Scala compiler engineer for embedded HDLs by profession.

I also trickjump in Quake III Arena as a hobby.


jard,
@jard@sopuli.xyz avatar

I mean, we can’t entirely discredit her effort. With her given design criteria for what is a “good user interface,” she nailed it out of the park. I would personally be inclined to use that UI if Steam went in that direction.

However, designing for her specific design criteria is also the problem here. One of the golden, and frankly most obvious, rules of UX design is to design for users. You’re exactly right that she didn’t design for the needs of Steam users, but instead designed for her preconceived notion of what a user interface should look like. This would likely have turned out far better if she conducted research beforehand to see what Steam users actually want.

jard,

I never insinuated that my personal opinion was at all representative of Steam users as a whole. My point still stands that she probably should have asked a large body of Steam users to gauge their needs for the platform, so that she can incorporate their feedback into her redesign.

jard,

Google promised an open market in the form of alternate, competing app stores, but signed contract deals with developers under the table to make them publish through Google Play only. Their monopoly was enforced through contract law, which is lawyers’ bread and butter.

Apple never promised any such open market. Their monopoly was enforced through product design, which boomers and juries can’t wrap their heads around.

Regardless, the case will be appealed to the Ninth Circuit, which also ruled in favor of Apple, so it’s possible things will change.

jard,

U2F on Bitwarden, in principle, doesn’t guard against attackers breaching into your accounts, as the Yubikey serves as a second factor during the authentication stage when the Bitwarden app retrieves the encrypted vault. Unless you combine a static secret from the Yubikey into the master password of the vault, an attacker could, in theory, steal your encrypted vault from the central Bit/Vaultwarden server or any device that’s already downloaded it (note that if this device is your phone, all conventional TOTP is thwarted anyways, so in general phones are the most lucrative target here.) From there, the strength of your master password becomes the only thing separating an attacker from access to all of your online accounts.

I’m not saying that it’s a bad practice and you absolutely shouldn’t do it — I do it myself, as I trust the security of Bitwarden’s servers and my devices in keeping my vault safe. The salient point here is the burden lies on online services upgrading their outdated security options to support U2F, not on us settling with an objectively inferior 2FA option because these services are too lazy and slow.
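Added example, not part of the original comment: a small Python model of the point above, in which the second factor gates retrieval of the encrypted vault while decryption depends only on the vault key. The toy sealing scheme, the iteration count and all sample values are assumptions for illustration; this is not Bitwarden's code or format.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed cost for this sketch, not a vendor setting


def derive_key(master_password: str, salt: bytes, hw_secret: bytes = b"") -> bytes:
    """Derive the vault key; hw_secret models a static secret from a hardware key."""
    material = master_password.encode() + hw_secret
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher.
    out = b""
    counter = 0
    while len(out) < length:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then authenticate; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: the blob stays opaque
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class VaultServer:
    """Hands out the encrypted blob only after password AND second factor pass."""

    def __init__(self, blob: bytes):
        self._blob = blob

    def fetch(self, password_ok: bool, second_factor_ok: bool):
        return self._blob if (password_ok and second_factor_ok) else None


def run_scenarios() -> dict:
    salt = os.urandom(16)
    password = "correct horse battery staple"  # constructed sample
    hw_secret = os.urandom(32)                 # constructed static hardware secret
    entries = b"example.com: hunter2"          # constructed vault content

    plain_blob = seal(derive_key(password, salt), entries)
    mixed_blob = seal(derive_key(password, salt, hw_secret), entries)
    server = VaultServer(plain_blob)

    return {
        # The second factor protects the download path only.
        "server_refuses_without_second_factor": server.fetch(True, False) is None,
        # A copy of the blob taken elsewhere needs nothing but the password.
        "copied_blob_opens_with_password_alone":
            unseal(derive_key(password, salt), plain_blob) == entries,
        # With the hardware secret mixed into the key, the password is not enough.
        "mixed_blob_opens_with_password_alone":
            unseal(derive_key(password, salt), mixed_blob) == entries,
        "mixed_blob_opens_with_password_and_secret":
            unseal(derive_key(password, salt, hw_secret), mixed_blob) == entries,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```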

jard,

Apps can implement their own form of push notifications – most privacy-respecting ones already do. However, it’s an endeavor that’s too much effort for the average dev, so they default to using the existing FCM service instead.

jard,

None of these “Apple bad” types read anything beyond the headline.

Nowadays, anything remotely outrageous or negative is very hastily construed to be “Apple bad, duh” without a second thought. We legitimately can’t have genuine, thoughtful criticism of these companies anymore.

jard,

There is also the approach of representing 0.999… as the infinite geometric series 9(1/10) + 9(1/100) + 9(1/1000) + 9(1/10000)… which, by definition, is equal to 9(1/10) / (1 - 1/10) = 0.9 / 0.9 = 1.

jard,

I think you might be overthinking things. “Apple devices you use on a regular basis” just generically means whatever you use and plan to enable hardware 2FA for.

Maybe it’s to emphasize that you’re now going to have to use your hardware keys to regularly use Apple services on your phone, in addition to things like passwords, Face ID, etc.

jard,

In my personal experience this is blatantly untrue, because now I can’t even log into my Google/YouTube account on Librewolf anymore. I get a prompt saying “this browser may be insecure” and requesting that I use Chrome instead. This is exactly what the Web Environment Integrity API was intended for — maybe they did decide to shelve it for general use, but Google is still absolutely trying to push this bullshit for their own services.

I never had this issue for the past 2 years I’ve used Librewolf until, coincidentally, Google “decided” to “sunset” its browser DRM.

jard,

I have Librewolf with uBO and CanvasBlocker whitelisted for very specific websites. It required me both disabling uBO and allowing *.google.com in CanvasBlocker’s whitelist for my browser to suddenly be “secure” again.

In other words… “we won’t let you sign in unless you enable your trackers on your browser.”

Damaged USB-C... maybe?

My steam deck stopped charging, bought a new charger to be safe but still no dice. Opened her up and reseated the battery then tried the charger again. There was a hissing sound so I immediately unplugged it. The port smelled like burning, but after removing the board, there are no visual signs of burnt components. I do have...

jard,

Definitely a battery-related issue. When I first got my Deck a year ago I actually had a very similar experience. Turns out the power regulator IC that controlled the voltage from the battery got itself fried, so not only did I get the burning and hissing but it just straight up refused to boot and charge.

If you want to you can try diagnosing the issue further… but yeah, RMA time. It’s so much easier.

jard,

If you’re comfortable with self hosting, I recommend SilverBullet: it’s a Markdown-based knowledge management solution that runs as a PWA in any modern browser. It automatically syncs to a hosted SilverBullet server during use when you have an internet connection, and otherwise can run completely offline (provided that you use a browser that supports offline PWAs).

jard,

I tested it on iOS Safari with my own hosted instance and it seems to be fine. Is macOS Safari different? Maybe that’d be a good bug to report.

jard, (edited )

OP’s “evidence” is that Kagi internally uses Sentry.io (a FOSS crash report aggregation service for developers) to report crash logs, which they then use to assert that Kagi is aggregating personal data and sending that data to Sentry. The “proof” is that they used an Android tool that reports whether an APK contains specific Java classes whose fully qualified names match a “tracker” name filter (which, coincidentally, cherry-picks Sentry.io as a tracker), runs it on some completely irrelevant Android APK, and then concludes that because these classes are showing up with their cherry-picked filter, Sentry.io is a tracker, ergo Kagi is tracking personal data. Q.E.D.

In short, it’s complete nonsense. I did a thorough debunking of their methodology in a previous comment of mine. You can safely ignore anything they have to say.

jard,

> They do share data with a notorious 3rd party tracking company.

Care to give any details?

jard,

“Anonymous logs are shared with Sentry when bugs, crashes, or warnings occur for debugging purposes.”

It is quite a leap in logic — a non sequitur, even — to go from “debug crash logs sent to a crash reporting service” to “your personal information is being shared with third parties,” especially since Sentry themselves advise that their own users (developers) should not send personal information to them.

Please give the evidence detailing what personally identifying information Kagi collects and how they send it to Sentry, since you clearly know how things work internally in there.

jard, (edited )

From my understanding, Kagi counts searches against accounts based on how many times that account has accessed the search endpoint. That is, multiple repeated searches (over a period of time) are treated as unique searches.

According to them, searches are cached for 2 minutes, and next page results are also counted as a unique search.

jard,

Searching for Sentry with your supplied source gives nothing helpful, in fact Exodus doesn’t even list Sentry as a tracker here. I’m sure a “well known and notorious” tracker should be listed as such.

So again, citation needed. Link evidence of these claims.

jard,

The non-exhaustive list of Python, Swift, Java and native bindings for the Sentry SDK are all FOSS by your own criterion, so I’m not sure where this whole FOSS diatribe is coming from.

Again, can you send a direct link to a credible source (read: not a remark to “look it up myself”) that presents the evidence on exactly how Sentry aggregates and collects personal data? Your criticism about corporate privacy policies boiling down to a “just trust us bro” mentality can be applied to your own claims and chain of comments: without any evidence I’m forced to take your assertions at face value and “just trust you bro.”

jard,

> we can’t be sure what code are they exactly running on the server side

The same can be said about the hundred random SearXNG instances floating around on the Internet. How do you know that some of those aren’t running custom binaries that are then linking your IP to your search queries and sending them off?

The only true solution is to self host, but the majority of people are looking for a quick and easy Google/DDG replacement, not to completely overhaul their digital life.

jard,

Anonymity is not the same as privacy, because the latter fundamentally entails a measure of trust between two parties over the control of personally identifying information. Note that this is contingent on whether that personal information is exchanged.

In the situation you described, privacy is irrelevant in either case, whether you access a SearXNG instance with a VPN/Tor or use a pseudonym and Monero payments to access Kagi, because no personal information was exchanged in the first place.

The “privacy” in both situations then becomes how difficult it is for a bad actor to deanonymize you, which comes down to whether you can trust that the VPN service you’re using isn’t logging your traffic and the email service your pseudonym is on won’t just give up your data… or whether Tor isn’t being actively deanonymized via malicious exit nodes controlled by certain three-letter government agencies. This isn’t a fault on either search engine, IMO.

jard, (edited )

You clearly don’t understand how this works, do you?

Let’s start from the beginning: Your suggested app, “classyshark3xodus”, notes that the database it uses is the concatenation of the existing exodus-privacy trackers, as well as an addendum list of 31 “additions”. Most importantly, this list comes from the repository linked here.

Let’s ignore, for a moment, that this clearly implies that the creator of this app lied about the database it uses (because it’s very clearly not some official “new” Exodus database, but a hodgepodge mashup made by some complete stranger on the Internet…) The repository for the addendum list states that the Sentry listing comes from the Exodus Tracker Investigation Program (ETIP). Thus, we expect that there should be a page on the ETIP for Sentry, and indeed there is one here.

We can see that the description for this tracker is… hold your breath… to report unhandled exceptions to an online service. It’s almost as if… that was the exact, entire, unmitigated stated purpose of the fucking software in the first place! Also note that the stated category is… again, hold your breath… crash reporting. Again, this is exactly the stated purpose of the SDK, which was advertised on their own site.

This means you already lied multiple times about the intended purpose of Sentry. Your own source states that Sentry is not an “analytics company”, but a “crash reporting” service. Again, this is what we have already clearly established by a very cursory, trivial look at the software itself. Oh, also, it’s also stated in the ETIP that Sentry is not even listed in Exodus as a tracker. Gee, I sure wonder why…?

I also had the displeasure of going through with downloading this app from F-droid and testing it on Fennec as you stated. As expected for the simplistic process of “does the fully qualified name of this class begin with this specific filter?” Sentry classes show up.

I know what I’m doing, so let’s dig into some of the classes. The vast majority of them are actually dummy classes that do not contain any fields or functions that mutate state. For example, io.sentry.UserFeedback:


    package io.sentry;
    import java.lang.String;

    public final class UserFeedBack extends Object
    {
    /*
     * Field Definitions.
     */
    /*
     * Declared Constructors
     */
        public final String toString() { ... }
    }

The reason for this is that F-Droid runs ProGuard on compiled artifacts from source, which optimizes away unused Java bytecode. This means we can be sure that the APK we received only consists of the instructions actually used by the APK. An empty class file also means that it is a stateless class, and for the sake of OOP is effectively a no-op that can’t perform anything.

So with that being said, let’s dig straight into the io.sentry.protocol.User class. We should expect this to contain the most sensitive user information sent to this “analytics” company, such as email addresses, geo locations, and… uhh wait…


    package io.sentry.protocol;
    import java.lang.Object;

    public final class User extends Object
    {
    /*
     * Field Definitions.
     */
    /*
     * Declared Constructors
     */
      public User() { ... }
      public final boolean equal(Object) { ... }
      public final int hashCode() { ... }
    }

It’s a dummy class! That means it can’t store anything about the user because it doesn’t do any of that in the first place, thus being optimized away by ProGuard. Oops.

So, how about io.sentry.protocol.Session?


    package io.sentry;
    import ...

    public final class Session extends Object
    {
    /*
     * Field Definitions.
     */
        public String abnormalMechanism;
        public final String distinctId;
        public Double duration;
        public final String environment;
        public final AtomicInteger errorCount;
        public Boolean init;
        public final String ipAddress;
        public final String release;
        public Long sequence;
        public final UUID sessionId;
        public final Object sessionLock;
        public final Date started;
        public Session$State status;
        public Date timestamp;
        public String userAgent;
    /*
     * Declared Constructors.
     */
        public Session(Session$State, Date, Date, int, String, UUID, Boolean, Long, Double, String, String, String, String, String) { ... }
        public final Session clone() { ... }
        public final volatile Object clone() throws CloneNotSupportedException { ... }
    }

Finally, a class with actual state! We can see from here that a Sentry session can contain the following information:

  • The user’s IP address. Pro tip – any time you connect to the Internet, your outmost IP address is always shared with any destination servers you connect to. This is in the design of the protocol.
  • The ‘userAgent’. According to this line, the user agent is sent as the User-Agent header of the HTTP request to Sentry’s servers. This value is composed of the app’s chosen programming language and platform of choice of the user, along with the version of the Sentry SDK.
  • The user environment. From these lines this is simply whether the user is operating in a production or development environment; e.g. the typical Fennec user will be running in a “production environment.” Standard stuff.
  • Information related to the internal Sentry session, such as error counts, session length, error status, time the session started, etc. This information is intrinsically anonymous, since it’s tied to the operation of the application itself and not the user.

So what potentially personal information does Sentry “leak” in a session?

  • The user IP address
  • The platform of the user (for Fennec, it is always Android)
  • that’s it.

In other words… this is a typical crash log… containing the unhandled exception which caused the crash… that is then sent over to a server over the Internet via a specific user’s Internet connection (leaking an IP by necessity of the protocol). In other words… this is a crash reporting service. 🤦

As war said, you don’t know what Sentry does. Actually, you don’t understand how any of this works. This is a privacy community first and foremost, but I also expect that FOSS “enthusiasts” such as yourself actually understand how to work with FOSS.
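Added example, not part of the original comment and not code from any of the tools it mentions: a Python sketch that parses class outlines in the layout shown above and contrasts what a name-prefix filter reports with which flagged classes actually declare fields. The sample outlines are constructed and abbreviated from the comment's listings, `org.example.app.MainActivity` is hypothetical, and the prefix `io.sentry.` is an assumed filter string.

```python
import re

PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;")
CLASS_RE = re.compile(r"\bclass\s+([\w$]+)")
FIELD_RE = re.compile(r"^\s*public\s+(?:final\s+)?[\w$.]+\s+(\w+)\s*;")
METHOD_RE = re.compile(r"^\s*public\s+[^;(]*?([\w$]+)\s*\(")

# Constructed samples, abbreviated from the outlines quoted in the comment.
SAMPLE_OUTLINES = [
    """package io.sentry;
public final class UserFeedBack extends Object
{
    public final String toString() { ... }
}""",
    """package io.sentry.protocol;
public final class User extends Object
{
  public User() { ... }
  public final boolean equal(Object) { ... }
  public final int hashCode() { ... }
}""",
    """package io.sentry;
public final class Session extends Object
{
    public final String environment;
    public final AtomicInteger errorCount;
    public final String ipAddress;
    public Session$State status;
    public String userAgent;
    public final Session clone() { ... }
}""",
    # Hypothetical non-Sentry class, to show the filter's negative case.
    """package org.example.app;
public final class MainActivity extends Object
{
    public String title;
    public MainActivity() { ... }
}""",
]


def parse_outline(text: str) -> dict:
    """Extract the fully qualified name, field names and method names."""
    package, name, fields, methods = "", "", [], []
    for line in text.splitlines():
        if m := PACKAGE_RE.match(line):
            package = m.group(1)
        elif not name and "(" not in line and (m := CLASS_RE.search(line)):
            name = m.group(1)
        elif m := FIELD_RE.match(line):
            fields.append(m.group(1))
        elif m := METHOD_RE.match(line):
            methods.append(m.group(1))
    return {"fqcn": f"{package}.{name}", "fields": fields, "methods": methods}


def flagged_by_prefix(outlines, prefixes) -> list:
    """What a name filter reports: every class whose name starts with a prefix."""
    classes = [parse_outline(o) for o in outlines]
    return [c["fqcn"] for c in classes if c["fqcn"].startswith(tuple(prefixes))]


def fields_of_flagged(outlines, prefixes) -> dict:
    """For each flagged class, the fields it can actually hold data in."""
    classes = [parse_outline(o) for o in outlines]
    return {c["fqcn"]: c["fields"] for c in classes
            if c["fqcn"].startswith(tuple(prefixes))}


if __name__ == "__main__":
    prefixes = ["io.sentry."]  # assumed filter string
    print("flagged by name:", flagged_by_prefix(SAMPLE_OUTLINES, prefixes))
    for fqcn, fields in fields_of_flagged(SAMPLE_OUTLINES, prefixes).items():
        print(f"{fqcn}: {len(fields)} field(s) {fields}")
```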

jard,

That’s a fair stance to take — however, it’s worth noting that Tate already has participated in MLM/pyramid schemes before.

Most notably, Hustler’s University itself was designed from the ground up as a pyramid scheme through an affiliate marketing system. People paid in at $49/mo expecting lessons on how to make money (which were all publicly available on the Internet), but at the end they received instructions on how to promote HU. The profits they made (through copywriting, I believe it was) would then get funneled to the person who referred them via the affiliate link, and this gets chained up higher and higher, ending at Tate himself.

When I looked into the whole thing, there were so many 14 year old Fortnite squeakers on Youtube who also desperately pushed for people to sign up to HU using their own affiliate link. If you called this out they get hyper defensive and accuse you of spreading FUD. This alone says everything: HU was a textbook MLM scheme through and through, and I wouldn’t be surprised if this Real World Portal thing is just the same rebranded crap.

jard,

I don’t think many people here are genuinely interested in Apple hardware and technology; a lot of them are active in predominantly Android or Windows communities and their responses essentially boil down to “Apple bad, incremental upgrades bad, consooming bad, enshittification bad, anti repair bad” without actually understanding the topics at hand, and spew out some pretty egregious and erroneous shit as a result.

The people who do very trivial research of these topics then become easy targets as now they seem like they’re “Apple bootlickers.” Case in point: your recent comment about calibration/Asahi Linux. Or a trivial debunking of the statement that “there is enough bandwidth in 2.4GHz [Bluetooth]” attracting the negative attention of tech geeks who think they know everything. Or the complaint that “Apple is locking USB3.0 to the more expensive iPhone 15 Pro”, despite that being the result of a process they’ve been doing for years now (current gen base models have the previous gen Pro chip).

It’s sad to see for Lemmy, who I’d expect would be composed of knowledgeable tech enthusiasts, but what can we really do about it when nonsense is so easy to churn out?

jard,

I use Bitwarden TOTP because my Bitwarden account is already secured with a Yubikey as a second factor. It’s the best solution I have for services that only provide TOTP and not FIDO U2F (I would use the Yubikey directly otherwise.)

jard,

Yep, for some reason Valve and the incessant Steam fanboys insist that mobile-based Steam Guard is absolutely perfect and anything like U2F just makes things more insecure… somehow.

Fortunately, Bitwarden at least implemented Steam’s own TOTP algorithm. With a very user unfriendly process you can grab the authenticator key Steam gives you via the third party Steam Guard desktop client, insert it into Bitwarden, and then it’ll happily generate the right verification codes for you.

jard,

Same story here. I self hosted my email with a Linode for a year and a half and it fucking sucked. Gmail almost always filters inbound email from what they deem as untrustworthy IP addresses (which is pretty much any mail server other than the big players), and even if you never plan on mailing Gmail addresses your server’s IP will show up on some “critical spam” blacklist somewhere simply because you’re running a mail server, which basically spells doom for mail deliverability.

You also need to diligently harden your mail server because bots indiscriminately try to find loopholes in mail server configs all the time, and once they do they start spamming their poor victims through your server. It’s a fool’s errand that varies wildly based on what distro you installed, which mail/postfix/dovecot/fail2ban/dkim/spf etc configuration you have, and a lot of the time the information doesn’t actually exist on the Internet so you have to figure it all out yourself.

Ever since I switched to Tutanota + redirection with my domain I’ve never had any of these issues, and I’m never going to look back. It’s unfortunate, but the days of self hosting mail servers are over. It’s simply not worth the struggle and it just becomes an uphill battle in the end.

jard,

Ignoring the obvious implications of these actions, doesn’t this also fly in the face of net neutrality?

I mean, a guy who effectively serves as the ISP for millions of people, suddenly and arbitrarily deciding he doesn’t like a specific type of internet traffic, then proceeds to block their access entirely. So much for Starlink “opening access” to the full Internet…

jard, (edited )

That’s fair, and the article doesn’t explain exactly how Elon was able to “cut off connectivity” to the drones, but regardless I think his own stance on how Starlink should be used can be reasonably interpreted as him favoring one form of traffic (‘Netflix and chill’, ‘online school’, ‘good peaceful things’) over another (‘war’, ‘drone strikes’).

jard,

I’ll clarify that while there’s a whole legal/political aspect of “net neutrality,” I mean more so the general principle of it, in that ISPs shouldn’t be limiting or blocking traffic over any other. Obviously, Ukraine can’t go against the one providing them with their Internet and almost certainly doesn’t have anything enforcing ISP net neutrality, but still, if I were a Ukrainian on the front lines and knew that the erratic dude providing vital internet connectivity to my country can just throw a tantrum about how “Starlink shouldn’t be used for wars and drone strikes” and then coincidentally my drones just stop working… I’d be pretty angry.

jard,

The problem is there’s nothing to criticize Apple about here. The notion that it’s Apple’s fault that people are writing malware targeting macOS is just as stupid as it being Google’s fault that people are writing Android malware. It comes across as misguided “I hate Apple”-ism that adds nothing of substance to the discussion and intrinsically can’t be discussed without it turning into some shit-flinging argument. (case in point: the 18+ comment chain that resulted)

That’s why those comments are downvoted: people are using the feature as intended to hide the visibility of low effort troll garbage. You’ll find there are plenty of threads here with people genuinely criticizing Apple and their comments are upvoted just fine.

jard,

Not really…? They’re probably trying to see how others integrated gym equipment into a (WFH) office space. That’s a far cry from being an odd inquiry.

jard,

Army sergeant engages with a sniper shaolin monk in a brutal battle to the death. Multiple times in a row.

jard, (edited )

Intel isn’t buying SiFive. That deal fell through almost 2 years ago.

jard,

Despite the anecdotal N=1 example, which of course can’t be reproduced and corroborated because the OP felt the need to omit the search query they used for some reason, Google results have generally been garbage for years — yes, to an extent that it becomes useless.

Hell, one of the suggestions for “google results” on Google itself is “google results are getting worse”, with lots of articles explaining why when you search it.

jard,

That fits the textbook definition of targeted ads, which is the use of personally identifying data to select who to deliver specific ads to. Google is selling not data directly, but rather the promise to advertisers that they can deliver that baking ad to the right audience (bakers who watch youtube). It’s a disguised form of indirectly selling your identity.

Anyone else looking to replace their accessories with USB-C once they got updated?

It seems that USB-C iPhones are on the horizon. There’s a high chance that the rest of the accessories that still use Lightning port will get updated with USB-C port. I do have the MagSafe Battery Pack and Duo Travel Charger. Having them all in USB-C seems like a breeze as you don’t need to bring Lightning cable...

jard,

If you have 1st gen Airpods Pro and aren’t afraid of a little DIY, you can always do the USB-C swap.

Google should go bankrupt

I’ve been so upset with Google for a long time. It might be seamless if you don’t live in China or whatever, but for me it’s been pain for years. A few years ago they stopped accepting my credit card. This year they stopped accepting my gf’s card (she’s Chinese). I tried to verify my identity with passport images and...

jard,

> I’ve been so scared I don’t trust protonmail either.

I mean, compared to what you’ve been dealing with before (the biggest adware company in the world) Proton is an angelic saint. You’ll be fine in their hands.
