• 105 Posts
  • 165 Comments
Joined 1 year ago
Cake day: July 1st, 2024

  • It’s a good “cover for action”, considering most of the printers that have the stego are naturally incapable of achieving the high quality needed to counterfeit banknotes. And those that are high enough quality are artificially crippled to be incapable of producing an exact match on the colors used in banknotes. Printers are generally lousy at matching colors. IIRC, Epson supplied software that would alter the photo displayed on your screen to best match what the printer could do, because demanding that the printer precisely match the source color is unrealistic.

    Self-regulation out of fear of regulation is a tough sell. What regulation do they risk if they don’t self-regulate, other than the very same outcome: tracker dots?

    Like a lot of surveillance, there is the cover story and then there is the real reason.

    Nonetheless, I appreciate the comment… it’s always good to be aware of the /official narrative/ regardless.






  • equifax/transunion: oh, look! we don’t care why, but there are “too many different phone numbers” being reported for you. we’re lowering your credit score

    I treat all members of the credit bureau (all banks, insurance companies, etc) the same when it comes to info sharing, just as if it’s all the same org. Because they all share the info via the credit bureau. If you give a different number to every bank, every bank can see all the numbers you gave to other banks through the credit bureau.

    I give just one useless number to all of them. A FAX number. Banks have no hope of getting me on the phone. But fuck them… they create this mess by joining the credit bureau. They’ve demonstrated that they cannot be trusted with useful info. So for self-defense, consider making every bit of info you give as useless as possible.

    You might be interested to know that the phone numbers on your credit report never mention the source who reported the phone number, which is unlawful. I wrote this thread about it:

    The law that all US credit bureaus violate, bluntly, simply because there is no enforcement mechanism: data source disclosure




  • Thanks for the tip. I’m not enthusiastic because I find that all the !privacy@* communities attract plenty of privacy opponents along with many ½-hearted moderates. I quit using the communities simply named “privacy” since they tend to have enough hecklers to sabotage discussions amid a crowd who is not really committed to privacy (a lot of comments come from Cloudflare nodes).

    The moderators of !privacy@* communities themselves fall short of being full-throated privacy advocates. One of them even /censored/ a thread about German police searching people who cross a Schengen border, claiming it’s unrelated to privacy. These moderators don’t have a firm grasp on history. They don’t know that today’s global privacy movement is largely driven very specifically by German police demanding papers.

    Regarding the topic at hand (refusing to put email traffic over MS and Google mail servers), I seem to recall this ethical stance triggering copious downvotes in a plain !privacy@* forum somewhere. It’s part of why I think I am alone on this.

    Anyway, the failures of !privacy@* forums are in part why I created a series of communities for specific aspects of privacy.

    It would be useful to have a general “privacy” forum, but it must be very tricky to bounce hecklers and maintain a constructive environment but without excessive nannying and creating a total echo chamber/bubble. Fedi tech falls short but I don’t really have a solution either.




  • In no way are you trapped with a shitty bank.

    You’ve obviously never been a vagabond. And probably also don’t have much of a grasp on the KYC shit-show pushed by banks now.

    No, customer service isn’t cheap, and you’re the guy making wait times over an hour.

    Happy to do so. There is a shortage of consumers who won’t let incompetence fly. Like I said, it’s a shit bank. If the service downgrades because of something I did and other customers bounce because of it, this is a good thing. I couldn’t hope for more.

    OTOH, the banker learned from me how checks work, and thus will be more competent the next time a customer would otherwise get boned by a banker who thinks debts vanish when a check expires. The banker’s training came from a customer taking up a phone slot, but that banker will be more efficient on this topic and faster going forward.



  • If you think it’s over the money, you’ve missed the plot.

    There is an ethical problem with how they operate. If you let them get away with their shenanigans, you support them. I will not. Fuck banks. And fuck their shenanigans. When they pulled this shit, it became my ethical duty to cost them. Their postage cost exceeds the value of the check, and their phone operator costs are high. So I’m happy to ensure their profit-driven exploitation backfires fully.

    Mobile deposits: most banks have scrapped remote deposits via web. Most banks are happy to exclude those not on their exclusive smartphone ecosystem and try to push you into Google’s walled garden to obtain their forced-obsolescence app (so Google can know where you bank after getting a mobile phone subscription in order to activate a Google acct). Anything to cattle-herd boot lickers onto the bank’s closed-source spyware app is part of their game. The ethical problems with this could fill a book.

    I tried hacking together an Android emulator to take a JPG of a check and emulate the camera within the android v/m using the linux gstreamer tool. I tried that back when I was willing to briefly experiment with a closed-source bank app I exfiltrated using Raccoon. Shit didn’t work with the banking app… it was too defensive. I was lucky the app even ran on the emulator. Many banking apps detect the emulator and refuse to run.

    Can’t reach an ATM for deposits from overseas. But also, when I am in the country, it’s a long drive from the house to an ATM.

    So deposits by mail are the most sensible in my situation.

    They fucked up. They made you whole.

    The idiot who charged the interest was just the first fuckup. And it’s not a significant fuckup. The notable fuckup here is the deliberate corporate-wide policy in how they deal with small credits that leads to a paper check in the mail. It’s the shitty policy that disables them from fixing their fuckups. A fuckup is fine if they can fix sensibly. But this is not the case here.

    IIUC, it’s what the Scots call a running goat fuck… which is fuck up after fuck up on top of fuck ups.







  • I think I’ve been stung by the same server twice. I vaguely recall another address that resolved to barracudanetworks.com, where msgs from that other user to me had MS outlook in the headers. So I wonder if barracudanetworks is set up to be a proxy or façade of sorts for MS, in which case I could track this.

    So what if for every email I receive, I have a program that checks for MS in the headers and (if MS matches) it does an MX lookup on the sender address, which it could then store in a DB to track patterns. This could also be a shared DB so a group of people could benefit from associating non-MS MX servers (like barracudanetworks) to MS. Imperfect of course, but perhaps accurate enough?

    Ultimately this is a GDPR issue. Data subjects are supposed to be able to know who gets their info and legally they have control over it. Email is somewhat incompatible with the GDPR in this regard.
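
An added example, not part of the comment above or the poster's own code: one way the header check, MX lookup and tracking DB described there could fit together. It records every sender rather than only MS matches, so each MX host gets a hit ratio; the header fingerprints chosen, the table layout, the 0.8 threshold and the injected `lookup_mx` resolver are assumptions.

```python
import sqlite3
from email import message_from_string
from email.utils import parseaddr

# Header fingerprints commonly stamped by Exchange Online / Outlook (assumed set).
MS_HEADER_PREFIXES = ("x-ms-exchange-", "x-microsoft-antispam")
MS_RECEIVED_HINTS = ("outlook.com", "office365.com")

def has_ms_headers(msg):
    """True if a header name or a Received hop carries a Microsoft fingerprint."""
    if any(name.lower().startswith(MS_HEADER_PREFIXES) for name in msg.keys()):
        return True
    hops = " ".join(msg.get_all("Received", [])).lower()
    return any(hint in hops for hint in MS_RECEIVED_HINTS)

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS seen(domain TEXT, mx TEXT, "
               "ms_hits INTEGER, total INTEGER, PRIMARY KEY(domain, mx))")
    return db

def record(db, raw, lookup_mx):
    """Store the sender domain's MX hosts and whether this message showed MS headers."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" not in addr:
        return None
    domain, ms = addr.rpartition("@")[2].lower(), has_ms_headers(msg)
    for mx in lookup_mx(domain):  # injected resolver: real DNS in use, a dict here
        db.execute("INSERT INTO seen VALUES (?, ?, ?, 1) ON CONFLICT(domain, mx) "
                   "DO UPDATE SET ms_hits = ms_hits + excluded.ms_hits, total = total + 1",
                   (domain, mx.lower().rstrip("."), int(ms)))
    return ms

def ms_fronted_mx(db, min_ratio=0.8):
    """Non-Microsoft MX hosts whose senders' mail mostly carried MS headers."""
    rows = db.execute("SELECT mx, SUM(ms_hits), SUM(total) FROM seen GROUP BY mx")
    return sorted(mx for mx, hits, total in rows
                  if hits / total >= min_ratio and not mx.endswith(".outlook.com"))

# Constructed sample data: every hostname, domain and message below is invented.
SAMPLE_MX = {"corp.example": ["mx1.filter.example."],
             "selfhost.example": ["mail.selfhost.example."]}
SAMPLE_MAIL = [
    "From: Bob <bob@corp.example>\nReceived: from constructed-host.outbound."
    "protection.outlook.com by mx.me.example\nX-MS-Exchange-Organization-AuthAs: "
    "Internal\nSubject: hi\n\nbody\n",
    "From: carol@selfhost.example\nReceived: from mail.selfhost.example "
    "by mx.me.example\nSubject: hi\n\nbody\n",
]

def demo():
    db = open_db()
    for raw in SAMPLE_MAIL:
        record(db, raw, lambda d: SAMPLE_MX.get(d, []))
    return ms_fronted_mx(db)
```

Headers other than the hops added by your own server are written by the sending side, so a match is a hint about the path, not proof of it.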



  • I’m w/you on the e2ee, of course. But this requires both people to partake, so the suggestion is broken in most non-p2p situations. In a world where govs, NGOs, and most people are incompetent, e2ee is not generally available. From there, do you want to function at all? You can be 100% dysfunctional if you insist on e2ee. I am almost there, actually. Countless businesses lose my business because they are not on the ball w/security. And gov offices get paper correspondence from me because their digital attempt stinks.

    But there are situations where e2ee is not strictly important for a particular situation. Yet I will be damned if I have to dance for Google or MS to get their servers to accept my msgs, all to help the scumbags profit from seeing my payload. So I will send an in-the-clear email to non-FAANG recipients in some cases.


  • But this is the InfoSec community and your reasons are probably entirely separate.

    Infosec broadly covers:

    • Confidentiality
    • Integrity
    • Availability

    Your problem as you describe it boils down to availability (which some would say is the most important infosec factor). I also have a serious availability problem with Microsoft. When I send email to an MS recipient (back in the days when I was willing to), MS’s servers refuse my msg because MS aggressively implements a strict IP reputation policy. And to be clear, you need not ever send any spam to have a bad IP reputation. You can simply subscribe to an ISP that gives you an IP address which the ISP has published as “residential”. And just like that, the discrimination machine kicks in.

    MS does not want mail from self-hosters like myself. They want to force me to dance for them. Even though my email is RFC-compliant, MS wants me to subscribe to a more costly business class of internet service, or to pawn myself to another email service provider.

    Either way, MS can fuck off. I will not lick MS’s boots.

    Out of curiosity, why are you declining to transit Microsoft servers? Worried about inspection or something?

    First of all, I boycott MS. The boycott is mostly driven by factors unrelated to infosec. Boycotting is no longer just refusal to buy their junk – boycotting also means to not feed them data because they profit from the data (otherwise, why are they gratis?) I am not generally worried about info in my payloads being specifically exploited in some kind of attack by MS, but I will not feed MS data that it can profit from. I also protest non-US govs throwing away their digital sovereignty and making all their people lick the boots of a privacy-abusing US surveillance advertiser.



  • I’m not sure how much research you’ve done, but a quick search of “Facebook addiction peer reviewed”

    Thanks… indeed adding /peer reviewed/ helps.

    It’s also probably worth digging into dark patterns used by Facebook and others to keep users coming back/focused on their feed.

    Glad you mentioned that… I might have overlooked it otherwise. The gov might argue (perhaps internally) that social networking is naturally addictive and that it’s an unavoidable nature of the beast. But Facebook (and likely Twitter) deliberately designs their platforms to artificially supercharge the addictiveness. So I will make that the focus of the addiction discussion, to separate Facebook from Lemmyverse.

    I’d also be prepared for the counter argument: “governments are only using Facebook because that’s where the people are”.

    I’m not sure my campaign will get any express feedback from opposition, but I will stress that the “network effect” feeds into the addiction as well as creates the power imbalance.


  • I skimmed through it and agree with everything up until the idea of a general ban on smartphones. That’s crazy talk. Banning young children from having smartphone access in various circumstances is probably a good idea.

    But for adults, I would just be happy with a ban on forcing others to use smartphones. E.g. some banks have closed their doors and shut down their web portal to wholly force all their customers to lick Google’s boots to obtain the bank’s closed-source proprietary app, which then forces chronic phone hardware upgrades. Then people who do not conform to the bank’s demands lose access to their money. That shit should be banned.