He/him. Chinese born, Canadian citizen. University student studying environmental science, hobbyist programmer. Marxist-Leninist.

  • 16 Posts
Joined 2 years ago
Cake day: Dec. 04, 2020


Suddenly the cryptobros don’t like the fact that anyone can use it anymore.

Pedophiles paying for CP and murderers paying for hitmen? That’s just the cost of currency freedom, apparently (not making it up, I’ve seen cryptobros defending both under the guise of if you suppress them you suppress everyone). But a country the US hates paying to feed its people? Now that goes too far!

cross-posted from: https://lemmygrad.ml/post/239508

> A story that unfolded on the EFF Twitter.
>
> > Protecting your data from data brokers is an important component of the fight to protect reproductive rights. One example—though far from the only one—is data broker @Safegraph, whose disingenuous framing masks the real risks of location data sales. Thread: https://www.eff.org/deeplinks/2022/05/safegraphs-disingenuous-claims-about-location-data-mask-dangerous-industry
> >
> > Tuesday, Motherboard reported that data broker SafeGraph was selling location information “related to visits to clinics that provide abortions including Planned Parenthood facilities,” including where visitors came from and where they went. https://www.vice.com/en/article/m7vzjb/location-data-abortion-clinics-safegraph-planned-parenthood
> >
> > In response, SafeGraph agreed to stop selling data about Planned Parenthood visitors. It also defended its behavior, claiming that SafeGraph “only sell[s] data about physical places (not individuals.)” https://www.vice.com/en/article/88gyn5/data-broker-safegraph-stops-selling-location-data-of-people-who-visit-planned-parenthood
> >
> > But SafeGraph absolutely has sold individualized data in the past. Last year, EFF reported how SafeGraph had sold 2 years’ worth of “disaggregated, device-specific” location data about millions of people to the Illinois government, starting in January 2019. https://www.eff.org/deeplinks/2021/08/illinois-bought-invasive-phone-location-data-banned-broker-safegraph https://t.co/CQ6XXgYTOM
> >
> > Older materials about SafeGraph also indicate that it used to offer a product called “Movement Panel.” A 2017 blog post by two people from Safegraph describes it as a “database of ultra-accurate GPS-location data that comes from anonymized mobile devices.” https://medium.com/@natasha_18377/less-than-10-of-bid-stream-location-data-is-high-quality-and-we-know-how-to-find-it-3a2c0df35475#---198-453
> >
> > It also describes how SafeGraph used “the bidstream” - data siphoned from the millions of apps that solicit ads through real-time bidding. Use of bidstream data is considered ethically dubious even within marketing circles. https://www.toolbox.com/marketing/customer-data/guest-article/data-privacy-the-next-jumpshot-like-controversy-is-lurking-in-the-bidstream/
> >
> > It’s possible that SafeGraph itself no longer sells this kind of data. But that’s not the whole story.
> >
> > In 2019, SafeGraph spun off a company called Veraset. In 2020, Quartz reported that “[SafeGraph] says it gets mobility data from providers like its spin-off Veraset, which own the relationships with the apps that gather its data [.]” https://qz.com/1934587/who-is-safegraph-the-company-giving-your-location-data-to-covid-researchers/
> >
> > Also, founder Auren Hoffman and other SafeGraph employees have used SafeGraph forums to direct potential customers to Veraset for specific data needs.
> > https://www.safegraph.com/community/t/i-am-looking-for-mobility-data-for-africa-most-specifically-sub-saharan-africa/407
> > https://www.safegraph.com/community/t/news-and-geolocated-social-media-accurately-measure-protest-size-variation/1794
> >
> > Veraset sells raw, disaggregated, per-device location data. Last year, EFF received records showing how Veraset gave a free trial of such data to Washington, DC, as well as other unnamed agencies. https://www.eff.org/deeplinks/2021/11/data-broker-veraset-gave-bulk-device-level-gps-data-dc-government
> >
> > And Veraset offers a product called “Movement.” It “delivers the most granular and frequent GPS signals available in a third-party dataset,” and sources from “thousands of apps and SDKs”. https://www.veraset.com/products/movement/
> >
> > In sum, Veraset is in the business of selling precise, ping-level location data from the smart phones of millions of people. Safegraph itself was in this business until it spun it off to Veraset. And Safegraph continued to acquire data from Veraset and steer business there.

Why include it as a default though? If they simply dropped a recommendation, or asked to install it letting you know it’s proprietary, sure people might still complain but it won’t be seen as nearly as serious a violation of FLOSS principles.

Can you elaborate? This is the first time I’ve heard that, then again I’ve never used Graphene and never interacted with any communities dedicated to the project.

TIL that’s a thing.

And TBH it’s really suspicious they don’t tell you which one.

I do wonder what their one proprietary app is.

I vaguely remember there was this weird PDF reader app I’d never heard of the last time I used /e/. Going to bet it was that. Never used it, installed Book Reader from F-droid in its place.

Now, why that would be a default, I don’t know. The only non-“it’s sponsored” theory I can come up with is that vanilla AOSP, by itself, has no actual ability to read PDFs. There is no default app for it and none of the common browsers can open them either. This is actually a problem in LineageOS because it only ships the AOSP default apps.

Or maybe it’s their custom app store that connects to Google Play without signing in? It doesn’t seem it’s based on Yalp/Aurora Store.

/e/OS currently has an alpha image for the FP4, I imagine LineageOS will soon too. Both are well-known degoogled ROMs.

It’s expensive yes, unfortunately prohibitively so for many, but that expense goes into sustainable, conflict-free materials, many years of continuous support, and the engineering required for a semi-modular phone. It will more than likely last you a very long time, longer than any other Android phone, especially since the battery, the first thing to fail in a phone, can be freely replaced.

I’m definitely an advocate for low-level memory-safe languages like Rust over C/C++.

No, this is worse. With the cURL thing, you know what you’re doing because you literally entered the command, and then you have to enter a password, and you can make your own assessment as to whether it’s a good idea. Also, assuming you’re on an HTTPS connection and trust the source (i.e. reputable software author versus shady pirate site), it’s not actually unsafe.

Whereas with sandbox breaks in Electron, someone can’t reasonably know that a feature is vulnerable (hell, it can take the people who wrote the damn thing years to realize there’s a bug). If you need to open an HTML file in VSCode, are you going to manually audit the previewer implementation? It’s much easier to check your terminal commands for insecure pipes than to check an Electron app for sandbox violations.

Is there a specific reason or example for why we say it has terrible security here?

From what I’ve heard, it’s trivial to accidentally execute an external webapp with the same privileges as the app itself, so you’re one bug away from potentially giving a random website access to your system APIs. For example, an improperly implemented HTML previewer would probably be the easiest way to get pwned in this way, especially since Electron supports the entire Node.js environment and not just browser based JS.
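The "one bug away" situation this comment describes comes down to a handful of BrowserWindow `webPreferences` flags: a window that grants the loaded page Node.js access is the one where an HTML previewer bug turns into system access. The checker below is an added illustration, not code from the thread or from Electron: it lints a `webPreferences` object, shows the weak configuration beside the hardened one, and includes the navigation check Electron's guidance recommends for `will-navigate`. The option names (`nodeIntegration`, `contextIsolation`, `sandbox`, `webSecurity`) are Electron's real keys; `WEAK_PREFS`, `HARDENED_PREFS`, `auditWebPreferences`, `isRendererIsolated`, `allowNavigation` and the sample values are this example's own.

```javascript
"use strict";

// Added example, not Electron's code: audit BrowserWindow webPreferences.
// Sample configs below are constructed for illustration.

// Weak (constructed): nodeIntegration hands page scripts Node's `require`,
// and contextIsolation=false lets the page reach whatever the preload script
// defines. Any HTML loaded here runs with the app's privileges.
const WEAK_PREFS = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
  webSecurity: false,
};

// Hardened (constructed): page runs in the Chromium sandbox, has no Node.js,
// and can only call what a preload script exposes through contextBridge.
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

// One rule per key: the safe value and why the unsafe one matters.
// A missing key is reported as a warning because the defaults changed across
// Electron majors (nodeIntegration -> false in 5, contextIsolation -> true in
// 12, sandbox -> true in 20); omitting them is only safe on a recent Electron.
const RULES = [
  { key: "nodeIntegration", safe: false, why: "page scripts get Node.js require()" },
  { key: "contextIsolation", safe: true, why: "page scripts share a JS world with the preload script" },
  { key: "sandbox", safe: true, why: "renderer runs outside the Chromium OS sandbox" },
  { key: "webSecurity", safe: true, why: "same-origin policy is disabled for the page" },
];

// Returns a list of findings; an empty list means every key is explicitly safe.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const rule of RULES) {
    const value = prefs[rule.key];
    if (value === undefined) {
      findings.push({ key: rule.key, severity: "warn",
        message: `${rule.key} not set; relying on the Electron default` });
    } else if (value !== rule.safe) {
      findings.push({ key: rule.key, severity: "high",
        message: `${rule.key} is ${value}: ${rule.why}` });
    }
  }
  return findings;
}

// True only when every key is present and set to its safe value.
function isRendererIsolated(prefs) {
  return auditWebPreferences(prefs).length === 0;
}

// Decision function for a `will-navigate` handler: the window may only be
// steered to HTTPS URLs whose origin is on an explicit allow-list.
// Unparsable targets are rejected rather than guessed at.
function allowNavigation(target, allowedOrigins) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  return allowedOrigins.includes(url.origin);
}

// Human-readable report used by the demo below.
function report(name, prefs) {
  const lines = [`${name}: isolated=${isRendererIsolated(prefs)}`];
  for (const f of auditWebPreferences(prefs)) {
    lines.push(`  [${f.severity}] ${f.message}`);
  }
  return lines;
}

console.log(report("weak", WEAK_PREFS).join("\n"));
console.log(report("hardened", HARDENED_PREFS).join("\n"));
console.log(`navigate to https://app.example/preview: ${allowNavigation("https://app.example/preview", ["https://app.example"])}`);
console.log(`navigate to https://other.example/: ${allowNavigation("https://other.example/", ["https://app.example"])}`);
```

The audit treats a missing key as a warning rather than a pass on purpose: a config written for an old Electron that never mentioned `contextIsolation` was running without it, and the same file on a newer Electron silently becomes safe, which is exactly the kind of version-dependent behaviour a reviewer wants surfaced rather than assumed.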

I’d be less hateful of Electron if it simply allowed me to use Mozilla Gecko instead of Chromium as the rendering engine.

I always liked the saying “just because I have the RAM doesn’t mean it’s for you!”

Privacy wise: It uses Chromium, which has been shown to have plenty of phone homes back to Google. Even though it’s open source, even projects specifically intended to “de-Google” it, like the Ungoogled Chromium project, are adamant that they’re never sure that they’ve gotten all of it because it’s so pervasive – and Electron uses the vanilla Chromium code straight from Google.

Other than that, the other, bigger reason is that Electron is extremely inefficient. @dessalines@lemmy.ml mentioned an Electron chat app using 4GB of RAM, and that’s not an exaggeration. You can easily get multi-GB RAM usage on even simple Electron apps. It uses a lot of CPU power too, like when Visual Studio Code used 13% of a CPU just to make the cursor blink.

Basically, almost anything is a better app platform than Electron. A fully native app in a low-level language is obviously the standard for performance, but even if you don’t want to go through the trouble, languages like Java and Kotlin are still way better than Electron. Hell, even other interpreted languages like Python run circles around Electron, see Blender.

Memory corruption vulns are the devil.