
Posts: 17 · Comments: 102 · Joined: 4 yr. ago

  • Sounds to me like this is the kind of abuse blocking any site would use not just Cloudflare. Do you have any evidence that Cloudflare is unique in any way in this?

    That’s not a meaningful comparison. Blocking sites do indeed block differently in various different circumstances & discriminate against different groups of people. There are patterns (like Tor blocking) but the meaningful comparison is CF to inclusive sites. E.g. gnucash.org. Gnucash demonstrates how a website can be deployed in an inclusive manner that respects users’ rights.

    Cloudflare is unique in how it deceives its users (e.g. tells its users they have a “zero trust” model when in fact you must trust CF with visibility on all traffic payloads). CF holds the SSL keys, unlike other implementations. The recommendation to anti-feature tag CF sites would cover the vast majority of exclusive access-restricted projects. But if a link leads to a rare Siteground site, that should also get an anti-feature tag for being exclusive.

    I mention this because I am not sure not using Cloudflare would change much.

    Of course it would. Cloudflare brings in a long list of problems. Not using CF (like gnucash.org does) solves all those problems of exclusivity and privacy.

    You would have to use another CDN or build your own solution. Abuse is a real thing and is the reason we cannot have nice things.

    The Gnucash project disproves this. Furthermore, a CF link can often be replaced with an archive.org link.

  • Also, loading images has nothing to do with not passing the Cloudflare check.

    Cloudflare is anti-robot. It’s one of the things they’re not secretive about. Robots do not load images because they are scraping textual information into a DB. Not loading images is relevant to bot detection and triggers anti-bot blockades. So bot creators will sometimes code their bots to needlessly fetch images in order to appear more human.

    Like, phone screens could just display black for a blind user. But they don’t.

    But they should. The reason they don’t can only be attributed to no one making the effort to extend the battery life for blind users. If the option existed, why wouldn’t blind people use it?

    I have a few disabilities myself, and know a couple people who are blind. They just use Firefox.

    Certainly you can’t speak for blind people by finding a few who have not realized they can disable images. This does not mean more advanced blind people have not done that. My vision is fine and I still disable images in Firefox in part to not waste bandwidth. Obviously I would keep image loading disabled if I were to go blind. The only reason for a blind person to load images (apart from getting help from someone else) is the same reason bot authors do it: to avoid being treated like a bot.
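The "no image loads" heuristic the comment above describes, run over a handful of constructed access-log lines, as an added illustration for this page. It is not Cloudflare's detection logic (which is not public), and the log lines, IP addresses and user agents are all made up. It also shows the two edge cases raised in the thread: a scraper that fetches one image per page passes, and a Firefox user with images disabled gets flagged.

```python
"""The "no image loads" bot heuristic from the comment above, run over a
handful of constructed access-log lines.

Added illustration for this page; it is not Cloudflare's logic (which is not
public) and the log lines, IPs and user agents are all made up.
"""
import re
from collections import defaultdict

# Constructed combined-log-format lines: a browser, a scraper, a scraper that
# fetches images to look human, and a Firefox user with images disabled.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /static/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /page2.html HTTP/1.1" 200 4100 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /page3.html HTTP/1.1" 200 3900 "-" "python-requests/2.31"
192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
192.0.2.44 - - [01/Jan/2024:10:00:10 +0000] "GET /page2.html HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2001:db8::5 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
2001:db8::5 - - [01/Jan/2024:10:00:12 +0000] "GET /static/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
2001:db8::5 - - [01/Jan/2024:10:00:15 +0000] "GET /page2.html HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".ico")
PAGE_EXT = (".html", ".htm")

BOT_LIKE = "bot-like: pages fetched, no images"
HUMAN_LIKE = "human-like"


def parse_log(text: str):
    """Yield one dict per well-formed combined-log line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def kind(path: str) -> str:
    """Classify a request path as 'page', 'image' or 'other' (css, js, ...)."""
    p = path.split("?", 1)[0].lower()
    if p.endswith(IMAGE_EXT):
        return "image"
    last = p.rsplit("/", 1)[-1]
    if p.endswith(PAGE_EXT) or "." not in last:
        return "page"
    return "other"


def profile_clients(text: str) -> dict:
    """Per-client counts of page/image/other requests, plus observed user agents."""
    stats = defaultdict(lambda: {"page": 0, "image": 0, "other": 0, "ua": set()})
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        s[kind(rec["path"])] += 1
        s["ua"].add(rec["ua"])
    return dict(stats)


def classify(stats: dict, min_pages: int = 2) -> dict:
    """Flag a client that fetched several pages but never a single image."""
    return {
        ip: BOT_LIKE if s["page"] >= min_pages and s["image"] == 0 else HUMAN_LIKE
        for ip, s in stats.items()
    }


if __name__ == "__main__":
    for ip, verdict in classify(profile_clients(SAMPLE_LOG)).items():
        print(f"{ip:15} {verdict}")
```

Running it flags the python-requests client and the images-disabled Firefox client, and passes the Chrome-spoofing scraper that requested one logo per page. That is the whole point of the comment: a heuristic keyed on asset loading is trivially gamed by bots and punishes humans who have turned images off.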

  • Going way overboard to the point of being pure is one of the biggest issues the FSF has in terms of relevance and you’re suggesting they go further down the rabbit hole.

    Framing inclusion of all people as a “purist” agenda is a bit rich. The Universal Declaration of Human Rights doesn’t say it’s okay to deny equal access to some people, for example. And we don’t call the UDHR “purist” or extremist for being all inclusive. Being inclusive is where the bar should be set. It’s achievable and there are some projects that prove that.

    It is better to direct people to good FOSS they can and will use than some imagined pure breed that no one will ever use.

    You’re not grounded in reality. Tagging anti-features does not lead to “some imagined pure breed that no one will ever use.” Nor would anyone avoid listings which have no anti-feature tags. It’s the contrary. Projects that lack anti-features are superficially attractive.

    Biggest issue with GitHub is that it mixes FOSS and non-FOSS and even worse not all projects have clear licensing.

    That is not the biggest issue with GitHub. GitHub is exclusive, feeds Copilot, feeds a company that’s antithetical to the FSF mission, among other issues that were listed in the OP.

  • First of all Cloudflare does not disclose to excluded communities why they are excluded. This non-transparency keeps the marginalized in the dark about both the technical criteria for exclusion and also the business reason for exclusion.

    Why I personally have been excluded is irrelevant trivia. The full extent of CF’s exclusion is unknown but it’s evident that at a minimum these groups of people are excluded:

    • public libraries
    • Tor users
    • VPN users
    • CGNAT users (often poor people in impoverished regions whose ISPs have fewer IPv4 addresses to allocate than the number of users)
    • people who use scripts to access web resources (and interactive users who merely appear to be bots by using non-graphical FOSS tools, blind people IIRC as they are not loading images)
    • all people with a moral objection to exposing ~20–30% of their web traffic (metadata & payloads both) to one single centralized tech giant in a country without privacy safeguards.

    I personally experience exclusion by all of the above except CGNAT.

  • As far as Cloudflare… they are a CDN. Relax. Nothing is locked there

    Nonsense. Cloudflare (a proxy not a CDN) is exclusive. People like myself are in the excluded group. If Cloudflare gives you no problems personally, then you are in the included group. It’s designed so those excluded are invisible to the included group. You can only see the barriers to entry if you are actually excluded.

  • Those might look like freedom pitfalls but are actually not. On the one hand gitlab dot com is not really bad for freedom as it has at least an open core and is very freedom friendly.

    You’re conflating a specific instance (the flagship one) with the software it uses, and also neglecting that it runs a non-free enterprise-licensed package, not free s/w. SaaS ≠ software. This particular instance scores poorly by FSF’s own freedom criteria.

    There are FOSS-based Gitlab community repos which have no notable freedom issues, but these are not what my comment refers to. The Gitlab CE instances would not need an anti-feature tag. But Gitlab dot com does.

    Cloudflare? Why are you even mentioning this?

    Restricted-access docs exclude people and also violate the Free Documentation License.

    Remember it stands for Free software first.

    Software as a service was rightfully cautioned by RMS himself and it is well inside the purview of FSF which has published various essays on the topic.

  • The first bounty I would create for any project of interest is a bounty to move the bug tracker out of Github so those who boycott Microsoft can at least participate in the QA process.

    So having a bounty mechanism inside Github is a bad idea. As a MS boycotter, I would be excluded from contributing bounties via the mechanism you propose.

  • No specific manufacturer in mind right now

    MFDs are being tossed into dumpsters in high numbers. I keep pulling out HPs and Canons. The scanner functionality always works. I think the focus should be on hardware that is getting thrown away for environmental reasons. Even if the printing is toast, printers could be repurposed for all kinds of things since they are all network-attached now.

    HP should be boycotted, so ideally FOSS f/w would only be developed for discontinued models so as to not incentivize procurement.

  • Does it say “Internet required” on the box? If not, a good activist move might be to have a bunch of people buy them, set them up on a disconnected machine, then return them for a refund.

  • Oki (formerly Okidata) is the lesser of evils. After doing a deep dive studying the ethical problems of all the printer makers, Oki was the one I found the least dirt on. But Oki has pulled out of the US market entirely; probably couldn’t survive in a competition of tricks & traps.

  • The magstripe is useless in my area. The bank also automatically blocks the use of the card in non-EMV regions. A travel notice is needed to make the card function in non-EMV areas. The magstripe encodes a flag that declares that an EMV chip is present so EMV-capable readers will reject the magstripe. So a skimmer would have to find out my travel plans to a non-EMV region. They will be waiting a very long time because I have a different card for non-EMV regions. I could just as well scrape the magstripe off if I thought skimming were a significant risk.

    The other exploit is trapping the card using a plastic sleeve then fetching it after you give up and leave. If my card gets stuck in a machine, I would operate under the assumption that that attack is in play. An attacker can drop off a compromised ATM... a whole machine. Those are always free-standing. I don’t think free-standing ATMs exist in my area.
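The "flag on the magstripe that says a chip is present" mentioned in the comment above is the Track 2 service code (ISO/IEC 7813): a first digit of 2 or 6 tells a chip-capable terminal to use the chip. Below is an added illustration for this page, not code from any bank, card network or terminal vendor: a Track 2 parser, a simplified terminal-side rule for refusing the swipe, and a hypothetical issuer-side travel-notice check. The track strings are constructed (4111 1111 1111 1111 is a well-known test PAN), and the fallback and travel-notice policies are assumptions, not any specific network's rules.

```python
"""Track 2 service code: the magstripe field that tells an EMV-capable
terminal "this card has a chip, use it".

Added illustration for this page; not code from any bank, network or
terminal vendor. The track data and the fallback/issuer policies below are
constructed and simplified (4111 1111 1111 1111 is a well-known test PAN).
"""
import re

# ;PAN=YYMM SSS discretionary?   (start/end sentinels are optional here)
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{8,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Service code digit 1 (ISO/IEC 7813): interchange rules and the chip flag.
INTERCHANGE = {
    "1": ("international", False), "2": ("international", True),
    "5": ("national", False),      "6": ("national", True),
    "7": ("private", False),       "9": ("test", False),
}
# Digit 2: authorization processing.
AUTHORIZATION = {"0": "normal", "2": "online", "4": "online except bilateral"}
# Digit 3: allowed services / PIN requirements.
SERVICES = {
    "0": "no restrictions, PIN required", "1": "no restrictions",
    "2": "goods and services only", "3": "ATM only, PIN required",
    "4": "cash only", "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}

SWIPE_OK_NO_CHIP = "swipe accepted: no chip indicated"
SWIPE_OK_NON_EMV = "swipe accepted: terminal cannot read chip"
SWIPE_OK_FALLBACK = "swipe accepted: technical fallback after chip failure"
SWIPE_REJECT = "swipe rejected: chip present, insert card"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation for the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Decode a Track 2 string into its fields; raises ValueError on bad input."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 string")
    pan, svc = m["pan"], m["svc"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    if not 1 <= int(m["mm"]) <= 12:
        raise ValueError("bad expiry month")
    if svc[0] not in INTERCHANGE or svc[1] not in AUTHORIZATION or svc[2] not in SERVICES:
        raise ValueError("unknown service code " + svc)
    interchange, chip = INTERCHANGE[svc[0]]
    return {
        "pan": pan, "expiry": "20" + m["yy"] + "-" + m["mm"],
        "service_code": svc, "interchange": interchange,
        "chip_indicated": chip, "authorization": AUTHORIZATION[svc[1]],
        "services": SERVICES[svc[2]],
    }


def terminal_decision(track: dict, terminal_has_chip_reader: bool,
                      chip_read_failed: bool = False,
                      allow_technical_fallback: bool = False) -> str:
    """Simplified terminal-side rule: a 2xx/6xx service code on a chip-capable
    terminal means the swipe is refused unless the chip genuinely failed and
    the acquirer permits technical fallback (both knobs are assumptions)."""
    if not track["chip_indicated"]:
        return SWIPE_OK_NO_CHIP
    if not terminal_has_chip_reader:
        return SWIPE_OK_NON_EMV
    if chip_read_failed and allow_technical_fallback:
        return SWIPE_OK_FALLBACK
    return SWIPE_REJECT


def issuer_allows_swipe(terminal_country: str, emv_countries: set,
                        travel_notice: set) -> bool:
    """Hypothetical issuer-side rule from the comment: a magstripe transaction
    from a non-EMV country is declined unless a travel notice covers it."""
    return terminal_country in emv_countries or terminal_country in travel_notice


if __name__ == "__main__":
    # Constructed tracks: same test PAN, service code 201 (chip) vs 101 (no chip).
    chip_card = parse_track2(";4111111111111111=2512201000000000?")
    mag_card = parse_track2(";4111111111111111=2512101000000000?")
    print(chip_card["service_code"], terminal_decision(chip_card, True))
    print(mag_card["service_code"], terminal_decision(mag_card, True))
    # A skimmed clone of chip_card only works where swipes are accepted at all...
    print(terminal_decision(chip_card, terminal_has_chip_reader=False))
    # ...and then only if the issuer expects the cardholder to be there ("ZZ" is a placeholder code).
    print(issuer_allows_swipe("ZZ", emv_countries={"BE", "FR", "NL"}, travel_notice=set()))
```

The two layers are what make a skimmed copy of a chip card's stripe nearly worthless: a chip-capable terminal refuses the swipe outright on the service code, and a non-EMV terminal still has to get past the issuer, which (per the comment) declines out-of-region magstripe use unless a travel notice exists. Skimmers therefore target the 1xx/5xx cards or the rare technical-fallback path.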

  • Every region has a different norm. Smartphone banking may not have caught on in the US but the European normal is quite different in the banking sector.

    Europe even has cashless banks (not joking). These are “banks” that actually have no vault, only computers, and do not handle cash. No cash deposits. Withdrawals only possible at ATMs. If your ATM card fails and you need cash, you go to the bank and a banker walks with you to the ATM so the banker can withdraw the cash using a special card. It’s normal in Scandinavia but I think it would be shocking if a US bank were to operate this way. A cashless US bank would be an embarrassment.

    The #WarOnCash has made bigger strides in Europe than the US.

    If you want to withdraw $15k in banknotes in the US, it’s normal. In Europe it’s not only abnormal but sends red flags. I know someone who tried to withdraw €15k from her bank account and the bank called the police and arrested her. She was not charged with anything but they fully documented the attempt and released her. That was in a country where cash transactions greater than €3k are illegal. Spain, France, and Belgium all have cash limits like this. Netherlands is next. (to be clear, I think a €15k withdrawal would not be illegal on the part of the consumer but it likely exceeded the ToS of the bank and also triggers suspicion... some of the details are murky)

    In my region it’s illegal for a bank to offer 1FA logins. So the banks give you an RSA token of sorts... a hardware device. Some banks have opted to use mobile phones for 2FA instead of buying and maintaining special purpose devices for everyone. Then they leaped to the assumption that everyone has a smartphone. From there it’s natural for them to figure there’s no longer need to maintain a website.

  • You don’t trust the bank’s app because of who they might have outsourced the code to

    You can safely scratch out the word “might”. It’s very unlikely that a bank would write their own app in-house.

    I don’t trust the outsourced entity, nor do I trust the bank. Banks use the cover of “KYC” to collect abusive amounts of information. Closed-source projects need to profit too & banks would be happy to reduce their cost by allowing 3rd party data collection. Most banking apps are outright tagged that they call for perms to collect your GPS location. I also don’t trust Google not to profit from information about where Google pawns do their banking -- that’s too valuable to debt collectors to let it go unexploited.

    but you will trust that the ATMs haven’t been tampered with by criminals?

    I trust consumer protections to be enforced. I’ve made use of those protections in an ID theft situation so I’ve seen first-hand that they work. If you fear ATMs then you cannot easily fight the #warOnCash. Do you get your cash over the counter, or do you simply support the war on cash and all the data leeches banks feed? If you’re quite worried about it, I suggest using the indoor ATM at a bank that’s only accessible during business hours.

    You get no consumer protection from bank snooping that you agreed to in the ToS. You should read your bank’s ToS and privacy policy sometime. It’s interesting to see what they needlessly collect.

    Because the latter is by far more common than the exploitation of a security hole in a banking app.

    An outsider exploit is not the biggest threat. It’s the bank itself snooping lawfully (and monetizing that data to keep your fees down) that’s the most certain compromise. Though exploits cannot be ruled out either since closed-source blocks users from auditing the security.

  • The long-term plan is of course to ditch the account. At the moment I’m in a pinch and just need an ATM that works. It’s a bit alarming how little knowledge and information is available on ATMs. The non-transparency is in itself a privacy issue.

    I don’t think credit unions exist in my country. But it’s worth noting that credit unions in the US have a whole different set of pitfalls. They are typically too small to offer their own services. Credit unions outsource everything: bill pay, statement printing, the website, email... They do nothing in-house. All that outsourcing means copious information sharing with giant centralized corporations that monetize your data.

  • You may consider giving Ally bank a try.

    My dumpster fire bank is not the US. But I would avoid Ally anyway since that bank’s website is tor-hostile and their privacy policy also scores below average on privacy. I suppose the low fees and high interest must be offset by data monetization.

    I question the merit of avoiding downloading their mobile app and instead sticking your card into lots of random unverified ATMs to try to get balance reports.

    Third party ATMs do not appear to exist in my region. All ATMs are bank-owned AFAICT.

    The app may not be great, but SSL is cryptographically sound and the bank has your social and your identity anyway.

    The app requires trusting whoever the bank outsourced the coding to. Does the bank even get to see the source code? I wouldn’t trust the bank or the profit-driven closed-source developers to not include spyware or to look after the consumer’s interests. Especially in the case of US banks. Apart from that I object to Google keeping track of where I bank (data which can ultimately be sold to debt collectors) -- which is inherent in being forced to use the Play Store. I also object to buying a new phone (hardware) in order to chase the version requirements. These abuses are certain, thus a non-starter compared to the mere bad luck chance of fraud by a dodgy ATM, which at least has the remedy of consumer legal protections.

  • None of that is normal.

    I think it’s the new normal. Aren’t banks like n26 & Revolut purely by smartphone? This was a proper bank that became like the smartphone banks. I see how people all around me blindly trust smartphones & Google or Apple with reckless disregard. And they upgrade with reckless disregard. The Fedi crowd is more likely to see the absurdity in a bank-by-smartphone situation but the young generations would probably just as well have Snapchat handle their banking. It’s a terrible direction things are going in. I can’t even reserve public parking in my region offline anymore.

    One of the traditional banks in my area is gradually removing features from the web service & making them exclusively app services. They probably hope to eventually pull the plug on the website. I’m close to pulling the plug on banking.

  • The bank in this case has closed down their website. Paper statements are gone. They also closed their office & made it by appointment only. Calling & asking a human possibly incurs a fee. All access is exclusively via a proprietary closed-source app that’s exclusively available from surveillance capitalists (Google & Apple). The app is chronically upgraded and fussy about platform OS version & refuses to run inside a virtual machine, thus requires buying a new phone periodically.