HTTPS entirely…

            ** Running under a VM is probably the minimum required to mitigate the chances of cutting-edge side-channel timing attacks from James Bond level adversaries, but at that point maybe you just want a dedicated browsing computer heh. I did chuckle at the idea of someone trying to apply cryptographic constant-time algorithm techniques to writing a browser though.
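Two of the mitigations in the list above (normalizing the UA header and letterboxing the reported size), as an added example that is not from the thread or from any browser's code: it applies both to a small constructed set of sessions and counts how many distinct values survive, since that count is what limits how well a fingerprinter can single out one browser. The 100px step, the UA regex and the sample UA strings are my assumptions, not anything the post specifies.

```javascript
// Added example, not from the thread: the "normalize system information"
// and "lie about device/frame size" mitigations from the list above, plus
// a count of how many distinct values survive, since that is what limits
// how well a fingerprinter can single out one browser.

// Letterboxing: report a dimension rounded down to a multiple of `step`
// (the post suggests multiples of 100px). Tiny windows still report `step`,
// never 0, so the rounded value stays plausible.
function letterbox(px, step = 100) {
  return Math.max(step, Math.floor(px / step) * step);
}

// UA normalization: keep only browser family and major version, dropping
// the OS token and minor/patch versions. Assumes Firefox- or Chrome-style
// UA strings; anything else collapses into a single "Other/0" bucket.
function normalizeUA(ua) {
  const m = /(Firefox|Chrome)\/(\d+)/.exec(ua);
  return m ? `${m[1]}/${m[2]}` : 'Other/0';
}

// One fingerprint component (size + UA) as a string, raw or normalized.
function sizeUaKey(s, normalize) {
  if (!normalize) return `${s.width}x${s.height}|${s.ua}`;
  return `${letterbox(s.width)}x${letterbox(s.height)}|${normalizeUA(s.ua)}`;
}

// Number of distinct keys across a population: the closer it gets to the
// population size, the closer these signals are to a unique identifier.
function distinctKeys(sessions, normalize) {
  return new Set(sessions.map((s) => sizeUaKey(s, normalize))).size;
}

// Constructed sample population (made up for this example).
const SESSIONS = [
  { width: 1366, height: 768, ua: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0' },
  { width: 1357, height: 741, ua: 'Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0' },
  { width: 1920, height: 1080, ua: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.110 Safari/537.36' },
  { width: 1903, height: 1013, ua: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36' },
  { width: 1366, height: 768, ua: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw distinct:', distinctKeys(SESSIONS, false)); // 5
  console.log('normalized distinct:', distinctKeys(SESSIONS, true)); // 3
}
```

Five raw sessions are all distinguishable; after normalization only three buckets remain, two of which are shared by two sessions each.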