evenwicht

joined 4 months ago
MODERATOR OF
[–] evenwicht@lemmy.sdf.org 0 points 1 day ago* (last edited 1 day ago)

Yeah I’ll have to deal with it at some point one way or another. I’m sure I will close the account at the first opportunity but it’s impossible to find a non-shitty bank or CU. It’s not something I can do at the drop of a hat. It seems not a single bank or CU targets the market of consumers who have some self-respect and a bit of street wisdom.

Why are you so bothered by your bank sending you an email using extremely common informatics technology,

I don’t give a shit how popular tracker pixels are. It doesn’t justify them being in my comms, so I have a duty to not trigger them and I’m happy to treat pushers of these trackers as adversaries and threat actors. They are being dishonest and sneaky. The honest thing to do is to follow the RFC on return receipts, which is transparent and gives the customer appropriate control over their own disclosures.

especially after you already planned for this and literally aren’t sending them any of the data you’re concerned about?

I use a text mail client for other reasons but incidentally it’s good for avoiding tracker pixels. Actually I have to check on something.. I not 100% that spamassassin does not trigger tracker pixels. SA has some vulns, like the DNS leak vuln. But if SA does not trigger the tracker pixels, then indeed I’m secure enough.

[–] evenwicht@lemmy.sdf.org 2 points 1 day ago* (last edited 1 day ago) (2 children)

I did not think of the marketing angle -- although even then, knowing the times that each individual opens their mail and their location has value for personalized marketing.

We are talking about banks in the case at hand. It’s unclear how many people have not come to the realization that bankers are now doing the job of cops. KYC/AML. In this particular sector, anonymization is unlikely. Banks have no limits on their snooping. They have a blank check and no consequences for overcollection. No restraint. When they get breached, they just sign people up for credit monitoring and any overcollection has the immunity of KYC law.

At best, perhaps a marketing division would choose some canned bulk mailing service which happens to give them low resolution on engagement. But even that’s a stretch because anyone in the marketing business also wants to market their own service as making the most of data collection.

[–] evenwicht@lemmy.sdf.org 3 points 1 day ago (1 children)

No that’s not it. My address is unique to the bank, full headers & path match up with other mail from them, and the means to reach them back correct (yes I examine every character for imposters using od -c).

[–] evenwicht@lemmy.sdf.org 1 points 1 day ago (5 children)

Can you explain why they would want to anonymise the tracker pixels? Doesn’t that defeat the purpose?

 

Got an email from a bank saying my account has been put in a restricted state because they have been unable to reach me. Their emails reach me fine. They rarely send paper mail but when they do I can see that they have the correct address on file.

Then I looked closer at their email, examined the HTML, and found that they insert a tracker pixel in their messages. So if I were to use a graphical mail client with default configs, they would surreptitiously get a signal telling them my IP (thus whereabouts) and time of day every time I open my email from them. I use a text client so the tracker pixels get ignored.

Would a bank conclude from lack of tracker pixels signals that they are not reaching a customer, and then lock down their account?

I’m not going to call them and ask.. fuck them for interrupting my day and making me dance. I don’t lick boots like that. I just wonder if anyone else who does not trigger tracker pixels has encountered this situation.

 

Some email that was sent to me via a burnermail.io account never reached me. The sender got no bounce, so the message just went into a silent black hole. Of course whenever this happens there is no way to know whether the msgs were lost by the forwarding service or the email hosting provider. Hence why I am asking.. would like to see if there is a pattern.

Worth noting that spamgourmet.com is very unreliable. Messages get dropped silently all the time. But until recently I was unaware of any possible issues with burnermail.

 

My current rig:

  • old android phone with GPS disabled
  • external GPS device (NMEA over bluetooth)
  • OSMand from f-droid for offline maps and navigation
  • BlueGPS to connect to the bluetooth GPS device, grab the NMEA signal, and feed it as a mock location
  • developer options » mock locations enabled

The idea is to save on phone battery so I can navigate more than an hour. The phone’s internal GPS is energy intensive because of all the GPS calculations. By offloading the GPS work to an external bluetooth GPS, the phone’s battery can be somewhat devoted to the screen because bluetooth uses much less energy than GPS. And NMEA carries lat/long so the phone need not do the calculations.

Not sure it actually works though.. been waiting for satellites for a while now. Anyway, I would like to know if this config can work on any FOSS platforms, like pmOS. Can OSMand run on pmOS or is there a better option? IIUC, Android apps are a huge CPU hog on pmOS because of emulation.

Ideally I would like to buy something 2nd-hand like a BQ Aquaris X5 and put pmOS on it. I’ll need a quite lean mapping and nav app that runs on pmOS, and also has the ability to use an external GPS.

For the first 15 minutes when satellites are taking forever to appear, I would like to use something like WiGLE WiFi Wardriving which makes use of wifi APs and cell towers the same way Google location does, but without feeding Google. Is there anything like that on pmOS, or any other FOSS phone platform?

Updates

Every mobile FOSS platform listed by the OSM project have been abandoned as far as I can tell. But perhaps OSM is just poorly tracking this because osmin and pure maps apparently both run on Postmarket OS:

There is a network-dependent nav app called Mepo, but that would not interest me.

There is also Organic Maps which comes as a flatpak for aarch64. It requires the whole KDE framework which is fat in terms of size but probably not relying on emulation so it could perform well enough.

 

If you visit: https://12ft.io/$URL_to_pdf.pdf using a GUI browser, the raw PDF binary is dumped to the screen. There is no way to capture this. If you use wget it just gets an HTML wrapper. If you hit F12»inspect»element, you can derive a proper URL to a PDF and use wget on that. E.g.

wget 'https://12ft.io/api/proxy?q=https%3A%2F%2Fmswista.files.wordpress.com%2F2015%2F04%2Ftypesofmemory_updated.pdf'

But the PDF is corrupt. There is no user-side hack here. The service is broken. Apparently the server is doing a character set conversion as if it’s ascii text.

(BTW, that sample URL above works fine without 12ft.io. It’s just an example to demo the 12ft.io problem. Of course when a PDF is walled off and I am forced to use 12ft.io, then I’m hosed)

The admin is only reachable in Twitter and Gmail, nethier of which work for me. The is a Mastodon bot at @thmsmlr@bird.makeup but that’s only good for following him. No way to report it to him AFAIK. Hence why I am posting this here.

 

I would never use the typical kind of shared bike that you can just leave anywhere because AFAIK those are exclusively for Google pawns. But the kind that have stations do not need an app. So I scraped all the bicycle station locations into a db & used an openstreetmaps API to grab the elevation of each station. If the destination station was a higher elevation than the source station, my lazy ass would take the tram. Hey, gimme a break.. these shared bikes are heavy as fuck because they’re made to take abuse from the general public.

It was fun to just cruise these muscle bikes downhill. I was probably a big contributor of high bicycle availability at low elevations and shortages in high places. The bike org then started a policy to give people a bonus credit if they park in a high station to try to incentivize more people going uphill.

[–] evenwicht@lemmy.sdf.org 3 points 1 week ago* (last edited 1 week ago) (1 children)

Yeah I’m with you.. it was more of an attempt at humor. Although if you search around it’s actually common for people to ask how to check if their spouse is on dating sites.. which may be inspired by the whole Ashley Madison databreach.

 

I recall an inspirational story where a woman tried many dating sites and they all lacked the filters and features she needed to find the right guy. So she wrote a scraper bot to harvest profiles and wrote software that narrowed down the selection and propose a candidate. She ended up marrying him.

It’s a great story. I have no link ATM, and search came up dry but I found this story:

https://www.ted.com/talks/amy_webb_how_i_hacked_online_dating/transcript?subtitle=en

I can’t watch videos right now. It could even be the right story but I can’t verify.

I wonder if she made a version 2.0 which would periodically scrape new profiles and check whether her husband re-appears on a dating site, which could then alert her about the anomaly.

Anyway, the point in this new community is to showcase beneficial bots and demonstrate that there is a need to get people off the flawed idea that all bots are malicious. We need more advocacy for beneficial bots.

[–] evenwicht@lemmy.sdf.org 2 points 1 week ago* (last edited 1 week ago)

Does pdfinfo give any indication of the application used to create the document?

Oracle Documaker PDF Driver
PDF version: 1.3

If it chokes on the Java bit up front, can you extract just the PDF from the file and look at that?

Not sure how to do that but I did just try pdfimages -all which was not useful since it’s a vector PDF. pdfdetach -list shows 0 attachments. It just occurred to me that pdftocairo could be useful as far as a CLI way to neuter the doc and make it useable, but that’s a kind of a lossy meat-grinder option that doesn’t help with analysis.

You might also dig through the PDF a bit using Dider Stevens 's Tools,

Thanks for the tip. I might have to look into that. No readme.. I guess this is a /use the source, Luke/ scenario. (edit: found this).

I appreciate all the tips. I might be tempted to dig into some of those options.

[–] evenwicht@lemmy.sdf.org 3 points 1 week ago* (last edited 1 week ago)

Your assertion that the document is malicious without any evidence is what I’m concerned about.

I did not assert malice. I asked questions. I’m open to evidence proving or disproving malice.

At some point you have to decide to trust someone. The comment above gave you reason to trust that the document was in a standard, non-malicious format. But you outright rejected their advice in a hostile tone. You base your hostility on a youtube video.

There was too much uncertainty there to inspire trust. Getoffmylan had no idea why the data was organised as serialised java.

You should read the essay “on trusting trust” and then make a decision on whether you are going to participate in digital society or live under a bridge with a tinfoil hat.

I’ll need a more direct reference because that phrase gives copious references. Do you mean this study? Judging from the abstract:

To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.

I seem to have received software pretending to be a document. Trust would naturally not be a sensible reaction to that. In the infosec discipline we would be incompetent fools to loosely trust whatever comes at us. We make it a point to avoid trust and when trust cannot be avoided we seek justfiication for trust. We have a zero-trust principle. We also have the rule of leaste privilige which means not to extend trust/permissions where it’s not necessary for the mission. Why would I trust a PDF when I can take steps to access the PDF in a way that does not need excessive trust?

The masses (security naive folks) operate in the reverse-- they trust by default and look for reasons to distrust. That’s not wise.

In Canada, and elsewhere, insurance companies know everything about you before you even apply, and it’s likely true elsewhere too.

When you move, how do they find out if you don’t tell them? Tracking would be one way.

Privacy is about control. When you call it paranoia, the concept of agency has escaped you. If you have privacy, you can choose what you disclose. What would be good rationale for giving up control?

Even if they don’t have personally identifiable information, you’ll be in a data bucket with your neighbours, with risk profiles based on neighbourhood, items being insuring, claim rates for people with similar profiles, etc. Very likely every interaction you have with them has been going into a LLM even prior to the advent of ChatGPT, and they will have scored those interactions against a model.

If we assume that’s true, what do you gain by giving them more solid data to reinforce surreptitious snooping? You can’t control everything but It’s not in your interest to sacrifice control for nothing.

But what you will end up doing instead is triggering fraudulent behaviour flags. There’s something called “address fraud”, where people go out of their way to disguise their location, because some lower risk address has better rates or whatever.

Indeed for some types of insurance policies the insurer has a legitimate need to know where you reside. But that’s the insurer’s problem. This does not rationalize a consumer who recklessly feeds surreptitious surveillance. Street wise consumers protect themselves of surveillance. Of course they can (and should) disclose their new address if they move via proper channels.

Why? Because someone might take a vacation somewhere and interact from another state. How long is a vacation? It’s for the consumer to declare where they intend to live, e.g. via “declaration of domicile”. Insurance companies will harrass people if their intel has an inconsistency. Where is that trust you were talking about? There is no reciprocity here.

When you do everything you can to scrub your location, this itself is a signal that you are operating as a highly paranoid individual and that might put you in a bucket.

Sure, you could end up in that bucket if you are in a strong minority of street wise consumers. If the insurer wants to waste their time chasing false positives, the time waste is on them. I would rather laugh at that than join the street unwise club that makes the street wise consumers stand out more.

[–] evenwicht@lemmy.sdf.org 3 points 1 week ago

It’s interesting to note that some research “discovered thousands of vulnerabilities in 693 banking apps, which indicates these apps are not as secure as we expected.”

[–] evenwicht@lemmy.sdf.org 6 points 1 week ago* (last edited 1 week ago) (3 children)

Don’t Canadian insurance companies want to know where their customers are? Or are the Canadian privacy safeguards good on this?

In the US, Europe (despite the GDPR), and other places, banks and insurance companies snoop on their customers to track their whereabouts as a normal common way of doing business. They insert surreptitious tracker pixels in email to not only track the fact that you read their msg but also when you read the msg and your IP (which gives whereabouts). If they suspect you are not where they expect you to be, they take action. They modify your policy. It’s perfectly legal in the US to use sneaky underhanded tracking techniques rather than the transparent mechanism described in RFC 2298. If your suppliers are using RFC 2298 and not involuntary tracking mechanisms, lucky you.

[–] evenwicht@lemmy.sdf.org 14 points 1 week ago* (last edited 1 week ago) (6 children)

You’re kind of freaking out about nothing.

I highly recommend Youtube video l6eaiBIQH8k, if you can track it down. You seem to have no general idea about PDF security problems.

And I’m not sure why an application would output a pdf this way. But there’s nothing harmful going on.

If you can’t explain it, then you don’t understand it. Thus you don’t have answers.

It’s a bad practice to just open a PDF you did not produce without safeguards. Shame on me for doing it.. I got sloppy but it won’t happen again.

 

cross-posted from: https://lemmy.sdf.org/post/24645301

They emailed me a PDF. It opened fine with evince and looked like a simple doc at first. Then I clicked on a field in the form. Strangely, instead of simply populating the field with my text, a PDF note window popped up so my text entry went into a PDF note, which many viewers present as a sticky note icon.

If I were to fax this PDF, the PDF comments would just get lost. So to fill out the form I fed it to LaTeX and used the overpic pkg to write text wherever I choose. LaTeX rejected the file.. could not handle this PDF. Then I used the file command to see what I am dealing with:

$ file signature_page.pdf
signature_page.pdf: Java serialization data, version 5

WTF is that? I know PDF supports JavaScript (shitty indeed). Is that what this is? “Java” is not JavaScript, so I’m baffled. Why is java in a PDF? (edit: explainer on java serialization, and some analysis)

My workaround was to use evince to print the PDF to PDF (using a PDF-building printer driver or whatever evince uses), then feed that into LaTeX. That worked.

My question is, how common is this? Is it going to become a mechanism to embed a tracking pixel like corporate assholes do with HTML email?

I probably need to change my habits. I know PDF docs can serve as carriers of copious malware anyway. Some people go to the extreme of creating a one-time use virtual machine with PDF viewer which then prints a PDF to a PDF before destroying the VM which is assumed to be compromised.

My temptation is to take a less tedious approach. E.g. something like:

$ firejail --net=none evince untrusted.pdf

I should be able to improve on that by doing something non-interactive. My first guess:

$ firejail --net=none gs -sDEVICE=pdfwrite -q -dFIXEDMEDIA -dSCALE=1 -o is_this_output_safe.pdf -- /usr/share/ghostscript/*/lib/viewpbm.ps untrusted_input.pdf

output:

Error: /invalidfileaccess in --file--
Operand stack:
   (untrusted_input.pdf)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1990   1   3   %oparray_pop   1989   1   3   %oparray_pop   1977   1   3   %oparray_pop   1833   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--
Dictionary stack:
   --dict:769/1123(ro)(G)--   --dict:0/20(G)--   --dict:87/200(L)--   --dict:0/20(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 10479
GPL Ghostscript 10.00.0: Unrecoverable error, exit code 1

What’s my problem? Better ideas? I would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.

(note: I also wonder what happens when Firefox opens this PDF considering Mozilla is happy to blindly execute whatever code it receives no matter the context.)

 

They emailed me a PDF. It opened fine with evince and looked like a simple doc at first. Then I clicked on a field in the form. Strangely, instead of simply populating the field with my text, a PDF note window popped up so my text entry went into a PDF note, which many viewers present as a sticky note icon.

If I were to fax this PDF, the PDF comments would just get lost. So to fill out the form I fed it to LaTeX and used the overpic pkg to write text wherever I choose. LaTeX rejected the file.. could not handle this PDF. Then I used the file command to see what I am dealing with:

$ file signature_page.pdf
signature_page.pdf: Java serialization data, version 5

WTF is that? I know PDF supports JavaScript (shitty indeed). Is that what this is? “Java” is not JavaScript, so I’m baffled. Why is java in a PDF? (edit: explainer on java serialization, and some analysis)

My workaround was to use evince to print the PDF to PDF (using a PDF-building printer driver or whatever evince uses), then feed that into LaTeX. That worked.

My question is, how common is this? Is it going to become a mechanism to embed a tracking pixel like corporate assholes do with HTML email?

I probably need to change my habits. I know PDF docs can serve as carriers of copious malware anyway. Some people go to the extreme of creating a one-time use virtual machine with PDF viewer which then prints a PDF to a PDF before destroying the VM which is assumed to be compromised.

My temptation is to take a less tedious approach. E.g. something like:

$ firejail --net=none evince untrusted.pdf

I should be able to improve on that by doing something non-interactive. My first guess:

$ firejail --net=none gs -sDEVICE=pdfwrite -q -dFIXEDMEDIA -dSCALE=1 -o is_this_output_safe.pdf -- /usr/share/ghostscript/*/lib/viewpbm.ps untrusted_input.pdf

output:

Error: /invalidfileaccess in --file--
Operand stack:
   (untrusted_input.pdf)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1990   1   3   %oparray_pop   1989   1   3   %oparray_pop   1977   1   3   %oparray_pop   1833   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--
Dictionary stack:
   --dict:769/1123(ro)(G)--   --dict:0/20(G)--   --dict:87/200(L)--   --dict:0/20(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 10479
GPL Ghostscript 10.00.0: Unrecoverable error, exit code 1

What’s my problem? Better ideas? I would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.

(note: I also wonder what happens when Firefox opens this PDF, because Mozilla is happy to blindly execute whatever code it receives no matter the context.)

[–] evenwicht@lemmy.sdf.org 4 points 1 week ago

Not sure if this is relevant, but service manuals for cars older than 2014 can be found here: charm.li (no cost and enshification-free).

[–] evenwicht@lemmy.sdf.org 1 points 1 week ago

Also worth noting Brother uses that trick where empty cartridges are detected by a laser which is exactly not positioned as low on the cartridge as it could be, forcing people to toss not-so-empty cartridges.

BTW, regarding the trackers dots I’ll drop a link here for anyone who wants to verify Brother’s role in it:

https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots

 

So here’s a repugnant move by right-wing assholes. Taxans: you can counter that shit. If a hospital asks you whether you are in the country legally, instead of saying “yes” the right answer is “I decline to answer”. Don’t give the dicks their stats.

-3
submitted 2 weeks ago* (last edited 2 weeks ago) by evenwicht@lemmy.sdf.org to c/Finance@lemmy.sdf.org
 

According to BBC World News, the stocks in the US that are expected to do well under Trump are surging. I think those stocks are surely over-valued. Their value will be corrected after Trump loses.

~~In the US it’s illegal to bet on elections~~(see update), but betting on the stock market is fair game. I would love it if the some short-sellers would exploit this situation.

(update) It’s now legal to bet on elections in the US, as of a few weeks ago

 

I’ve noticed this problem on infosec.pub as well. If I edit a post and submit, the form is accepted but then the edits are simply scrapped. When I re-review my msg, the edits did not stick. This is a very old Lemmy bug I think going back over a year, but it’s bizarre how it’s non-reproducable. Some instances never have this problem but sdf and infosec trigger this bug unpredictably.

0.19.3 is currently the best Lemmy version but it still has this bug (just as 0.19.5 does). A good remedy would be to install an alternative front end, like alexandrite.

 

Political parties around the world have flocked to nationbuilder.com for some reason. This tor-hostile Cloudflare site is blocking Tor users from accessing election info. This kind of sloppy lazy web administration is common.

But what’s a bit disturbing is that when I contact a political party to say I cannot reach their page because of the nationbuilder block page, they sound surprised, like it’s the first time they are hearing about web problems. So Tor users are lazy too. That’s the problem.

view more: next ›