• 99 Posts
  • 10 Comments
Joined 4 years ago
Cake day: March 6th, 2021

  • So not what their running debt is but only whether they can take on a new, specific one.

    I knew the criteria were out of the hands of EU-based lenders, but didn’t realise the data is also out of reach to the lender. I suppose it makes sense that the lender would get no info other than a yes or no, if lenders have no discretion.

    I noticed a shop had a ridiculously priced phone (like €800+, something I would never buy) but advertised something like €9 if you take a contract. So it’s effectively a loan factored into a locked-in phone service plan. IIUC, the phone shop must arrange that with a bank and does not have the option of taking on risk, and then the bank asks the central bank if customer X can handle that loan, correct?

    You can reverse payments through the bank in the EU as well but it’s seldom necessary, since the companies tend to revert the charge willingly when confronted by the consumer protection bureaus.

    I’ve only had to resort to bank reversal a couple of times.

    One was when I ordered a pair of shoes from what appeared to be an Italian website. It later turned out it was a scam site that listed popular models that were not made anymore and then sent you a ridiculously poorly made knock-off copy from China. I explained the issue to my bank and showed the knockoffs I got and a week or so later the charge was reversed.

    That’s quite a surprise. I heard SWIFT/IBAN transfers were permanent and irreversible. I heard of mistakes being corrected but it required the two banks to collude and the bank of the recipient to do a money grab on their account, which I suppose would be impossible if a criminal closes their account. I wonder if your bank took a loss or if they colluded with the other bank. IIRC, banks have a minimum “investigation” fee of like €25 plus an hourly rate to pay bankers to deal with bad transactions. Did your bank offer that service for free?


  • Your residential address is not private. Even if you do not vote.

    Of course your residential address is private. It’s sensitive information because it can be used against you in countless ways. Do you mean to say that you personally don’t care if your residential address is published? Anyone who is street-wise treats it as private. Note that this is different from mailing address. Residential address is where you can physically be found… where you sleep at night.

    Your political party is self-reported. I don’t believe the primaries have anything to do with actual government protection and are run by each party. Therefore they can make the rules on who can and cannot vote. As it’s self-reported, you can always lie.

    By “self-reported”, do you mean that registrants are entering it on the voter reg. form themselves? Yes they have a choice whether or not to provide that, but it depends on the state whether it’s a precondition to participation in primaries. (see the earlier discussion below).

    Voting activity is a strange one. I have never gotten those postcards.

    I haven’t either. Just heard about it going on. The bigger issue is that the information to do that is /available publicly/. The postcards aren’t coming from the gov. The fact that people are exploiting the info is expected. The non-voter shaming is a bit eye-opening, but then again so are so many abusive tactics we encounter in the election run-up; you could fill a book with all the ways voters are manipulated and exploited. AI of course supercharges it. Cambridge Analytica is merely the beginning.

    Cloudflare is, well, Cloudflare. Because of how they do their DDoS protection they do have the ability to decrypt traffic, but it’s highly unlikely that they do.

    That’s not true. The ability is used inherently in how they operate. Of course they decrypt the traffic; that’s a precondition to the DDoS protection. How do you think CF offloads the user’s server workload without directly processing payloads? Any packets they don’t decrypt cannot be treated and must be passed through to the customer who cannot afford the bandwidth to handle all the traffic which is why they use CF to begin with.

    To give you a concrete example, you use #lemmyWorld, a Cloudflare instance. Your username and password are revealed to Cloudflare every time you log in, along with all your actions including actions that do not manifest in a public way. Cloudflare inherently sees that all in the clear (to them). Whether they abuse it is guesswork. But it’s obviously not a wise move to choose a centralized CF’d instance when there are non-CF instances to choose from. You compromise privacy and support an anti-net-neutrality tech giant for nothing.

    The option to allow the customer to have their own key is a premium option (non-gratis), which makes it rare, not to mention it defeats the DDoS protection. The use of that is obviously quite niche.

    Anything done along the wire would destroy their reputation.

    If they are caught abusing that data, it may or may not matter considering what they’ve gotten away with so far. One would be a fool to not assume CF is feeding 3 letter orgs just like the other tech giants. Of course they are. There just hasn’t been a specific leak in that regard yet.

    CF’s reputation should be in the shitter because they doxxed a CSAM whistleblower to a CSAM host they were protecting, who then published the identity of the whistleblower so users could retaliate. If that’s not startling enough evidence of Cloudflare’s untrustworthiness, consider as well that the (manchild) CEO said the whistleblower “should have used a fake name” when reporting the CSAM to CF. Effectively, the CEO admitted that CF cannot be trusted with people’s real identities. That should have been a PR nightmare for them but most people don’t give a shit or don’t even know enough to understand it, which enables CF to grow. They’ve taken ~25-30% of all the world’s websites so far and it’s rapidly increasing. Cloudbleed should have been an alarming disaster for them but people shrugged it off and a couple of weeks later it was back to business as usual.

    Find me a PRISM corp whose reputation was destroyed by the Snowden leaks. Microsoft… Google… Facebook… Apple… They are all doing well.

    It is a big issue regarding consolidation of Internet resources into the hands of a few large companies, but just because traffic goes through them doesn’t mean that privacy is violated.

    That’s not how wise infosec works. You do not wait until your data gets exploited before deciding not to do a reckless disclosure. That would be like leaving the keys in your car on the basis that your car has never been stolen. Not to mention Cloudflare has proven to be untrustworthy anyway. Just like Facebook. It doesn’t stop people using them. And the nature of the beast is the admin is putting other unwitting people at risk. Mallory solves her problems by transferring risk onto Alice.

    I’m curious, can you expand on what demographics they block?

    By default, Cloudflare blocks access to the following groups of people:

    • users whose ISP uses CGNAT to distribute a limited range of IPv4 addresses (this generally impacts poor people in impoverished regions)
    • the Tor community
    • VPN users
    • users of public libraries (consequently people who can’t afford a PC and internet subscription), and generally networks where IP addresses are shared
    • privacy enthusiasts who will not disclose ~25% of their web traffic to one single corporation in a country without privacy safeguards
    • blind people who disable images in their browsers (which triggers false positives for robots, as scripts are generally not interested in images either)
    • environmentalists and the permacomputing community and people on limited internet connections, who also disable browser images to reduce bandwidth which consequently makes them appear as bots
    • people who actually run bots – Cloudflare is outspokenly anti-robot and treats beneficial bots the same as malicious bots

    … and that’s just what has been noticed and complained about. It’s likely a bigger list but they are non-transparent. Cloudflare does not publicize who they marginalize. They just say they block the baddies, and then proceed to assume all those they block are baddies in a circular logic fashion. Marketing works wonders on people.


  • It is possible to avoid Cloudflare (the worst offender), proven by instances that are run by more competent experts. For example:

    ^ Those are good instances where users’ traffic is not recklessly exposed to Cloudflare.

    These instances below not only expose their users to Cloudflare, but they’re not even decent enough to inform their own users about it:

    • lemmy.world ← Cloudflare
    • sh.itjust.works ← Cloudflare
    • zerobytes.monster ← Cloudflare
    • lemmy.ca ← Cloudflare
    • lemm.ee ← Cloudflare
    • programming.dev ← Cloudflare
    • lemmy.zip ← Cloudflare

    If you probe admins of the above list, some will say in effect that they regret pawning all their users to CF but claim they have no choice - that they do not know how to defend from attack. Some admins have no regrets and simply do not give a shit. Many admins are actually ignorant to the extent of not even knowing Cloudflare sees the traffic (yes, many times admins were appalled to learn this from me, who to them is just some random pleb). Probably the most despicable aspect of this is that no Cloudflare admin is socially responsible enough to post a banner msg making sure users are informed about their exposure. If they are proud of their choice and feel they have no choice, then why neglect to disclose it (esp. on a non-profit activity)?

    Regardless of their reasons/excuses, it really does not matter to the user. What matters to users is that there are privacy-disrespecting choices and relatively privacy-respecting choices. Obviously street-wise users select from the first list I posted and not the 2nd list.

    Only CFd government sites are unavoidable

    The only Cloudflare sites that are unavoidable AFAICT are government sites. You can always boycott the private sector, but there are 6 or so states in the US where voter registration goes through Cloudflare. Even if you register on paper, the data entry worker likely goes to the Cloudflare site. I became a non-voter for this reason.
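The two technical claims running through these comments are that a reverse proxy doing DDoS filtering must terminate TLS (and therefore handles the logged-in session in plaintext), and that most instances never disclose that they are fronted this way. The following script is an added example, not code from the original post or from any project it names. It lets an admin or a user check their own instance from the two signals that a terminating proxy leaves behind: response headers the proxy itself adds (a `cf-ray` or `cf-cache-status` header on an HTTPS response can only have been written by a party that held the decrypted session, which is exactly the mechanism described above), and whether the hostname resolves into the proxy’s published address ranges. The HTTP responses and addresses below are constructed sample data, and the two address blocks are only an illustrative subset that you should replace with the current list Cloudflare publishes at https://www.cloudflare.com/ips/ (assumption: that page remains the authoritative source).

```python
"""Check whether an HTTPS response passed through a terminating reverse proxy.

Added example (not part of the original post). Two offline signals are used:
  1. response headers that only the proxy would add, and
  2. whether the resolved address falls inside the proxy's address ranges.
Either one means the TLS session ended at the proxy, not at the origin host.
"""
import ipaddress

# ASSUMPTION / placeholder: illustrative subset of Cloudflare address blocks.
# Replace with the full list from https://www.cloudflare.com/ips/ before use.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Response headers that the proxy inserts after decrypting and processing the
# request; an origin server serving TLS directly would never emit them.
PROXY_HEADER_MARKERS = {"cf-ray", "cf-cache-status"}

# Constructed sample responses (not captured from any real instance).
SAMPLE_PROXIED = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=utf-8
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 0000000000000000-XXX
"""

SAMPLE_DIRECT = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Server: nginx
"""


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response head into a dict with lowercase names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def ip_in_proxy_ranges(addr: str) -> bool:
    """True when the resolved address belongs to one of the proxy's blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROXY_RANGES)


def classify(raw_response: str, resolved_ip: str) -> dict:
    """Combine the header and address signals into one verdict.

    `resolved_ip` is the address the instance's hostname resolves to; it is
    passed in so the check runs offline against sample data.
    """
    headers = parse_headers(raw_response)
    header_hits = sorted(h for h in headers if h in PROXY_HEADER_MARKERS)
    server_hit = headers.get("server", "").lower() == "cloudflare"
    ip_hit = ip_in_proxy_ranges(resolved_ip)
    return {
        "tls_terminated_by_proxy": bool(header_hits or server_hit or ip_hit),
        "header_markers": header_hits,
        "server_header": server_hit,
        "ip_in_proxy_range": ip_hit,
    }


if __name__ == "__main__":
    # Constructed addresses: one inside the sample block, one from TEST-NET-3.
    for label, raw, ip in (("proxied", SAMPLE_PROXIED, "104.16.1.1"),
                           ("direct", SAMPLE_DIRECT, "203.0.113.10")):
        print(label, classify(raw, ip))
```

The address check alone can be misleading (a site may publish a proxy address for DNS while still serving some paths elsewhere), which is why the header check is kept alongside it: the headers are evidence that this particular response was handled in plaintext by the proxy. An admin who sees `tls_terminated_by_proxy` come back true for their own login page has the information needed for the disclosure banner the comment above is asking for.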