* Posts by JohnFen

5648 publicly visible posts • joined 20 Feb 2015

Why are fervid Googlers making ad-blocker-breaking changes to Chrome? Because they created a monster – and are fighting to secure it

JohnFen

Re: The title is no longer required.

VMs are not bulletproof, and that approach doesn't do a lot to prevent tracking.

JohnFen

Re: The title is no longer required.

And don't forget 7) Never buy anything with a debit or credit card, and never use "loyalty" cards.

JohnFen

Re: Simply my ass

"What is your "simple" method going to do when they use IP addresses instead of hostnames to reference the ads"

That would actually make things a lot easier, because you could just configure your router to refuse to send traffic to those IP addresses.

JohnFen

Re: What we need

I'm currently using Waterfox with NoScript, so I'm with you there, but I wonder if these are long-term solutions. I'm already avoiding upgrading Waterfox because the new release includes changes that introduce compatibility issues with some old extensions.

JohnFen

Re: The title is no longer required.

I really, really wish it were that simple.

JohnFen

Re: Or, simply...

"move ad-blocking outside the browser to the DNS level."

There is quite a lot that must be done inside the browser, though, such as script blocking.

JohnFen

What we need

I think what we need is two sorts of browser. A dumbed-down one (the direction that both Chrome and Firefox are taking their offerings) that protects careless or clueless users, and a browser for those of us who want actual power.

Also, I can't help but wonder when OS makers are going to decide that applications have to be neutered because they have enough power to be abused as well.

Nope, we're stuffed, shrieks Apple channel as iPhone shipments enter a double-digit spiral

JohnFen

Re: Have you seen how much a Ferrari costs?

"If you genuinely could afford a Ferrari, there's no way way you would be buying a Ford."

I personally know two people who could easily afford multiple Ferraris, but they actually own more practical cars. Wealthy people, like people who aren't so wealthy, come in all sorts of flavors and have all sorts of different attitudes.

For instance, there are plenty of wealthy people who recognize that being wealthy doesn't make you inherently superior to people who aren't as fortunate, so they don't look down on them and call them "peasants".

JohnFen

Re: SE no longer supported end of 2019

I run a custom ROM that omits all Google services, and I also run a firewall on it to ensure that nothing communicates out without me expressly allowing it. I backstop the on-phone firewall by using a VPN that I run out of my home, so all of my internet communications also go through the firewall (and other defenses) I have there.

JohnFen

Re: Have you seen how much a Ferrari costs?

"It's a bit like moaning about the price Ferrari charges for one of their cars and then commenting that their [Ford/Toyota/Fiat/VW/etc] meets all their needs much better and at a much lower cost."

I don't moan about the price of a Ferrari. However, I do question the judgement of people who are willing to buy one.

JohnFen

Re: SE no longer supported end of 2019

"the Google store still apply its own updates for software such as the store, browser, etc."

Not on my phone.

ALIS through the looking glass: F-35 fighter jet's slurpware nearly made buyers pull out – report

JohnFen

"the issue isn't the slurping, but who does the slurping."

If that accurately reflects the attitude, then something is extremely wrong. The issue should be the slurping, regardless of who does it.

JohnFen

"The US doesn't seek to restrict Huawei because of what they may do, but due to who is going to be doing it."

Although I think that's a bit of a distinction without a difference, it would be understandable if other nations start restricting the use of US technology based on the exact same reasoning.

Hongmeng, there's no need to feel down: It's patently obvious this is Huawei's homegrown OS

JohnFen

Re: "hybrid Android"

"That is difficult enough that most users won't know how"

It is exactly as difficult as installing any other Android application.

JohnFen

Re: "hybrid Android"

"the ban on someone using Google's services while using any non-Google build would be proof enough."

There is no such ban as far as I'm aware. Google's services aren't open source and can't be distributed with non-Google builds due to licensing issues, but you can download the packages and install them yourself on non-Google builds and they'll work just fine.

Anyone else find it weird that the bloke tasked with probing tech giants for antitrust abuses used to, um, work for the same tech giants?

JohnFen

Re: Cooler heads called for

"I think it is customary to take into consideration whether or not there actually is a conflict of interest."

No, the customary (and required) line is if there is an appearance of a conflict of interest. Whether there actually is or not isn't the important bit.

This is because it's important to the public to be able to have some measure of trust.

JohnFen

The fix is in

It will be interesting to see if he recuses himself. I doubt he will, although he clearly and obviously should.

JohnFen

Re: Anyone surprised?

I agree that this sort of thing is bipartisan, and predates the Trump administration by a lot of decades. The fact that a corrupt practice has a long history behind it, though, in no way means that we should accept it.

Google: We're not killing ad blockers. Translation: We made them too powerful, we'll cram this genie back in its bottle

JohnFen

Re: Executives are allowed to ignore anything they want because they deserve it.

The problem DoH presents is that it means that no software has to use your system's resolver to do it. A program or script can do lookups using any DoH resolver it wishes, regardless of how you've set your system up, and because the lookup uses HTTPS, you won't even be able to detect that your resolver is being bypassed, let alone prevent it. That's why a MITM proxy is the only way to protect yourself against it.

JohnFen

Re: Executives are allowed to ignore anything they want because they deserve it.

"Unfortunately it puts the Raspberry Pi, which is a device relying heavily on closed source firmware and software, in a position to spy on and modify all traffic leaving and entering your network."

I don't use Pi-hole, and I wasn't suggesting that this be used in conjunction with Pi-hole. If you've installed a proxy to MITM HTTPS connections, then the proxy itself can do what Pi-hole does. Or, you can set it up like I did -- have the proxy do the lookup using your normal resolver (even through a Pi-hole) that doesn't have access to the decrypted datastream.

That said, you don't have to actually use a Raspberry Pi to run Pi-hole. You can do it entirely with OSS software and platforms.

JohnFen

Re: Executives are allowed to ignore anything they want because they deserve it.

"How does it cope with hardcoded DoH addresses"

It doesn't, that's why it's an incomplete solution. But, in practice and if you're using Firefox (where you can specify what DoH server it will use), it will cover the majority of lookups. But that only covers the web, and only for lookups made by Firefox itself. It wouldn't cover hardcoded lookups by client-side scripts, for instance.

"And MITMing SSL is almost always a really REALLY bad idea!"

Yeah, I did that reluctantly. I put a lot of thought into it, balancing the pros and cons for my situation, and doing that was the least-bad alternative that I saw. If anyone can come up with a better solution, I'm extremely eager to hear it. I'd love to be able to remove the MITM.

I don't think I'll ever really forgive Mozilla for its energetic support of DoH.

JohnFen

Re: Executives are allowed to ignore anything they want because they deserve it.

"but DNS over HTTP basically breaks this by design"

This is true, but it's not an insurmountable problem.

The easiest (but incomplete) solution is what Pi-Hole has already done: include a DoH server, so it's the one doing DNS lookups.

The complete solution, really only possible for people who are into this sort of thing right now (but could be made into a normal-person-friendly product) is what I've done: install a proxy that acts as a man-in-the-middle for all HTTPS traffic and drops undesirable DoH requests.

JohnFen

Re: Executives are allowed to ignore anything they want because they deserve it.

What makes the "crosswalk" thing even worse for American pedants is that, legally, in most states the corners of every city block are a "crosswalk", whether they're marked as such or not.

JohnFen

I don't believe them

I don't believe them. I mean, yes, I think they value an increase in safety and performance, but it seems clear to me that those aren't the primary reasons for this change. If they were, then Google's response to the complaints would have been very different (and, as the article mentions, they would have been talking with extension developers about this from day 1).

Germany and South Korea go nuts for 5G while Blighty subsists on test bed crumbs

JohnFen

True, my bad. I was referring to the GHz band, as that is where any speed increases would come from. The buildings that block 4G, however, will still likely block the MHz 5G band to the same degree.

JohnFen

"A lot are very good at blocking 4G signal's."

If they're very good at blocking 4G frequencies, they'll be fantastic at blocking 5G frequencies.

This Free software ain't free to make, pal, it's expensive: Mozilla to bankroll Firefox with paid-for premium extras

JohnFen

Re: Firefox's global market share dwindles ...

"Extensions made it hard for Mozilla to improve FF"

In the list of reasons, this is the only one that makes any real sense and/or has any real importance. That's why I said that the article is essentially saying "we had to kill the old extensions because it was the easiest thing to do."

JohnFen

Re: Firefox's global market share dwindles ...

I think I did, too. I often find myself not unserious enough. Sorry!

JohnFen

"too frequent updates"

No kidding. Unfortunately, frequent updates are the latest fad industry-wide, so it's hard to single Mozilla out specifically for that nonsense. But it is terrible.

JohnFen

Re: Firefox's global market share dwindles ...

"100% of our devs use Chrome exclusively"

This isn't true where I work. I'd say about 2/3rds of the devs use a Chromium-based browser (none of them use Chrome proper), and the rest use some version of Firefox or a Firefox fork -- although I don't think I've seen any using a version later than 56.

JohnFen

Re: Firefox's global market share dwindles ...

"But, basically, the move away from plugins to native has given the biggest boost to stability."

Interesting. I've never had stability issues with the old Firefox, though, so I naturally haven't seen any stability improvement with the new.

JohnFen

Re: Firefox's global market share dwindles ...

"Sometimes you have to admit that an idea wasn't that great."

That "not great" idea was the single thing that made Firefox exceptional, though.

JohnFen

Re: Firefox's global market share dwindles ...

No, I don't consider people who have opinions that differ from mine to be idiots.

JohnFen

Re: Firefox's global market share dwindles ...

"If you preferred the Firefox UI you were using Firefox."

I actually didn't like the Firefox UI -- but until the extension change, it was possible to use CTR to fix all the things that I hated, and so the UI wasn't a big issue. Now, that is no longer possible.

JohnFen

Re: Firefox's global market share dwindles ...

"How long do you think they should wait?"

I think they should wait until the new system is an adequate replacement for the old, which it still isn't.

JohnFen

Re: silence

I think that the PulseAudio requirement was the very problem he was talking about.

JohnFen

Re: False sense of security

"download the encrypted files and decrypt them on YOUR computer ?"

Yes, that's what "end to end encryption" means. It doesn't mean you necessarily have to do it manually, though. Applications that implement end-to-end encryption do this for you.

"if you use proprietary software provided by the cloud vendor, same, YOU ARE HAPPY TO SEND YOUR ENCRYPTION KEYS TO A THIRD PARTY."

Why would you use proprietary software provided by the cloud vendor? In any case, even if you do, it doesn't automatically mean you're sending your keys to a third party.

JohnFen

Re: It's tragic really

"I never found Chrome particularly intuitive."

Yes. Even if I had no trust issues with Google, I'd avoid Chrome just because I really, really hate the UI.

JohnFen

Re: Firefox's global market share dwindles ...

"Mozilla's developers need to stop worrying about injecting additional "features" and focus more on bugs and polish."

If Firefox didn't cripple the capabilities of extensions, they wouldn't have to worry about most of those features at all because they could be done with extensions (which is the proper place for most of the new features anyway), by non-Mozilla developers.

JohnFen

Re: OSS isn't Free Software

"If "the boss" is telling you to do something on or with a computer, it's one that your employer owns, and is used solely for that employer's business"

This.

My employer requires all sorts of things that I would never allow on my personal machines. That's fine -- my employer's machines aren't mine, and never interact with mine, so they can require whatever they wish.

JohnFen

Re: Can I pay for less?

Here you go: https://support.mozilla.org/en-US/kb/disable-or-re-enable-pocket-for-firefox

JohnFen

Re: Firefox's global market share dwindles ...

"here is an idiot's guide to why they broke them."

That "guide" is essentially a long-winded way of saying "we had to do it because it was the easiest thing for us to do."

RAMBleed picks up Rowhammer, smashes DRAM until it leaks apps' crypto-keys, passwords, other secrets

JohnFen

Re: We can't do that...

"It's the only place where you have to run untrustable code from untrusted sources."

But you don't have to do that, even though most people do.

Have I Been S0ld? Troy Hunt's security website is up for acquisition

JohnFen

Re: I tip my hat

Or he's ignoring it because it's a personal attack and a straw man? Whether or not he has ever done anything of note is irrelevant to whether or not his criticisms are valid (just to be clear, I don't agree with him myself).

JohnFen

Re: Possible Owners

If it's Cloudflare, then I'd stop using the service. Mozilla would be a decent fit, though.

JohnFen

Re: There is no 'HIBP team', there's one guy keeping the whole thing afloat.

"No matter how optimistic, or resilient you are, this ratio just steady erodes your faith in, well, human nature in general."

This isn't a universal truth. I run a couple of services alone and for free and have done so for at least a decade. I've stopped running services before because of burnout -- but I have never been bothered by the ratio you're talking about, and it has certainly not eroded my faith in anything.

JohnFen

"The onus should be on the reckless ‘for profit’ companies to not spill peoples personal details all over the internet."

I agree (although it's not just for profit companies that fall down on this.)

But we should also keep in mind that breaches will continue to happen even if every company handles their security very well. There is no such thing as perfect security, after all. If something can be accessed legitimately, it can be accessed illegitimately. The only question is how much time and effort is required to do it.

JohnFen

Re: Hmmmm

"it could be argued that it's in the public arena already and hence is no longer "private""

Yes, when it comes to the breach datasets. However, people who actively use his service are supplying information that may or may not be in any of those datasets. That would be the sensitive information.

JohnFen

Re: I tip my hat

He hasn't gone to KPMG -- he was already a KPMG customer.

I will admit, though, that the involvement of KPMG increases my nervousness about this.

JohnFen

Re: MFA

"All security is a trade-off with convenience."

Indeed so. When you're talking about why MFA hasn't been adopted widely by the average user, convenience is probably near, or at, the top of the list of reasons.

I think you covered all the options in your list. Of those, U2F is the most acceptable to me -- but I think that the requirement to buy and carry a U2F device, however cheap it is, puts off a lot of ordinary users.