Announcement

Collapse
No announcement yet.

The Android Runtime On Chrome OS Makes Use Of Wayland

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • liam
    replied
    Originally posted by ssokolow View Post

    Fair enough. To some extent, I think I might have been using "you'd be surprised" as a rhetorical device.



    Doesn't mean I can't try.



    That's why I said "a little paranoia"... because what is paranoia is defined by the overton window and, before the Snowden leaks, anyone who even approached what they showed would have been called paranoid.



    Maybe you're using different services than I am, but I see a lot of services where the only option offered is "give us your SMS number and we'll text you the next step".



    My nick is my domain name. It's not as if I'm trying to play at being a spy. My goal is just to not give them a free lunch by tying everything into a single ID cookie for them.
    This looks to be largely semantic ("a little paranoid"=cautious about leaking identity) and a matter of expectations (for the most part, I don't really care what they know about me as long as they keep it secure; I also have no reason to believe any human at Google has ever seen my personal info and connected with my identity---again, they shouldn't care about that, and not knowing it gives them a few advantages: plausible deniability and less chance for identity being matched to personal info).
    Google, for instance, doesn't appear to require SMS for two factor (https://www.google.com/landing/2step/#tab=how-it-works).

    Leave a comment:


  • ssokolow
    replied
    1. no, i would't ---- there's a neat little tool that eff developed, which you may have heard of, called Panopticlick, that provides a glimpse of this sort of thing (BTW, Always Be Bayesian)
    Fair enough. To some extent, I think I might have been using "you'd be surprised" as a rhetorical device.

    2. no, Google can probably map it to a real person pretty much every time
    Doesn't mean I can't try.

    3. ok, except for the paranoia (almost never ok, by definition, and, in this case, not warranted, IMHO)
    That's why I said "a little paranoia"... because what is paranoia is defined by the overton window and, before the Snowden leaks, anyone who even approached what they showed would have been called paranoid.

    4. well, that's a theory, but it doesn't account for why you can choose alternate methods of setup (besides, sms can be routed over the internet, and you can always create a temp number----almost no one will, but, for people who are either sufficiently paranoid or have a good reason to hide their identity, sms isn't a serious hurdle)
    Maybe you're using different services than I am, but I see a lot of services where the only option offered is "give us your SMS number and we'll text you the next step".

    I'm not arguing that Google couldn't determine who you are (name/SS#/whatever), but I don't really see why they'd care so long as they can extract maximum data from your presence, and, again, it's in Google's best interest to keep their data as secure as possible (they are also not known to be one of the companies that so readily rolls over for a badge).
    My nick is my domain name. It's not as if I'm trying to play at being a spy. My goal is just to not give them a free lunch by tying everything into a single ID cookie for them.

    Leave a comment:


  • liam
    replied
    Originally posted by starshipeleven View Post
    I always wonder what the hell is a "proprietary" service at all.

    I mean, a service is a "job" that is done by third parties. Not an object, but a sequence of actions, done by workers or machines.

    How can a service be "open"? You can open the tools if it makes sense to do so (and that is what they do usually), but opening the servers or their configurations or the procedures they follow in the company (as not all services are 100% digital in nature) is a bit batshit hardcore communism for no benefit.

    I mean, why should say youtube open their server software to all? It's not like it is doing totally revolutionary stuff in there, there are zillions of video sharing services that can do more or less the same.

    Or google's location infrastructure. It's not like you can replace google's with yours already (if you have a few tens of billion dollars laying around), you don't need to get a full dump of their software to do so.
    Yup. What makes the service useful is the infrastructure, data and UX (possibly in that order).
    Opening these services wouldn't provide much benefit without the community around them and the data they already have.
    The rise of "AI" isn't going to make this any easier, though.

    Leave a comment:


  • liam
    replied
    Originally posted by ssokolow View Post

    1. You'd be surprised how few "anonymous" pieces of data you need to intersect to uniquely identify someone. (Unlike woodpeckers, who need to know when to try another tree, our probability instincts are garbage)

    2. Google has everything they need to map your ad-targeting ID to a Google account (which the NSA can learn a lot more from) if you log into it on your Android phone. Even if they can't map it to a real person in an automated fashion, who knows what a disgruntled employee could find useful. (I see blinding Google as equivalent to having an automatic timer for your lights and pickup for your newspapers when you go on vacation.)

    3. We've already seen Google get mad once because the NSA tapped their trunks without telling them, and, last I heard, the NSA is build a data center to store everything they snoop for future reference and, if necessary, possible later decryption when technology is more powerful. I think a little paranoia is justified there.

    4. The whole reason everyone is pushing two-factor auth that is either SMS-based or requires SMS for setup, despite the former being horribly insecure, is so they can map your account to a mobile number, which they consider to be the holy grail of correlating targeting information across accounts.

    That sort of thing is why I've been working to divide my services across as many providers as possible and to only use 2FA if I can get access to the TOTP seed without using SMS or a proprietary app.
    Sorry for the suuuuuuuper late response.

    1. no, i would't ---- there's a neat little tool that eff developed, which you may have heard of, called Panopticlick, that provides a glimpse of this sort of thing (BTW, Always Be Bayesian)
    2. no, Google can probably map it to a real person pretty much every time
    3. ok, except for the paranoia (almost never ok, by definition, and, in this case, not warranted, IMHO)
    4. well, that's a theory, but it doesn't account for why you can choose alternate methods of setup (besides, sms can be routed over the internet, and you can always create a temp number----almost no one will, but, for people who are either sufficiently paranoid or have a good reason to hide their identity, sms isn't a serious hurdle)

    I'm not arguing that Google couldn't determine who you are (name/SS#/whatever), but I don't really see why they'd care so long as they can extract maximum data from your presence, and, again, it's in Google's best interest to keep their data as secure as possible (they are also not known to be one of the companies that so readily rolls over for a badge).

    https://www.google.com/transparencyr.../legalprocess/

    Leave a comment:


  • ssokolow
    replied
    TL;DR: I get a "confident in his ignorance" vibe from your post and don't feel like defending what is widely agreed upon among those who are actually knowledgable. I've cited some sources and you can take up any issues with them. Enjoy having the last word because I don't have any more time for this.

    Originally posted by starshipeleven View Post
    viewing habits aren't exactly the best. Consider that they don't snoop passwords or have access to what you actually look at, they only know a guy (or the same guy) visited site X and looked at Y page at the Z time.
    If the site integrates the google analytics, so it wants to track you, they provide telemetry on what you do on their site by keywords, like "user clicked on Article1", or "user is reading page 2", they don't dump the whole page with any private info to the Google's servers (mostly because they don't give a fuck, the service is supposed to track your buying habits, not to collect info for NSA to home on you dirty un-american non-white terrorist)
    33 bits of uniquely-identify information is all you need and, back in 2010, they successfully managed to match NetFlix users with their accounts on other sites purely based on similarities in their ratings.

    I could cite more, but I've got better things to do with my time.

    Originally posted by starshipeleven View Post
    Animals in general use smell. They have much better smell, not some handwavium "probability instincts".
    By probability instincts, I mean that, a woodpecker's intutive sense of "What are the odds that I'll find a bug if I keep trying this tree vs. moving on to a new one" is much more in line with actual reality than our intuitive sense of how probability works. (See, for example, Gambler's fallacy and Birthday problem.)

    I'd give a link for the woodpecker part, but I read it in print and I can't remember whether it was in Mean Genes, The Third Chimpanzee, or one of my other heavily-cited books by professors.

    Originally posted by starshipeleven View Post
    Wrong. By default your ID is mapped to the account already, you can choose to not have that from a setting in google play services settings on Android (I assume there is something online too but I never checked).

    Seriously people why every paranoid people shouting hot air on teh internet fails to know the basics of the services he is paranoid about?
    *facepalm* I'm honestly not sure how to begin here, given what a fundamental misunderstanding of my argument it represents.

    Originally posted by starshipeleven View Post
    People not understanding the concept of big data are the most fun. To get anything moderately useful out of their multi-hundred-TB databases you need advanced search algorithms and time and security clearance, a "disgruntled employee" isn't going to have access to that.
    advanced search algorithms and time: With nothing more than the most basic of indexing and search that you'd be a moron not to have in your big data setup, I could easily grab data I'd hate to see used by people who just want to muddy the waters and introduce reasonable doubt and I don't consider myself uncommonly smart or knowledgeable.

    time and security clearance: Or they might just need to be in the right place to exploit a hole in the system, as Edward Snowden was when he took advantage of Hawaii being exempt from the NSA's anti-leaker security because their Internet situation compared to the continental U.S. kept triggering lockouts.

    I'd rather not take the risk.

    Originally posted by starshipeleven View Post
    Wrong, the whole reason everyone is pushing two-factor auth is that people uses shit passwords because they are dumb cows, so service providers are sick of having idiots that "got their account stolen" pester their support teams and give them bad PR with "massive hackings happened" news.

    Phone numbers are stored in the same way as passwords, the service owner can't have access to them (otherwise you must be all over the place with letting a site owner know the password for your account too). This because privacy laws, because they don't want NSA to annoy them to get the numbers, and because any hack or leak that exposes phone numbers would be a major PR hit, much more than the usual email leak.

    And please explain how sms is "horribly insecure", as there is no way in hell someone can intercept a SMS AND correlate that to the specific session of the program that asked for it without having pwned the device already.
    I'm having trouble coaxing my browser history to cough up the most authoritative URLs I read regarding the "correlating for advertising" part, but here are some relevant ones I did manage to dig back up:

    * How many mobile phone accounts will be hijacked this summer? (and his earlier post)
    * SMSRouter README (See "DISCLAIMER" and "SMS / SMPP limitations")

    Originally posted by starshipeleven View Post
    Wrong again. You can pretty much have your own cloud using open software on a device you own.
    You can even put up a mail server and it's not even hard.
    1. Having my own cloud is orthogonal to whether I divide my services up between different providers. (eg. I have accounts at more than one VPS provider)

    2. There are cases like Google Talk, which don't federate. I can't self-host those.

    3. Some things, like hosting my code on sites like GitHub/BitBucket/GitLab/etc., are specifically about not self-hosting because I want to minimize the chance of downtime after my death.

    Leave a comment:


  • anda_skoa
    replied
    Originally posted by starshipeleven View Post
    How can a service be "open"?
    There are a couple of approaches to find viable definitions for this.
    Usually they revolve around the possibilty of being able to replicate it.

    E.g. is the API specified, is the reference implementation openly available, can your own data and meta data be transferred, etc.

    But there are often additional concerns, e.g. do the terms of service require you to give up rights, etc.

    Cheers,
    _

    Leave a comment:


  • starshipeleven
    replied
    Originally posted by liam View Post
    As for their services being "proprietary":
    I always wonder what the hell is a "proprietary" service at all.

    I mean, a service is a "job" that is done by third parties. Not an object, but a sequence of actions, done by workers or machines.

    How can a service be "open"? You can open the tools if it makes sense to do so (and that is what they do usually), but opening the servers or their configurations or the procedures they follow in the company (as not all services are 100% digital in nature) is a bit batshit hardcore communism for no benefit.

    I mean, why should say youtube open their server software to all? It's not like it is doing totally revolutionary stuff in there, there are zillions of video sharing services that can do more or less the same.

    Or google's location infrastructure. It's not like you can replace google's with yours already (if you have a few tens of billion dollars laying around), you don't need to get a full dump of their software to do so.

    Leave a comment:


  • starshipeleven
    replied
    Originally posted by ssokolow View Post
    1. You'd be surprised how few "anonymous" pieces of data you need to intersect to uniquely identify someone.
    viewing habits aren't exactly the best. Consider that they don't snoop passwords or have access to what you actually look at, they only know a guy (or the same guy) visited site X and looked at Y page at the Z time.
    If the site integrates the google analytics, so it wants to track you, they provide telemetry on what you do on their site by keywords, like "user clicked on Article1", or "user is reading page 2", they don't dump the whole page with any private info to the Google's servers (mostly because they don't give a fuck, the service is supposed to track your buying habits, not to collect info for NSA to home on you dirty un-american non-white terrorist)

    (Unlike woodpeckers, who need to know when to try another tree, our probability instincts are garbage)
    Animals in general use smell. They have much better smell, not some handwavium "probability instincts".

    2. Google has everything they need to map your ad-targeting ID to a Google account
    Wrong. By default your ID is mapped to the account already, you can choose to not have that from a setting in google play services settings on Android (I assume there is something online too but I never checked).

    Seriously people why every paranoid people shouting hot air on teh internet fails to know the basics of the services he is paranoid about?

    Even if they can't map it to a real person in an automated fashion, who knows what a disgruntled employee could find useful.
    People not understanding the concept of big data are the most fun. To get anything moderately useful out of their multi-hundred-TB databases you need advanced search algorithms and time and security clearance, a "disgruntled employee" isn't going to have access to that.

    4. The whole reason everyone is pushing two-factor auth that is either SMS-based or requires SMS for setup, despite the former being horribly insecure, is so they can map your account to a mobile number, which they consider to be the holy grail of correlating targeting information across accounts.
    Wrong, the whole reason everyone is pushing two-factor auth is that people uses shit passwords because they are dumb cows, so service providers are sick of having idiots that "got their account stolen" pester their support teams and give them bad PR with "massive hackings happened" news.

    Phone numbers are stored in the same way as passwords, the service owner can't have access to them (otherwise you must be all over the place with letting a site owner know the password for your account too). This because privacy laws, because they don't want NSA to annoy them to get the numbers, and because any hack or leak that exposes phone numbers would be a major PR hit, much more than the usual email leak.

    And please explain how sms is "horribly insecure", as there is no way in hell someone can intercept a SMS AND correlate that to the specific session of the program that asked for it without having pwned the device already.

    That sort of thing is why I've been working to divide my services across as many providers as possible and to only use 2FA if I can get access to the TOTP seed without using SMS or a proprietary app.
    Wrong again. You can pretty much have your own cloud using open software on a device you own.
    You can even put up a mail server and it's not even hard.

    Leave a comment:


  • ssokolow
    replied
    Originally posted by liam View Post

    This was very nicely said, and I wish I hadn't forgotten to add some of these points in my response to that poster.

    ss11, imho, people who get really upset about google are "triggered" b/c of a few things: 1)general distrust of for profit entities and government, 2)they fear, but more importantly believe that a $Pick_Your_Own dystopian nightmare of "Big Brother" is basically already here (related to these folks are the ones who(seriously) scream SKYNET in the comments section of almost any article about "AI", 3)well, there is no 3

    The first one pulls in disparate groups so there's not much we can generalize about them (in this area).
    The second is a rather huge compaction of ideas such that meaningfully breaking it apart would take more effort than I now feel myself willing to exert.

    Hopefully this is somewhat coherent
    1. You'd be surprised how few "anonymous" pieces of data you need to intersect to uniquely identify someone. (Unlike woodpeckers, who need to know when to try another tree, our probability instincts are garbage)

    2. Google has everything they need to map your ad-targeting ID to a Google account (which the NSA can learn a lot more from) if you log into it on your Android phone. Even if they can't map it to a real person in an automated fashion, who knows what a disgruntled employee could find useful. (I see blinding Google as equivalent to having an automatic timer for your lights and pickup for your newspapers when you go on vacation.)

    3. We've already seen Google get mad once because the NSA tapped their trunks without telling them, and, last I heard, the NSA is build a data center to store everything they snoop for future reference and, if necessary, possible later decryption when technology is more powerful. I think a little paranoia is justified there.

    4. The whole reason everyone is pushing two-factor auth that is either SMS-based or requires SMS for setup, despite the former being horribly insecure, is so they can map your account to a mobile number, which they consider to be the holy grail of correlating targeting information across accounts.

    That sort of thing is why I've been working to divide my services across as many providers as possible and to only use 2FA if I can get access to the TOTP seed without using SMS or a proprietary app.

    Leave a comment:


  • liam
    replied
    Originally posted by starshipeleven View Post
    Please note, they don't genuinely give a fuck about who you are (name and stuff) and who are your friends and where you live (more precisely than city name). They track you by asking the device its google ID or something, which is either in a cookie or in a special facility (for Android), and if you change that by tapping around in settings or if you delete cookies and/or block google tracking in your browser (kinda easy) you enjoy 100% stealth from them.
    They gather data to profile you to send ads, which means knowing where you have been and what you bought, but not knowing who you are.
    Even if NSA called Google they would have a hard time telling them any useful info to track you down (unless you posted such stuff yourself).
    This was very nicely said, and I wish I hadn't forgotten to add some of these points in my response to that poster.

    ss11, imho, people who get really upset about google are "triggered" b/c of a few things: 1)general distrust of for profit entities and government, 2)they fear, but more importantly believe that a $Pick_Your_Own dystopian nightmare of "Big Brother" is basically already here (related to these folks are the ones who(seriously) scream SKYNET in the comments section of almost any article about "AI", 3)well, there is no 3

    The first one pulls in disparate groups so there's not much we can generalize about them (in this area).
    The second is a rather huge compaction of ideas such that meaningfully breaking it apart would take more effort than I now feel myself willing to exert.

    Hopefully this is somewhat coherent

    Leave a comment:

Working...
X