Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you'll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cut'n'paste it into its own post — there's no quota for posting and the bar really isn't that high.

The post Xitter web has spawned soo many "esoteric" right wing freaks, but there's no appropriate sneer-space for them. I'm talking redscare-ish, reality challenged "culture critics" who write about everything but understand nothing. I'm talking about reply-guys who make the same 6 tweets about the same 3 subjects. They're inescapable at this point, yet I don't see them mocked (as much as they should be).

Like, there was one dude a while back who insisted that women couldn't be surgeons because they didn't believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can't escape them, I would love to sneer at them.

(Semi-obligatory thanks to @dgerard for starting this, and happy new year in advance.)

  • froztbyte@awful.systems · 6 points · 3 days ago

    you just gotta love how vacuously pointless the wording is

    You must disclose

    google-rfc "must": "we want something we can bend you over a barrel with if you're caught out by one, but that's all we'll bother committing because otherwise it eats into our lovely extortion profits"

    • Sailor Sega Saturn@awful.systems · 7 points · edited · 3 days ago

      Also I'm having a fun time imagining an accurate device fingerprinting disclosure from someone who was really really thorough.

      Not-A-Cookie-I-Swear Technologies LTD may collect the following information:

      Don't worry, none of it is a cookie :D
      • Your User-Agent
      • Your browsers language / locale
      • The state of the service-worker associated with Not-A-Cookie-I-Swear Technologies LTD's website
      • Whether your "mouse" movements look more like a mouse, trackpoint, gamepad, joystick or touchscreen according to our heuristics
      • The current JavaScript time
      • Whether your browser prefers dark mode or not
      • Whether your browser reports itself as screen or print media
      • The device size, device pixel ratio, frame size, and frame position reported by your browser
      • Your browser's HTTP request headers
      • The success or failure of fetching a URL included in the Easylist ad-block list
      • Whether or not an element associated with the Easylist element hiding list was hidden or not
      • Your IP address
      • The result of tracerouting your IP address from one of our servers
      • Browser Local and/or Session Storage
      • The state of the WebSQL and/or IndexedDB database for our website
      • The state of the OPFS filesystem store associated with our website
      • Whether or not there was an HTTP cache hit for our website
      • Whether or not there was a DNS entry cached for our website
      • A hash of the pixels in a WebGL and/or WebGPU scene
      • The browser's default styling
      • The browser's minimum font size
      • The browser's default font family
      • The font file chosen for a variety of character (or ligature) and font-family combinations
      • A hash of the pixels of a canvas with a variety of font families and shapes written into it
      • A report on the presence or absence of various browser CVEs in your browser
      • Information about any other open tabs that happen to include technologies from Not-A-Cookie-I-Swear Technologies LTD
      • What video, audio, and/or image codecs are supported by your browser
      • Whether or not your browser enables video auto play (and whether or not it's muted by default)
      • Whether your browser supports MathGL or not
      • Whether your browser recognizes any origin trials that Not-A-Cookie-I-Swear Technologies LTD happens to have opted into at any given time
      • The behavior of your browser against various web standards edge cases or the presence or absence of features in draft web standards (e.g. Web Platform Tests or Can-I-Use tests)
      • Whether or not your browser supports Widevine video DRM
      • Various browser performance characteristics
      • All key press events
      • Various form auto-fill data (if triggered)
      • Any mouse down, mouse move, or mouse up events
      • A rough geolocation calculated by examining the relative latency of fetches to a number of geographically distributed web servers
      • The presence or absence of various browser plugins developed by, purchased by, or affiliated with Not-A-Cookie-I-Swear Technologies LTD (and any data therein as agreed to by the extension permissions dialog – up to and including microphone, webcam, or full page DOM)

      Some stuff in this list is me being silly, but overall it shows that the talk about "privacy-enhancing technologies" is premature on the web platform. The web has been trying to have better privacy defaults over time; but there's a long legacy of features from before this was considered as much, as well as Google tossing around their weight in the web standards and browser space.

      • skillissuer · 6 points · 3 days ago

        now i wonder how much of that is blocked by firefox enhanced tracking protection. not all, of course, and it's probably much more than needed for a unique identifier. there's a mozilla security blog post on this topic that says some anti-fingerprinting measures were built in all the way back in 2020 (firefox 72)

        • Sailor Sega Saturn@awful.systems · 9 points · edited · 3 days ago

          Above I listed a bunch of things which would help narrow down browser version, but that's hopeless anyway – an adversary will probably be able to figure out your rough browser version even if you fake the UA string, and that you're running in anti-fingerprinting mode.

          So assuming that's out of scope I think these are probably the big categories:

          • Normalize any system information presented to webpage (e.g. remove minor version from UA header, remove OS from UA header, etc)
          • Canvas, WebGL, and WebGPU need to be implemented in software in a deterministic way. Similarly any compositing (including stuff like font shaping, SVG rendering, page layout) must be done in software (prevent GPU fingerprinting)
          • A fixed font set must be used rather than using the system font set (prevent fingerprinting font enthusiasts)
          • The device size / frame size (and position) must be lied about (e.g. rounded to a common resolution or a multiple of 100px), and layout adjusted appropriately (Mozilla calls this "Letterboxing") (prevent fingerprinting psychos who don't run their browser in fullscreen mode).
          • Page storage should be disabled or cleared (local / session storage, cookies, service workers, indexeddb, etc) (A cookie by any other name would taste as sweet)
          • Caching is a big problem, probably have to disable it entirely (including HTTP caching, HTTP caching at the ISP level*, DNS lookups, favicons, JavaScript compilation cache) (Pesky pesky global state).
          • Performance metrics are another big problem. Disabling JavaScript would go a long way here but you probably can't prevent them entirely unless you're prepared to go to unhealthy extremes** (this is like the past 10 years of cutting edge security research so we're doomed)
          • Disable any plugins or other customizations which may provide a fingerprint accessible to the webpage (oops it turned out the FBI caught me because I configured my browser to inject pictures of cute bunnies into every webpage).
          • And of course IP address, which you presumably want to do something about (proxy?)

          That said while I've worked with browsers, I'm not in the biz of fingerprinting or anti-fingerprinting, so there's surely stuff I haven't thought of.

          * Actually we should probably just disable non-HTTPS entirely…

          ** Running under a VM is probably the minimum required to mitigate the chances of cutting-edge side-channel timing attacks from James Bond level adversaries, but at that point maybe you just want a dedicated browsing computer heh. I did chuckle at the idea of someone trying to apply cryptographic constant-time algorithm techniques to writing a browser though.
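A self-audit for the mitigation checklist above and the disclosure list earlier in the thread, added here as an example and not code from anyone in the thread: it scores a browser's exposed surface on UA normalization, letterboxing, page storage, locale and plugin enumeration. The signal-object field names and the "multiple of 100px" letterboxing rule are assumptions made for this example; the audit function takes a plain object, so it also runs offline on the constructed sample.

```javascript
// Added self-audit (not from the thread): scores how much of the fingerprint
// surface a browser still exposes, using the mitigation checklist (UA normalization,
// letterboxing, page storage, plugins) as the yardstick. Field names are assumptions.
const LETTERBOX_STEP = 100; // assumed rounding granularity for letterboxing

function auditFingerprintSurface(s) {
  const findings = [];
  // UA normalization: a hardened UA carries only a major version (e.g. Firefox/128.0)
  const ua = /(Firefox|Chrome)\/(\d+)(\.\d+)+/.exec(s.userAgent);
  if (ua && ua[3] !== ".0") findings.push("ua: minor/patch version exposed");
  // Letterboxing: an exact viewport size is a strong signal for non-fullscreen users
  const rounded = v => v % LETTERBOX_STEP === 0;
  if (!rounded(s.innerWidth) || !rounded(s.innerHeight))
    findings.push("viewport: exact size exposed (no letterboxing)");
  if (s.devicePixelRatio !== 1) findings.push("viewport: non-default devicePixelRatio");
  // Page storage: every writable store is a cookie by another name
  for (const store of ["cookies", "localStorage", "indexedDB", "serviceWorker"])
    if (s.storage[store]) findings.push(`storage: ${store} available`);
  // A full language list and enumerable plugins are cheap, stable identifiers
  if (s.languages.length > 1) findings.push("locale: full language list exposed");
  if (s.plugins > 0) findings.push(`plugins: ${s.plugins} enumerable plugin(s)`);
  return { exposed: findings.length, findings };
}

// Reads the real signals when run in a browser; never called under Node.
function collectSignals() {
  let localStorageOk = false;
  try { localStorage.setItem("_t", "1"); localStorage.removeItem("_t"); localStorageOk = true; } catch {}
  return {
    userAgent: navigator.userAgent,
    innerWidth: window.innerWidth, innerHeight: window.innerHeight,
    devicePixelRatio: window.devicePixelRatio,
    languages: [...navigator.languages],
    plugins: navigator.plugins.length,
    storage: { cookies: navigator.cookieEnabled, localStorage: localStorageOk,
               indexedDB: typeof indexedDB !== "undefined", serviceWorker: "serviceWorker" in navigator },
  };
}

// Constructed sample: an unmodified desktop Chrome profile, for running offline.
const SAMPLE_DEFAULT_PROFILE = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.129 Safari/537.36",
  innerWidth: 1317, innerHeight: 743, devicePixelRatio: 1.25,
  languages: ["de-DE", "de", "en-US", "en"], plugins: 5,
  storage: { cookies: true, localStorage: true, indexedDB: true, serviceWorker: true },
};

const report = auditFingerprintSurface(typeof window === "undefined" ? SAMPLE_DEFAULT_PROFILE : collectSignals());
console.log(`${report.exposed} exposed surface(s):\n  ${report.findings.join("\n  ")}`);
```

Paste the block into a browser console to audit the browser it runs in; under Node it reports on the constructed sample instead.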