The only problem being that 90% of webpages fail to load properly without JS, not to mention the ones that depend on features that aren’t available with LW enhanced protection enabled. Each page I visit, I have to create exceptions or they sit there blank.
Musician, mechanic, writer, dreamer, techy, green thumb, emigrant, BP2, ADHD, Father, weirdo
https://www.battleforlibraries.com/
#DigitalRightsForLibraries
- 5 Posts
- 106 Comments
s38b35M5@lemmy.world to Privacy@lemmy.ml • Apple pulled end-to-end encrypted backups in the UK after request for backdoor · English · 7 · 2 months ago
I agree that I was confused at first, until I remembered that any of the coalition countries (7 eyes?) has access to anything secret, they share with others that don’t.
s38b35M5@lemmy.world to Privacy@lemmy.ml • looking for android application that alerts when microphone is active · English · 1 · 4 months ago
Going to check out rethink now, Thx for the name drop!
s38b35M5@lemmy.world to Privacy@lemmy.ml • Databroker Files: New data set reveals 40,000 apps behind location tracking · English · 10 · 4 months ago
We see it over and over. When consequences for malfeasance are barely noticeable compared to profits, there is no incentive to comply with laws. Just pay the tiny fine if our lawyers don’t exhaust them first.
I never told anyone else the URL so no one will find it.
Who wants to tell them about DNS records and web crawlers?
My past employers have said the same, until I showed them they were already using apache, nginx, postgresql, MariaDB, and OpenWRT among other things.
A lot of shops think that using proprietary tools means they can demand fixes for critical vulnerabilities, but in my experience, even proprietary dev teams just reply that the code maintainers are aware and working on a fix.
Apache vuln? Here’s the link to their acknowledgment of that CVE and exactly what modules are affected.
That may show that the flaw is in an unused module, like node.js, but even when it is applicable, they just wait for the code maintainers to address it. They take no responsibility themselves.
s38b35M5@lemmy.world to Privacy@lemmy.ml • Proton CEO embraces Trump for "standing up for the little guys" · English · 28 · 4 months ago
that’s why I opened with “I wouldn’t call it writing on the wall.”
Damn; you’re right. My bad. I somehow missed your opener saying exactly the opposite of what you were saying.
Everything you said is true and verifiable, and worth considering when you decide which service to use. It’s a lot of reasons to favor the .onion/tor version of their service to limit what they have access to depending on your privacy stance.
s38b35M5@lemmy.world to Privacy@lemmy.ml • looking for android application that alerts when microphone is active · English · 1 · 4 months ago
In combination with tracker control, you can see who they connect to and block piecemeal, or simply block their connection completely (you don’t need an app for that, though).
s38b35M5@lemmy.world to Privacy@lemmy.ml • Proton CEO embraces Trump for "standing up for the little guys" · English · 632 · 4 months ago
These are useful data for making decisions about using their service, but not exactly indicative of support for a right wing authoritarian leader who lies more in one day than he has hairs on his entire body.
Edit: typo
s38b35M5@lemmy.world to Privacy@lemmy.ml • Databroker Files: New data set reveals 40,000 apps behind location tracking · English · 12 · 4 months ago
A new data set obtained from a US data broker reveals for the first time about 40,000 apps from which users’ data is being traded. The data set was obtained by a journalist from netzpolitik.org as a free preview sample for a paid subscription. It is dated to a single day in the summer of 2024.
Among other things, the data set contains 47 million “Mobile Advertising IDs”, to which 380 million location data from 137 countries are assigned. In addition, the data set contains information on devices, operating systems and telecommunication providers.
This investigation is part of an international cooperation by the following media: Bayerischer Rundfunk/ARD (Germany), BNR Nieuwsradio (Netherlands), Dagens Nyheter (Sweden), Le Monde (France), netzpolitik.org (Germany), NRK (Norway), SRF/RTS (Switzerland) and WIRED (USA).
Overview of our findings
- The approximately 40,000 apps in the new dataset cover a wide range of categories, from gaming, dating and shopping to news and education. They include some of the most popular apps worldwide, with millions of downloads in some cases.
- For a smaller number of apps, the data set contains alarmingly precise location data. This data can help to identify a person’s place of residence. These apps include the queer dating app Hornet with more than 35 million users; the messaging app Kik with more than 100 million downloads in the Google Play Store alone; Germany’s most popular weather app Wetter Online, which also has more than 100 million downloads in the Google Play Store; and the flight tracking app Flightradar24 with more than 50 million downloads in the Google Play Store; the app of German news site Focus Online and classifieds apps for German users (Kleinanzeigen) and French users (leboncoin).
- For a bigger number of apps, less precise locations which appear to have been derived from IP addresses can be found in the data set. This list includes popular apps such as Candy Crush, Grindr, Vinted, Happy Color, dating apps Lovoo and Jaumo, news aggregator Upday, German email apps gmx.de and web.de as well as the popular Dutch weather app Buienalarm.
- Since the sample only covers one day, it is difficult to identify people based on their locations from this data set alone. However, in combination with other data sets from the advertising industry, which the research team obtained from data brokers, it’s possible to identify and track people on a large scale. The location data might for example provide clues to their home and work addresses.
- Thus, the team was able to identify users of Wetter Online in Germany and Kik in Norway. The individuals confirmed that the data must belong to their devices and their use of the respective apps.
- Location data aside, the mere information about who uses which apps can already be dangerous. For example the data set includes numerous Muslim and Christian prayer apps, health apps (blood pressure, menstruation trackers) and queer dating apps, which hint at special categories of personal data under GDPR.
Where did the data set come from?
The research team obtained the data set from US data broker Datastream Group, which now uses the name Datasys. The company did not respond to multiple requests for comment.
Contact with the data broker was established through Berlin-based data marketplace Datarade. The company states in response to inquiries that it does not host any data itself. According to a spokesperson, “Data providers use Datarade to publish profiles and listings, enabling users to contact them directly”. Datarade “requires data providers to obtain valid consent in case they’re processing personal data and to aggregate or anonymize data in case they’re processing sensitive personal data”.
Where does the data originate?
According to our analysis, the data originates from Real Time Bidding (RTB), which is a process in the online advertising ecosystem. These are auctions in which advertising inventory of apps and websites is sold. In the process, apps and websites send data about their users to hundreds or thousands of companies. These data contain the information that we can see in our dataset. There have already been multiple warnings that advertising companies are collecting the data from RTB in order to sell it – often without the knowledge or explicit consent of the users or their apps.
What the apps say
None of the apps we confronted so far states they had business relations with Datastream Group / Datasys. The apps Hornet and Vinted, for example, wrote that they cannot explain how their users’ data ended up with data brokers. Queer dating app Hornet emphasizes that it does not share actual location data with third parties and announces an investigation. Other companies such as Kik, Wetter Online, Kleinanzeigen, Flightradar, Grindr and King, the company behind the game Candy Crush, did not respond to press inquiries.
s38b35M5@lemmy.world to Privacy@lemmy.ml • Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data · English · 23 · 4 months ago
Do it! Make the sources and buyers public!
s38b35M5@lemmy.world to Privacy@lemmy.ml • Is there any good private messenger at all? · English · 1715 · 7 months ago
You can make your own decisions, but if you just grab any random arguments, you’ll find a reason to doubt everything.
Agreed. Especially if your source is Dessalines. 🙄
s38b35M5@lemmy.world to Privacy@lemmy.ml • CSAM Regulation Update: Dutch Intelligence agency weighs in · English · 32 · 7 months ago
Important excerpt:
“Introducing a scanning application on every mobile phone, with its associated infrastructure and management solutions, leads to an extensive and very complex system. Such a complex system grants access to a large number of mobile devices & the personal data thereon. The resulting situation is regarded by AIVD as too large a risk for our digital resilience. (…) Applying detection orders to providers of end-to-end encrypted communications entails too large a security risk for our digital resilience”.
s38b35M5@lemmy.world to Privacy@lemmy.ml • Very simple way to improve your privacy and security massively. · English · 4 · 9 months ago
I agree that most websites don’t load without JavaScript, but you don’t need seven or more different domains with java allowed for the main site to work. Most sites have their own, plus six google domains, including tag manager, Facebook, etc. I whitelist the website and leave the analytics and tracking domains off.
Who would of guessed
…would have guessed. You may be thinking of the sound of the contraction, “would’ve,” a joining of would and have that sounds similar to “would of.”
s38b35M5@lemmy.world to Privacy@lemmy.ml • Decided to start paying predominantly cash again · English · 91 · 9 months ago
I’m not a cash-only convert, but I have some anecdotal evidence for you.
I’ve visited Boston five times in the past thirty years. Every single time I used my debit card at Thanuel Hall for food, my card was later used for fraud. Always caught and never a big inconvenience beyond replacing my card, but still not ideal. I only ever use cash there now.
Online shopping, before the Amazon monopoly on e-commerce, my card would get compromised every few months.
Now I use privacy.com for all transactions that allow it, and it’s amazing how often those cards are stolen. Thanks to the way the service works, the stolen cards are useless to scammers or thieves, but my declined transaction filter has a few charges declined each month.
My point being that if you want to avoid fraud, and you can do it, cash is king.
s38b35M5@lemmy.world to Privacy@lemmy.ml • For those who want to use Firefox with added security and privacy there is Arkenfox · English · 15 · 10 months ago
Librewolf supports Mozilla sync
s38b35M5@lemmy.world to Privacy@lemmy.ml • Privacy concerns with DHCP (DHCP fingerprinting) · English · 1 · 10 months ago
Okay, I do recall that our software had a feature that could classify on “DHCP requested options”, but it was low-fidelity, unreliable. Ultimately, the software works best with known devices, and isn’t very good at reliably classing unknowns.
As you say, just the first few seconds of actual traffic from a device is so rich in terms of ID characteristics compared to DHCP.
s38b35M5@lemmy.world to Privacy@lemmy.ml • Privacy concerns with DHCP (DHCP fingerprinting) · English · 4 · 10 months ago
I used to provide commercial end-user support for a network intelligence product that used as much metadata as possible to help classify endpoints, shuffling them off to the right captive portals for the right segment based on that data.
I can tell you that the things you’re saying are transmitted in a DHCP request/offer are just not. If they were, my job would’ve been a LOT easier. The only information you can count on is a MAC address.
I can’t view that link you shared, but I’ve viewed my share of packet captures diagnosing misidentified endpoints. Not only does a DHCP request/offer not include other metadata, it can’t. There’s no place for OS metrics. Clients just ask for any address, or ask to renew one they think they can use. That only requires a MAC and an IP address.
I suppose DHCP option flags could maybe lead to some kind of data gathering, but that’s usually sent by the server, not the client.
I think, at the end of the day, fighting so that random actors can’t find out who manufactured my WiFi radio just isn’t up there on my list of “worth its” to worry about.
https://archive.is/20250422041720/https://www.ft.com/content/95851035-ab6d-4fca-9121-b4665da1f72e