Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful youā€™ll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cutā€™nā€™paste it into its own post ā€” thereā€™s no quota for posting and the bar really isnā€™t that high.

The post Xitter web has spawned soo many ā€œesotericā€ right wing freaks, but thereā€™s no appropriate sneer-space for them. Iā€™m talking redscare-ish, reality challenged ā€œculture criticsā€ who write about everything but understand nothing. Iā€™m talking about reply-guys who make the same 6 tweets about the same 3 subjects. Theyā€™re inescapable at this point, yet I donā€™t see them mocked (as much as they should be)

Like, there was one dude a while back who insisted that women couldnā€™t be surgeons because they didnā€™t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I canā€™t escape them, I would love to sneer at them.

(Semi-obligatory thanks to @dgerard for starting this, and happy new year in advance.)

  • Sailor Sega Saturn@awful.systems
    link
    fedilink
    English
    arrow-up
    7
    Ā·
    edit-2
    3 days ago

    Also Iā€™m having a fun time imagining an accurate device fingerprinting disclosure from someone who was really really thorough.

    Not-A-Cookie-I-Swear Technologies LTD may collect the following information:

    Don't worry none of it is a cookie :D
    • Your User-Agent
    • Your browsers language / locale
    • The state of the service-worker associated with Not-A-Cookie-I-Swear Technologies LTDā€™s website
    • Whether your ā€œmouseā€ movements look more like a mouse, trackpoint, gamepad, joystick or touchscreen according to our heuristics
    • The current JavaScript time
    • Whether your browser prefers dark mode or not
    • Whether your browser reports itself as screen or print media
    • The device size, device pixel ratio, frame size, and frame position reported by your browser
    • Your browserā€™s HTTP request headers
    • The success or failure of fetching a URL included in the Easylist ad-block list
    • Whether or not an element associated with the Easylist element hiding list was hidden or not
    • Your IP address
    • The result of tracerouting your IP address from one of our servers
    • Browser Local and/or Session Storage
    • The state of the WebSQL and/or IndexedDB database for our website
    • The state of the OPFS filesystem store associated with our website
    • Whether or not there was an HTTP cache hit for our website
    • Whether or not there was a DNS entry cached for our website
    • A hash of the pixels in a WebGL and/or WebGPU scene
    • The browserā€™s default styling
    • The browserā€™s minimum font size
    • The browserā€™s default font family
    • The font file chosen for a variety of character (or ligature) and font-family combinations
    • A hash of the pixels of a canvas with a variety of font families and shapes written into it
    • A report on the presence or absence of various browser CVEs in your browser
    • Information about any other open tabs that happen to include technologies from Not-A-Cookie-I-Swear Technologies LTD
    • What video, audio, and/or image codecs are supported by your browser
    • Whether or not your browser enables video auto play (and whether or not itā€™s muted by default)
    • Whether your browser supports MathGL or not
    • Whether your browser recognizes any origin trials that Not-A-Cookie-I-Swear Technologies LTD happens to have opted into at any given time
    • The behavior of your browser against various web standards edge cases or the presence or absense of features in draft web standards (e.g. Web Platform Tests or Can-I-Use tests)
    • Whether or not your browser supports Widevine video DRM
    • Various browser performance characteristics
    • All key press events
    • Various form auto-fill data (if triggered)
    • Any mouse down, mouse move, or mouse up events
    • A rough geolocation calculated by examining the relative latency of fetches to a number of geographically distributed web servers
    • The presence or absence of various browser plugins developed by, purchased by, or affilated with Not-A-Cookie-I-Swear Technlogies LTD (and any data therein as agreed to by the extension permissions dialog ā€“ up to and including microphone, webcam, or full page DOM)

    Some stuff in this list is me being silly, but overall it shows that the talk about ā€œprivacy-enhancing technologiesā€ is premature on the web platform. The web has been trying to have better privacy defaults over time; but thereā€™s a long legacy of features from before this was considered as much, as well as Google tossing around their weight in the web standards and browser space.

    • skillissuer
      link
      fedilink
      English
      arrow-up
      6
      Ā·
      3 days ago

      now i wonder how much of that is blocked by firefox enhanced tracking protection. not all, of course, and itā€™s probably much more than needed for unique identifier. thereā€™s mozilla security blog post on this topic says that some anti-fingerprinting measures were built in all the way back in 2020 (firefox 72)

      • Sailor Sega Saturn@awful.systems
        link
        fedilink
        English
        arrow-up
        9
        Ā·
        edit-2
        3 days ago

        Above I listed a bunch of things which would help narrow down browser version, but thatā€™s hopeless anyway ā€“ an adversary will probably be able to figure out your rough browser version even if you fake the UA string, and that youā€™re running in anti-fingerprinting mode.

        So assuming thatā€™s out of scope I think these are probably the big categories:

        • Normalize any system information presented to webpage (e.g. remove minor version from UA header, remove OS from UA header, etc)
        • Canvas, WebGL, and WebGPU need to be implemented in software in a deterministic way. Similarly any compositing (including stuff like font shaping, SVG rendering, page layout) must be done in software (prevent GPU fingerprinting)
        • A fixed font set must be used rather than using the system font set (prevent fingerprinting font enthusiasts)
        • The device size / frame size (and position) must be lied about (e.g. rounded to a common resolution or a multiple of 100px), and layout adjusted appropriately (Mozilla calls this ā€œLetterboxingā€) (prevent fingerprinting psychos who donā€™t run their browser in fullscreen mode).
        • Page storage should be disabled or cleared (local / session storage, cookies, service workers, indexeddb, etc) (A cookie by any other name would taste as sweet)
        • Caching is a big problem, probably have to disable it entirely (including HTTP caching, HTTP caching at the ISP level*, DNS lookups, favicons, JavaScript compilation cache) (Pesky pesky global state).
        • Performance metrics are another big problem. Disabling JavaScript would go a long way here but you probably canā€™t prevent them entirely unless youā€™re prepared to go to unhealthy extremes** (this is like the past 10 years of cutting edge security research so weā€™re doomed)
        • Disable any plugins or other customizations which may provide a fingerprint accessible to the webpage (oops it turned out the FBI caught me because I configured my browser to inject pictures of cute bunnies into every webpage).
        • And of course IP address, which you presumably want to do something about (proxy?)

        That said while Iā€™ve worked with browsers, Iā€™m not in the biz of fingerprinting or anti-fingerprinting, so thereā€™s surely stuff I havenā€™t thought of.

        * Actually we should probably just disable non-HTTPS entirelyā€¦

        ** Running under a VM is probably the minimum required to mitigate the chances of cutting-edge side-channel timing attacks from James Bond level adversaries, but at that point maybe you just want a dedicated browsing computer heh. I did chuckle at the idea of someone trying to apply cryptographic constant-time algorithm techniques to writing a browser though.