People that don’t actually know this or just accept it. Look at how many people use Ring cameras and you can tell them that Amazon will hand the video footage to law enforcement, and they will say “oh yeah I have nothing to hide” or “Oh yeah but the camera is cheap”.
No one is reporting this, Ford certainly isn’t putting it in their press material, and no one gets a copy of the manual to review before purchasing a vehicle.
Right but this is not an issue that’s in the public consciousness yet. No one thinks to read the manual or go to the website and check on how their privacy is going to be invaded by a fuckin car.
Also all these things he talks about you can just turn off lol.
Don’t want the car to send data? Turn it off…
Don’t want the speed limiter to be on? Turn it off…
Edit: lol why am I being downvoted? I’m right. Both are in car settings you can just turn off. Connectivity and speed limiter + traffic sign recognition.
Can you point to evidence that you can disable the speed limiter? I couldn’t find anything except in a Mustang forum that said the only way was through a hardware tuner.
I have the GT parked in my garage. The options to turn off the sign recognition and change the cruise control limiter are under vehicle settings in my sync menu.
Have you actually verified whether you can turn this connectivity off? I know on other new cars it’s embedded in the electronics with no on/off button.
Yeah, it’s a setting in the car infotainment system under connectivity.
You have like 4 options. One for each of the data types (so you can turn off cellular data but leave on GPS), and one to turn it all off. When it’s all off there is no data being sent to or from the car at all.
Love how lemmy just downvotes cause they don’t like that answer.
On my TCL TV, it’s impossible to disconnect the wifi after you connect it. The button just doesn’t exist. I had to make a new network, connect to that, and shut down the new network.
I do not understand the downvotes. I mentioned desolder in case some TVs have wiring that cannot be detached easily. People seem to have taken me to be a paranoid agent of sorts (my working assumption) just because of one word. Is this really the privacy community, or a place to discourage people from taking privacy into their own hands by (sometimes) doing the slightly difficult-to-do work?
It sounds overcomplicated, is there really a need for the blockchain aspect? Could the same security be provided by a simpler method (like how keybase has their identity proofs?) but better to have it and not need it than need it and not have it ig
How many people have verified how many people’s identity with PGP signatures? Also I’m willing to bet a horribly shocking amount of people would just accept a new key from someone (not necessarily sign it) and trust them regardless.
Yeah these issues are definitely not new, but replacing “I trust the people who sign/verify my keys” versus “I trust the blockchain” is not too far off. What rules are going to be in place for peers to validate entries to the blockchain and independently reach enough consensus to achieve true decentralization?
Blockchains are an immutable ledger, meaning any data initially entered onto them can’t be altered. Yen realized that putting users’ public keys on a blockchain would create a record ensuring those keys actually belonged to them – and would be cross-referenced whenever other users send emails. “In order for the verification to be trusted, it needs to be public, and it needs to be unchanging,” Yen said.
The benefit of doing this with a blockchain instead of a privately held and maintained database is that the latter can be compromised, and you just have to trust "whoever" is maintaining that private database. Blockchain means that the ledger is distributed to many nodes, and any post-entry modification to that chain would be instantly recognized, and marked invalid by the other nodes operating the chain. Besides that, when you're looking up a public key for a recipient on such a blockchain, you would be looking it up at a number of nodes large enough that in order for a malicious entry to come through, they would all have to be modified in the same way, at the same time, and you would have to be asking before the change got flagged. Poisoning blockchain data like this is simply not possible; that's what makes this an especially secure option.
As long as there is an appropriate method for adding a legitimate entry to the chain, incorrectly entered data can be handled by appending corrected data on to the chain, and marking the error as such. Sensitive data, in this case, would be along the lines of "I accidentally added my private key instead of my public key." The action necessary here is the same as if I published my private key anywhere: stop using that key pair and generate a new one.
Proton rolled out the beta version of Key Transparency on their own private blockchain, meaning it's not run by a decentralized series of validators, as with Bitcoin or Ethereum. Yen said Proton might move the feature to a public blockchain after the current version serves as a proof of concept.
Because the Proton blockchain is currently private, the keys they are currently adding could easily be affected by a man in the middle attack.
No. That's not how that works. Just because a blockchain is "private" doesn't make it suddenly changeable, and it doesn't mean there's an unsafely small number of nodes. People commonly get invited to participate in beta testing; that's kind of how software development works.
And there would be no way to invalidate those keys for any of the affected users, ...
Remember when I said:
As long as there is an appropriate method for adding a legitimate entry to the chain, incorrectly entered data can be handled by appending corrected data on to the chain, and marking the error as such.
Yeah, and that's called a fork. The chain doesn't vanish; a new chain is created, forking off of the old one. That's why we have both Ethereum and Ethereum Classic.
Oh wait, you're talking about a 51% attack. Read the whole article that you linked. It is amazingly difficult to perform, and as the number of nodes goes up, it becomes even more difficult.
Has anyone successfully performed a 51% Attack on Bitcoin?
Nope, not yet.
Some miners have come close to reaching 50% or more of the total mining power over Bitcoin’s history, but nobody has actually performed a successful 51% Attack.
If Big Daddy Bitcoin hasn't suffered a 51% attack, I find the risk of that happening vanishingly low.
There have been three. BTG, ETC and VTC. All three of those are Proof of Work. PoW is going by the wayside, I'm hopeful that Proton would be using Proof of Stake, which is a much more difficult model to 51% against. (You would need to possess 51% of the tokens.) Even if someone managed to do it, it would still be noticed pretty much immediately, and then you'd fork to a new chain and move on.
A fork assumes the old chain continues to exist instead of being completely replaced. Without insight into the chain, which we can’t have until it’s public, you can’t make any guarantees of immutability.
Put differently, I’ve got a revolutionary new financial encryption system. It can safely act as the middleware between you and any vendor. You can trust me with your credit card numbers because of my years of experience and industry clout. You can’t see my system and I won’t do a PCI audit because it’s in beta. You can totally trust me though.
You do realize that when it's out of beta, they could easily drop the beta chain and start a brand new one, right? And that the methodology for someone adding their public key as well as the blockchain node application (wallet) would be open source, so that anyone can look at the code? And that Proton isn't adding your public key to the chain, you are? And that being a beta blockchain kind of necessarily depends on having many nodes, in order to test scalability?
You're out of your depth here, and I'm not going to bother explaining any further.
But it’s not public. It’s a private blockchain. The immutable ledger aspect only matters if everyone can see the ledger. Otherwise we take at face value all of the things you said. Assume they run one node and that one node is compromised by a malicious actor. The system fails. Extend it to a limited number of nodes all controlled by SREs and assume an SRE is compromised (this kind of spearphishing is very common). The system fails again.
Sure, you can creatively figure out a way to manage the risks I’ve mentioned and others I haven’t thought of. The core issue, that it’s not public, still remains. If I’m supposed to trust Proton telling me the person I’m emailing is not the NSA pretending to be that person (as the Proton CEO suggested), I need to trust their verification system.
It's. In. Beta. Of course it's not being offered to the general public yet. It's likely that there are very many beta nodes, in order to test scalability. When it's out of beta, you drop the beta chain and start a new one.
Yen said Proton might move the feature to a public blockchain
I’m not interested until it’s public. Additionally, building out the chain then dropping it to rebuild a new public one is rewriting history, which violates the whole “immutable” part of “immutable ledger.”
Untestable security claims for sensitive information are useless. I’m a huge fan of Proton and I’m excited to test this but only once the blockchain is public. Until then there is no way to verify the trust so there is no trust.
If you disagree, I might have something for you. I’ve got the strongest financial encryption known to man on top of the best transit system ever that makes it super easy to do stuff. It’s all based on blockchain, of course. Just give me your credit card info and bank details. It’s in beta so I won’t let you audit it, but unless you’re shilling you don’t have a problem with that.
Yeah I guess I missed the part where security fundamentals weren’t supposed to be a part of a secure product. Do you mind explaining how a product centered on trust can be developed without trust? I think that would really help me understand why you think repeating the word “beta” allows a security-focused company to sidestep normal foundational components.
I don’t think we read the same article. We’re talking about a product whose goal is secure verification of identity, correct? Something all about security?
Proton rolled out the beta version of Key Transparency on their own private blockchain, meaning it's not run by a decentralized series of validators, as with Bitcoin or Ethereum. Yen said Proton might move the feature to a public blockchain after the current version serves as a proof of concept.
It's not rewriting history. We're talking about validation of public keys. The exact same information can be added to a public non-beta chain, to satisfy the concerns about security that would come from maintaining a previously private beta chain into production.
… which gives a timing attack and the ability for bad actors to impersonate someone. I agree with you that, once public, this is a good idea. You cannot convince me that this is a good idea if done privately because there is no way to trust but verify, especially in the highly sensitive contexts they want trust in.
If it’s not public, I won’t trust it. You trust it blindly because it’s in beta. We’re not going to come to an agreement over these mutually exclusive positions.
I don't "trust it blindly" because it's in beta - I understand that it's a work in progress because it's in beta. Jesus christ you people and your fucking tinfoil hats.
Your only response to valid criticism about the lack of verification is pointing to the state of development as if that magically washes away all of the criticism. It doesn’t.
While I do have many tinfoil hats, basic fucking trust measures do not require me to pull them out. This is cryptography 101 shit not anything complicated.
You don’t understand basic trust relationships. I don’t really care about your opinion. I already called out that your blind trust in beta software conflicts with my security fundamentals so we’re at an impasse. Once you understand why validation is important or can show why a critical component of trust architecture is somehow not necessary, I’d be happy to reconsider your opinion.
Keep living in your weird fantasy world where applications and solutions should pop into existence fully formed, feature-rich, and bug-free, with no development or testing whatsoever.
It doesn’t matter what the tech is, if you can’t audit it, you can’t trust it.
Also a single private blockchain owner is just a blackbox data store, not a blockchain. I’ve already explained how it’s vulnerable to very simple attacks, much less the complicated attacks that will be thrown at something like this.
Just tried this out using a typical temporary email address (temp-mail.org) and a VPN (AirVPN).
I was only asked to confirm my e-mail address within 3 days, never for a phone address or any banking details.
Judging by the first post you’ve linked to, it’s only necessary for paid accounts or free trials.
The person in the second post is trying to register via GitHub / Google, well… sucks for them.
I’ve tried a few times in the past 2 weeks. Using a good email account and also with GitHub, no luck though. Maybe it’s doing some “smart” heuristics to trigger it.
I just retried now, using that temp mail (but no vpn) and got the exact same phone verification. Maybe my IP address is evil :D
My thoughts exactly. Next is: "OMG did you know there's the all seeing eye on the dollar notes! That means you're being spied on wherever there is cash!!!!"
Stuff like this just makes me wanna roll my eyes.
Only if you’re younger and lump every form of communication as “social media”. The rest of the people that have been around know what a message board/forum is.
I looked over their LinkedIn profiles, COO and CEO seem to know each other from their time in college. Both are newcomers; looks like a nice startup. Their advisor is a professor from their school, Norbert Pohlmann, who is also chairman of TeleTrusT. Seems pretty legit from my perspective.
In any case it gives the EU user the right to use all measures at their disposal to block this crap, to give the middle finger to YT. The use of ad- and trackerblocker are a right and even recommended by security experts and official institutions. Fuck surveillance tech by big companies.
I understand that pages use ads to finance themselves, but this is one thing and quite another to abuse ads, as YT does, in addition from unverified origins, to destroy videos and concerts with 3-4 ads in the middle and even with advertorials of up to 10 minutes, annoying with popups to use premium, having thumbnails with clickbaits that also require an extension to avoid them and also for this shit of interrupting playlists after a certain time, yes or yes, this serves no one, not even the user and nor from the authors of the videos. All of this practically forces the user to put in place countermeasures to block all this shit, or to use some frontend or similar, if they want to see something from their subscriptions properly.
It is not because YT needs money, on the contrary, in recent years it has had more income than ever in its history, it is simply abusing its position in the market, practically as a monopoly and the greed of the shareholders. No other thing. Before it was not so pronounced and you could even use YT without an adblocker, having a banner in the header of the page or an ad at the beginning of a few videos or a promotional video in the list of recommendations, but this has changed drastically.
In any case, I think that if this continues, they are going to shoot themselves in the knee (Cobra effect), getting more and more users to use countermeasures and content creators moving to other platforms (like on Twitter with Musk going overboard)
Vivaldi Ad- and Trackerblocker statistics from last week of October, showing ads and trackers blocked since then.
Your computer, your IP address, your message to a destination gets encrypted in a couple layers and passed on.
Your ISP knows exactly who you are and that you’re reaching out to server 1. They can’t see your data but to them, you’re using a VPN probably.
The first server also necessarily knows who you are, unpacks one layer of your request and sends it on to a second server (in Invisiv’s case, Fastly; in Apple’s, Cloudflare).
The second server now knows that data was requested from the first server, and it can see the name of the domain you’re requesting (YouTube, for example) but because the request came from the first server, it theoretically won’t know it’s you making that request.
The data moves on from the second server to the destination, with the destination only knowing it’s receiving data from the second server, and not knowing about the first server.
The obvious issues here:
Do you trust the people providing the multi-hop VPN-like service?
Do you trust the two servers, which have necessarily entered into an agreement of some sort, to not collaborate regarding transmitting data?
How easy is it to audit the code we can see?
What else is going on with your data?
In the case of Apple/Cloudflare, reputation is rather poor. From PRISM to false advertising to notification telemetry, Apple hasn’t exactly delivered on their promise. In terms of Invisiv, the company has some big names on board but Fastly and Cloudflare both have a rather significant grip on the internet (with Cloudflare’s being bigger) but any CDN gets a good view into personal data most of the time.
Update: in the case of Cloudflare/Apple, Apple adds additional location data to your request, making its “private” relay leak approximate location data the same way your IP address could leak it. To wit:
Apple relays geolocate user IP addresses and translate them into a “geohash”. Geohashes are compact representations of latitude and longitude.
But on the bright side: a VPN has far more issues than either of these, as it’s basically #4 above except the same service also has your identity by necessity. An untrustworthy VPN is as harmful as an untrustworthy ISP, with very little separating them.
A bit less private because things are going through one fewer hop, in addition to having to sign up. In my experience with Invisiv, it’s much faster and more reliable than Tor, but slower and much less stable than a traditional VPN.
It would be cool if more commercial VPN companies adopted this kind of tech.
They rent their servers, so it depends on what you consider as running the server. They have virtual access to it, but they don’t own the hardware. At least, that’s the case for countries I checked, maybe they have their own servers somewhere too.
My main concern is that cloudflare knows what content it is serving and it is certainly fingerprinting your browser. So regardless of how you request the data, cloudflare knows.
After reading their documentation a little closer, I discovered something else unsavory about Private Relay: it “relays” your approximate location, as it could usually be derived from your IP address.
Hate to break it to you but all the major CDN providers do the exact same things. My employer runs multiple websites mainly for US and European users. We use Akamai for both CDN and WAF services. For any CDN and/or WAF to operate properly it needs access to unencrypted content. Part of Akamai’s WAF tools includes what they call Bot Manager, which can identify traffic coming from over 1000 known bots and can also classify unknown ones. Part of how it works is by browser fingerprinting as well as TLS session fingerprinting and other proprietary fingerprinting.
So any time you visit a large website you’re likely being fingerprinted and otherwise analyzed by the CDN and security tools used by those sites.
When I see this, the only viable option I see is to close the site and boycott it. Any other choice would encourage more companies to do this blackmail.
It’s always struck me as a bit odd that people choose to use a paid proprietary app to access a free and open source social media platform which is developed and hosted entirely by volunteers based on donations. Whilst I don’t have a problem with people making money off of Lemmy apps, making them proprietary and with ads seems against the spirit of Lemmy.
It’s entirely dependent on what car you buy, they’re all different. On some cars it’s integral to the ECU or some other component. On other cars like my Subaru it’s a box you just remove, then you’ll need a custom harness to make the speaker audio work again.
Without saying what car it is nobody can help you without saying “just unplug it”.
I know nothing about the i20 since we don’t get it here, but looks like on Hyundais you’ll most likely have to pull the entire factory radio and replace it with an aftermarket one. I believe on my friend’s Veloster it was a distinct module, but that one was 2g only and since 2g is dead it’s not really doing much.
Maybe if you’re lucky and it’s like my Subaru you can pull the radio, find that BlueLink is its own distinct module and just remove it. You’ll most likely have the same issue as me where your speakers and mic won’t work unless you build a custom adapter. I didn’t build my own adapter, I found a guy online who does radio harnesses for aftermarket radios and he made a basic adapter for like $20, and a fancy one that lets my mic work for like $100.
I had a similar need and settled on tasks.org. Depending on your needs, this may not fit. It’s more of a Google/Microsoft tasks replacement. It’s been really nice for my needs.