darkoshi: (Default)
On both my work and personal laptops (Windows 10 and 11), I have noticed that the file context menu in Windows Explorer now includes an "Ask Copilot" option.

I have privacy and security concerns about that. If I accidentally select this option, will the file or its contents potentially be uploaded to the web somewhere? Will Microsoft use the contents of the file for other purposes? I didn't find clear answers on that. If I wanted Copilot to analyze a file, I would prefer to select the file thru other means. I don't need extra items in my context menu; mine is already lengthy due to other custom entries (which I actually use on a frequent basis) that I've added to it. So I will edit my registry to remove the entry from the menu.

Windows 11: Microsoft is adding Ask Copilot to right-click menu, how to remove it

Windows 11’s Copilot in Context Menus: Benefits, Concerns, and How to Remove It
darkoshi: (Default)
ChatGPT achieves the pinnacle of human intelligence, laziness, and developers are baffled (2023/12/12)

This AI can pick up passwords from the sound of your keystrokes (2023/12/10)
This is something I've been slightly concerned about for some time already. From that article, it doesn't sound very advanced yet - the AI needs to be trained on each specific keyboard's sounds first. But I am sure they will get better at it over time, so as not to need that initial training in the future. And I bet some government security agencies have more advanced versions like that already.

Utah Supreme Court says suspects can refuse to hand over phone passwords to the police. Other state Supreme Courts disagree and the case would wind up before the US Supreme Court (2023/12/16)
The state Supreme Court also noted that the case raises important questions about how the Fifth Amendment extends to law enforcement efforts to unlock smartphones. The justices noted, as an example, law enforcement obtaining an order to compel a suspect to provide an unlocked device, thus circumventing the necessity of having them disclose the password.

With the Valdez case, the police asked him to verbally provide his password and did not get an order to compel him to unlock the device. ...
darkoshi: (Default)
The masked phone number part of this sounds useful for sites like Google that nowadays require a phone number for setting up an account.

https://relay.firefox.com/
Protect your identity with secure phone and email masking

Our secure, easy-to-use email and phone masks help keep your identity private so you can sign up for new accounts anonymously, stop spam texts and junk calls, and get only the emails you want in your inbox.
...
Limited-time only: Relay Premium + Mozilla VPN for $6.99/month

Mozilla VPN protects you from tracking & surveillance while you’re gaming, online banking, or getting work done. Add it to Firefox Relay for 40% off.

Your 1-year plan includes:
Email masking
Phone masking
Mozilla VPN
...
Use Relay email masks and phone masks everywhere

Get secure, random email masks and a unique, masked phone number to use any time a website, app, store, or restaurant asks for your information.

...
We’ll forward emails, phone calls, and texts to you

Rest assured, senders will never know your real email address or real number. You can even reply to texts and emails without sharing your real identity.


Ah, but based on the wording on that page, it sounds like you only get a single masked phone number to use. So you couldn't generate multiple ones for different sites. Unless you pay for multiple instances of the service, I suppose.

But still, I've been thinking about signing up for a VPN service, and getting a masked phone number along with it would be useful, maybe.

I wonder about the "stop junk calls" part though. It seems that whenever you get a new phone number, you're bound to get junk calls trying to reach previous people who had that phone number. Add to that any new junk calls caused by you giving websites that number. Presumably all those calls get forwarded to your real phone. So I don't see how it would reduce junk calls. Are you able to discard one masked number and get another at will? If so, how often?

I would need to look into the details of this some more.
darkoshi: (Default)
A few days ago I got a Facebook notification email that so-and-so "confirmed your Facebook friend request", where so-and-so was a name I did not recognize. Nor do I remember having sent any FB friend requests in a long time.

I logged into the FB account and sure enough, that person had been added to my friends list. I browsed their timeline and photos, and it looked like a real account, but nothing rang a bell. Nothing about their posts seemed related to my own interests. The only thing that made me feel uncertain was that their profile pic looked vaaaaaaguely familiar; it was of a woman wearing a straw hat, and a guy, apparently at a beach but only the heads visible. I feel like I may have seen that photo before, but have no idea when, and maybe it only looks similar to some other photo I've seen in the past.

When I clicked the link to see who else they were friends with, it showed no one, so I guess they have their friends list set to private.

So then I downloaded all my Facebook data, and scanned it for her name. Nothing found.
I ran a search on all my emails and my FB notes (where I usually note down when I've sent or accepted a Friends request), and again found nothing.
I even checked my browser history; nope.
So I unfriended her.

But I still feel odd about it. Could it be someone whom I sent a friends request to a long time ago, and maybe they changed their display name (and profile URL) on FB since then?

I'm more of the belief that it was either a FB glitch, or some entity is using this method (hack Facebook to add their own fake accounts as friends to other people's accounts) to spy on people's non-public posts.

I've just thought why the profile photo might look familiar to me... maybe it was one of the "suggested connections" that FB always shows. Like a friend of a friend. So conceivably (or arguably from a hacker's point of view) I could have accidentally clicked on that part of the page sometime, resulting in a friends request being sent? But surely it would give a confirmation window before sending an actual request? Surely I wouldn't accidentally click twice, without remembering any of it?
darkoshi: (Default)
I have a few Gmail accounts with "darkoshi" in the name, which like my other "darkoshi" accounts such as this Dreamwidth one, I don't want associated to my legal name and address.

So I don't believe I've ever entered a phone number for those accounts. Whenever their pages have prompted me to enter one, I've chosen the option to skip it.

I have these Gmail accounts set up via IMAP in my Thunderbird, so I'm still able to receive and send mail thru them.

I logged into one of these accounts without a problem today via the web. But when logging into another of the accounts (in a fresh browser window with cookies cleared, like always), after entering my email and password, I was prompted to verify it's me by entering my recovery email address, which I did. But then it prompted me to verify it's me again in another way:

"Verify it's you. This device isn't recognized. For your security, Google wants to make sure it's really you. Enter a phone number to get a text message with a verification code."

This smacks of downright deceit to me. Entering a phone number doesn't let them verify it is me, as I've never given them a phone number before. I can only presume Google wants to have a phone number associated with my account, and this is their way of obtaining it.

I am quite annoyed that they don't instead simply say "We now require a phone number to be associated with your account. Please enter one."

I still wouldn't want to enter one, but at least they'd be being honest.
Gmail didn't even send a verification code to my recovery email address to verify that I can access it; they only made me enter the email address to show that I know what it is.

What they did send to both the email account that I'm trying to log in to, as well as the recovery email account, is an email saying:
"Critical Security Alert. Sign-in attempt was blocked. Someone just used your password to try to sign in to your account. Google blocked them, but you should check what happened."

Yes, I used my password to try to sign into my account, DUH.

https://www.wikihow.com/Bypass-Gmail-Phone-Verification
"It is no longer possible to create a new Gmail account without verifying a mobile phone number."

https://support.google.com/accounts/answer/114129
"To help protect you from abuse, we will sometimes ask you to prove you’re not a robot before you can create or sign in to your account. This extra confirmation by phone helps keep spammers from abusing our systems.
Note: To verify your account, you need a mobile device."


So I think I will have to stop using Gmail for my Darkoshi accounts.

But what email providers let you be anonymous and don't require a phone number?
I'm ok with it being a paid service, if I can pay anonymously; that may be reason for me to try out bitcoin. Although bitcoin's not really anonymous, is it?

So I just don't know.

::sigh:: It's always something.

Now I spent hours researching that instead of what I wanted to spend my post-midnight / pre-bed time on.
But GMX mail and ProtonMail look like good contenders.

smart reply

Friday, December 13th, 2019 03:40 pm
darkoshi: (Default)
I've been impressed lately with how pertinent some of the text reply suggestions are on my phone. (Although sometimes they aren't.) It makes replying easier and also seems a good way to learn "what is a good normal response to xyz" if a reply doesn't come easily to one's mind.

But I thought I had turned suggestions off before; hadn't I been concerned about it sending my texts to a server somewhere, to be analyzed, in order to return the suggestions? So I went into the settings, and found this... the "on-device intelligence part" surprised me:

Messages app - Settings - "Suggestions in chat"
(Google Assistant, Smart Reply, Suggested Actions)

"Smart Reply, suggested actions, and Assistant suggestions are generated with on-device intelligence by Messages.

Suggestions are not shared with Google nor anyone else until you tap them.

If you allow Messages to access your device's location, you'll see more local suggestions."



But what about that "until you tap them" part? I guess that means that once you select and use one of the suggested replies, then it probably sends both the other person's text as well as the selected reply to some server. So I guess my original concern remains.
darkoshi: (Default)
I let my phone's stock camera app update recently, and the updated Settings screen has a new option for enabling/disabling Google Lens. I had to look up what that is. When it is enabled, the camera UI has a button for selecting Google Lens mode. In that mode, when you point your phone at something and tap the screen, the app will search for and show you info on the item you were pointing at.

At first, the thought of this was quite concerning to me, from a privacy point of view and from a data usage point of view. Does it upload the images to some server on the web? Does the app on the phone determine (on its own) what is in the photo, or is that processing done on a server somewhere else, and the results are sent back to the phone? I wasn't able to find an answer to that yet.

(I've also wondered, when you give an app permission to take photos and record video, etc., is it able to use those permissions even when the app is not in the foreground? What if you swipe the app out of your Recent Apps view - is that a sure way to make sure it isn't still spying on you in the background, or not?)

But the Google Lens functionality also sounded appealing, so I tried it out today. It presented an initial informational screen that said your images and search info would be uploaded/saved to your "Web Activity" unless you turned that option off in your Google Account. So I checked and verified that I have that turned off.

I tested it by pointing the camera at one of our drink coasters, and it came back with a product image and link to where the exact same coasters were for sale. That was pretty neat.

The next few things I tried didn't have as specific results. But it still seems a promising and useful tool. As long as I can be sure that it won't be sending image data somewhere on the internet without my knowledge.

Update: I tested using it with both wifi and data turned off. This way it doesn't give any error message, but doesn't show any results (even when scanning something simple like text). So I guess it must require uploading the images somewhere and then processing them there, not only on the phone.

.

Not long back, I installed a separate non-stock camera app, Open Camera:
https://play.google.com/store/apps/details?id=net.sourceforge.opencamera

My main reason for getting a separate camera app was that I wanted one with a manual focus option. Auto-focus sometimes focuses on the wrong thing, especially when taking close-ups of plants in windy weather.

No, Google, no.

Sunday, December 2nd, 2018 05:01 pm
darkoshi: (Default)
My phone is annoying me. I want to disable "OK Google" detection, so that it won't listen for those trigger words; I don't want it potentially recording my voice all the time. But I don't want to completely disable microphone access for Google searches. I would like the microphone to be used *after* I click the microphone icon in the Google search box.

Yet no matter what settings I change, when my home screen is displayed (which has the search box at the top), when I say "OK Google", it still always brings up the "Listening..." screen and will then search on the next thing I say.

I've never even enabled the Google assistant; I wonder if that has something to do with it. Whenever the screens come up where one would enable it, I click to Cancel, as I don't want to give it all the permissions it asks for. It seems like maybe you have to enable the assistant in order to subsequently and effectively disable it? But that doesn't really make sense.

The phone settings screens confuse me. After clicking more than a few items deep into them, I lose track of where I came from. Some of the screens can be accessed more than one way, which adds to the confusion.

Some of the settings I've updated:

Phone Settings - Google - Search, Assistant & Voice - Voice - Voice Match
"Access with Voice Match" is disabled
"While driving" is disabled
Everything else on this page is greyed out/disabled

Google Maps - Settings - Navigation Settings - "Ok Google" detection
"While driving" is disabled

Phone Settings - Apps - (gear icon) Configure apps - Assist & Voice Input
"Assist App" - is set to None.

Phone Settings - Google - Google Account - Data & Personalization - Activity Controls
"Voice & Audio Activity" (and all the other items) are "Paused"

Did you know that you can change the voice used when search results are spoken? This setting is enabled for me, even though I haven't enabled the Assistant:
Phone Settings - Google - Search, Assistant & Voice - Google Assistant / Settings - Preferences - Assistant Voice

.

Yesterday, it was Google Maps that annoyed me. While out shopping, I tried to bring up my offline map, but couldn't as it had expired. What's the point of having an offline map, if it expires all the time so that I can't use it!? I only get reminded that it's expiring ahead of time if I go into Maps. Why should I have to re-download it every 3 months? Yes, Google provides them as a free service, so they can make their own rules. But it feels like they are taking away something from me that I downloaded fair and square. I'd be willing to pay a single time fee, to be able to keep my maps downloaded permanently, and to choose when to update them.

.

I've been wanting to switch to CyanogenMod or do something which would let me have more control over things like this. Haven't gotten around to it yet. The last thing I did was to unlock my boot loader.

.

Something else odd:
Phone Settings - Google - Connected apps
This showed "McClatchy Social Signin" as a connected app. I have no idea what that was for or where it came from, so I disconnected it.
The only other connected app listed on that screen is "Android device".

GDPR overload

Saturday, May 26th, 2018 02:24 pm
darkoshi: (Default)
I've been feeling a bit overwhelmed by all the notifications I've been getting about changes to my accounts' terms of service and privacy policies, as normally I like to skim through them to see what has been changed. Now I'm having to ignore them, until I feel up to the task... which is usually how I handle it, but not with so many at once.

Just while typing this short post, another one came in! "Updates to the eBay User Agreement".
darkoshi: (Default)
Yahoo Mail (aka OATH) has a new Terms of Service and Privacy Policy starting May 25. The parts of the privacy policy which pertain to how Yahoo may access the information contained in emails disturb me.

This page appears to have Yahoo's legacy privacy policy, dated June 2017. Based on what that page says, some or all of the policies listed below may not be new, but I'm not sure.

I was wondering if Yahoo's policies are really much different from Google's TOS and Privacy Policy. So I checked.



Google:
Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.



Yahoo/OATH:
OATH Privacy Center, main
Oath analyzes and stores all communications content, including email content from incoming and outgoing mail. This allows us to deliver, personalize and develop relevant features, content, advertising and Services.



OATH FAQ for Communications Products
Oath’s automated systems may analyze all content (such as Mail and Messenger content including instant messages and SMS messages) to detect, among other things, certain words and phrases (we call them "keywords") within these communications. This analysis may occur on all content as it is sent, received, and when it is stored, including communications content from Services synced with your account.

...
Our automated systems may analyze all communications content (such as Mail and Messenger content including instant messages and SMS messages) and all photos and other content uploaded to your account

...
For example, after automatically removing any information that on its own could reasonably identify the recipient, we may manually review certain commercial communications to develop tools to assist the automated scanning process, improve segmentation and other automated functions and create generic templates of such documents (e.g., using common language to identify the elements of an airline receipt). Oath employees may review the templates to improve our services and our personalization of your experience.

The automated analysis and storage of all content can include information within or about the content you provide, such as photos, attachments and other communications. We may collect information about the photos and videos uploaded, including EXIF data. Exchangeable Image File Format (“EXIF”) data is a record of the settings and other relevant metadata inserted by a camera or device when you take a photo or video, such as camera or device type, aperture, shutter speed, focal length, and location, among other information.

We also may use image recognition algorithms for the purposes bulleted above. For example, the algorithms might identify and tag scenes, color, best crop coordinates, text, actions, objects, or public figures.



It also disturbs me to read how much information Yahoo may be collecting about me from multiple sources:

OATH Privacy Center, main
We collect information from your devices (computers, mobile phones, tablets, etc.), including information about how you interact with our Services and those of our third-party partners and information that allows us to recognize and associate your activity across devices and Services. This information includes device specific identifiers and information such as IP address, cookie information, mobile device and advertising identifiers, browser version, operating system type and version, mobile network information, device settings, and software data. We may recognize your devices to provide you with personalized experiences and advertising across the devices you use.

...
This information also includes the kind of content or ads served, viewed or clicked on; the frequency and duration of your activities; the sites or apps you used before accessing our Services and where you went next; whether you engaged with specific content or ads; and whether you went on to visit an advertiser's website, downloaded an advertiser’s app, purchased a product or service advertised, or took other actions.
...
Information from Others. We collect information about you when we receive it from other users, third-parties, and affiliates, such as:

When you connect your account to third-party services or sign in using a third-party partner (like Facebook or Twitter).
From publicly-available sources.
From advertisers about your experiences or interactions with their offerings.
When we obtain information from third-parties or other companies, such as those that use our Services. This may include your activity on other sites and apps as well as information those third-parties provide to you or us.
We may also receive information from Verizon and will honor the choices Verizon customers have made about the uses of this information when we receive and use this data.

...
We also may use the information we have about you for the following purposes:
...
Associate your activity across our Services and your different devices as well as associate any accounts you may use across Oath Services together. We may associate activity and accounts under a single user ID.



Automated scanning of emails for certain keywords is something I was aware that Google has been doing for quite a while. But the idea of mail providers scanning email image attachments, and applying facial recognition to see who is in the images, etc., is new to me*. I know that Facebook does that for images uploaded to its site, but I didn't know that email providers would do it too, for images attached to emails. And I hadn't thought much about how much info so many different companies may be sharing with each other to get a "big picture" about a person's activities, as opposed to each company just maintaining its own small set of data for its own analysis, of what people do on their particular website.

*Updated, 2018/05/20: OATH's pages only specifically mention "image recognition", which must mean to see what is in the photos. So they may or may not use "facial recognition" to see who is in photos. But based on the above, the image recognition may recognize "public figures", so it probably does include facial recognition too.

uMatrix difficulty

Saturday, January 20th, 2018 12:40 am
darkoshi: (Default)
I've been trying to learn how to use the uMatrix add-on in Firefox with scripts blocked by default for most pages.

For the most part, I think I understand how it works now, and I can get most pages to display ok. But it seems more frustrating than NoScript ever was for me.

A few days ago the links on a certain page weren't working, no matter what I allowed in the uMatrix grid. Even after disabling all matrix filtering, the links still didn't work. But in my other browser without uMatrix, they did work.

I found this info: About "the page is still broken after I created all necessary rules". It mentions that you may need to press the Shift button while reloading the page, to get it to work. I tried that, and it fixed that particular page.

Today I'm having a problem on this page: The 29 Stages Of A Twitterstorm In 2018.
No matter what I do, including shift-reload, including with matrix filtering disabled for both the buzzfeed domain *and* the global scope, the video in #18 does not display. In my other browser with NoScript, I only have to allow scripts for a few domains, and the video displays ok. The last domain I had to allow was "twimg.com". But "twimg.com" isn't even listed in the uMatrix grid. Do any of you use uMatrix? What am I doing wrong?

Update, 2018/01/21: In my testing this afternoon, twimg.com does get listed in the uMatrix grid, and the video does display. I did reinstall my browser and set up a new profile, but I think I'm using the same uMatrix settings as before, so I don't know what fixed it. Maybe I had Firefox's Tracking Protection turned on in my old profile (see my comment below).
darkoshi: (Default)
Over at Qiao's house, I hooked up a bluetooth mouse and keyboard to my laptop, as typing directly on the laptop gets frustrating after a while.

The laptop sits on a movable cart. First I tried putting the keyboard on another little table/stand in front of the cart. But that way, the screen was too far away. Then I tried turning the laptop sideways on the cart, so the keyboard could fit in front. But that way, the mouse didn't fit. Then I thought to try placing the keyboard right on top of the laptop's keyboard. I thought that would cause the laptop's keys to accidentally get pressed. But it doesn't. It works perfectly fine that way. Hah.

..

While searching for add-ons that work in Firefox 57, I found uMatrix. It's similar to NoScript, in that you can select what items are allowed to run for each web page. But it's a little different. For example, I think uMatrix can be configured to only allow Facebook scripts to run on Facebook pages. Setting up those kinds of rules in NoScript isn't easy. Each add-on can do certain things that the other doesn't, and many people use both. So now I'm trying out uMatrix.

uMatrix can spoof your browser's user-agent string by randomly changing it every x minutes. You can customize the list of strings that are used. The next link has a dynamically created list of the most common user agent strings, based on the people who have visited that site. A comment on the page explains that the numbers are somewhat skewed to older browser versions, as it takes some time for the older entries to drop off.

As long as I'm still using Firefox, I think it is best to only spoof using other Firefox user-agent strings. Firefox's market share is low enough that I don't want to make it seem even lower by pretending to be using a different browser.

So, below is a list of the most common Firefox user agent strings, taken from that page today, along with their percentage. Each individual string is fairly uncommon, but the sum is about 17%. That's actually pretty high, compared to the numbers on the Wikipedia browser usage share page.

2.7% .. Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
2.3% .. Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
1.5% .. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
1.3% .. Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
1.2% .. Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
1.1% .. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
0.8% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
0.6% .. Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
0.6% .. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
0.5% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
0.5% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
0.4% .. Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Windows NT 6.1; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
0.3% .. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
0.2% .. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
0.2% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:57.0) Gecko/20100101 Firefox/57.0
0.2% .. Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
0.2% .. Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
0.2% .. Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
0.2% .. Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
0.2% .. Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
0.2% .. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
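
The list above, turned into a checkable spoofing pool. This is an added example, not part of the original post and not uMatrix's own code: it parses the list exactly as posted, keeps only self-consistent Firefox strings (the Firefox-only policy described above), totals the shares by version and OS, and picks from the pool weighted by share. All function names are illustrative.

```javascript
// Added example. UA_LIST is the list from the post; function names are illustrative.
const UA_LIST = `
2.7% .. Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
2.3% .. Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
1.5% .. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
1.3% .. Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
1.2% .. Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
1.1% .. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
0.8% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
0.6% .. Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
0.6% .. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
0.5% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
0.5% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
0.4% .. Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Windows NT 6.1; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
0.3% .. Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
0.3% .. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
0.2% .. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
0.2% .. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:57.0) Gecko/20100101 Firefox/57.0
0.2% .. Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
0.2% .. Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
0.2% .. Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
0.2% .. Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
0.2% .. Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
0.2% .. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
`;

// Desktop Firefox shape; the rv: token and the Firefox/ token must name the same version.
const FIREFOX_UA =
  /^Mozilla\/5\.0 \(([^)]+); rv:(\d+)\.0\) Gecko\/20100101 Firefox\/(\d+)\.0$/;

// Coarse OS family taken from the platform part of the string.
function osFamily(platform) {
  if (platform.startsWith('Windows')) return 'windows';
  if (platform.startsWith('Macintosh')) return 'mac';
  if (platform.startsWith('X11')) return 'linux';
  return 'other';
}

// Parse "<share>% .. <ua>" lines. Shares are stored as integer tenths of a
// percent so sums are exact. Anything that is not a self-consistent Firefox
// string (another browser, or rv: and Firefox/ disagreeing) is dropped.
function parseUaList(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = /^(\d+)\.(\d)% \.\. (.+)$/.exec(line.trim());
    if (!m) continue;
    const f = FIREFOX_UA.exec(m[3]);
    if (!f || f[2] !== f[3]) continue;
    entries.push({
      ua: m[3],
      tenths: Number(m[1]) * 10 + Number(m[2]),
      version: Number(f[3]),
      os: osFamily(f[1]),
    });
  }
  return entries;
}

function totalTenths(entries) {
  return entries.reduce((sum, e) => sum + e.tenths, 0);
}

// Share (tenths of a percent) grouped by a field such as "version" or "os".
function shareBy(entries, field) {
  const out = {};
  for (const e of entries) out[e[field]] = (out[e[field]] || 0) + e.tenths;
  return out;
}

// Pick a UA with probability proportional to its share, so rotation favours
// strings that many real visitors send. r is a number in [0, 1).
function pickWeighted(entries, r) {
  if (entries.length === 0) return null;
  const target = r * totalTenths(entries);
  let acc = 0;
  for (const e of entries) {
    acc += e.tenths;
    if (target < acc) return e.ua;
  }
  return entries[entries.length - 1].ua;
}

const pool = parseUaList(UA_LIST);
console.log('entries:', pool.length, 'total %:', totalTenths(pool) / 10);
console.log('by version (tenths of %):', shareBy(pool, 'version'));
console.log('by OS (tenths of %):', shareBy(pool, 'os'));
console.log('next UA:', pickWeighted(pool, Math.random()));
```

The per-version totals show that Firefox 56 and 57 account for most of the pool, so the few 50, 52 and 58 strings are the ones that stand out most when they come up in rotation.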
darkoshi: (Default)
This page on the Apple.com site: Government Information Requests
states: In the second half of 2016, Apple received between 5,750 and 5,999 National Security Orders.

Apple's Transparency Reports - contain details on the various customer information requests received by Apple from 2013 through 2016. The number of national security orders received by Apple increased from less than 500 in 2013, to between 8500 and 9000 in 2016.

See below for the difference between "National Security Orders/Requests" versus National Security Letters.

In this prior post, I linked to another article which stated: the FBI issued nearly 13,000 NSLs in 2015 alone. But that number must have been way under-estimated. Indeed, one of the below articles indicates that over 48,000 NSLs were sent in 2015.

A Decade-Old Gag Order, Lifted (November 2015):
relying on changes made by the Patriot Act, the FBI began issuing hundreds of NSLs demanding credit reports, banking information, or records relating to Internet activity. Some of the NSLs sought information about terrorism suspects, but most sought information about people who were one, two, three, or more degrees removed from anyone suspected of having done anything wrong. According to the Justice Department’s inspector general, the FBI issued a staggering 143,074 NSLs between 2003 and 2005. And every NSL was accompanied by a categorical and permanent gag order.


That link and this one: Doe v. Holder describe a decade-long court battle to get a single gag order lifted. It mentions some changes made to the laws regarding the gag orders during that time, but I'm not clear on the final outcome. I assume that most other NSL recipients are still under similar gag orders which haven't been changed.


Newly published FBI request shines light on National Security Letters (November 2015):

In 2007, the Office of the Inspector General reported that the FBI issued approximately 40,000 to 60,000 letters per year. President Obama’s Intelligence Review Group reported more recently in 2013 that the government issued an average of nearly 60 NSLs per day.
..
Companies can only report NSLs in bands of 1,000, if they're separated from FISA court order requests, or in bands of 250 if reported as a broader "national security request."


The "national security orders" referenced on the Apple.com page must be the broader category, including FISA requests in addition to NSLs, as they are listed in bands of 250. But the last link below indicates there are less than 2000 FISA requests per year, so that doesn't explain the large discrepancy in numbers.

Even the above article implies that in 2013, a total of 365*60 = 25,550 NSLs were issued, while twice as many were issued 6 years prior. I doubt the number would have decreased that much over time, if there were no legal changes governing the issuance of the requests.

US foreign intelligence court did not deny any surveillance requests last year :
The court received 1,457 requests last year [in 2015] on behalf of the National Security Agency and the FBI for authority to intercept communications, including email and phone calls. ... The court did not reject any of the applications in whole or in part, the memo showed.

The total represented a slight uptick from 2014, when the court received 1,379 applications and rejected none.
..
The memo also stated that 48,642 national security letter (NSL) requests were made in 2015 by the FBI.
..
The majority of NSL requests, 31,863, made in 2015 sought information on foreigners, regarding a total of 2,053 individuals, the memo stated.

The FBI made 9,418 requests for national security letters in 2015 for information about US citizens and legal immigrants, regarding a total of 3,746 individuals, it showed.

The FBI also made 7,361 NSL requests for only “subscriber information”, typically names, addresses and billing records, of Americans and foreigners regarding 3,347 different people.
darkoshi: (Default)
My new cellphone has Android Marshmallow. I brought my contacts over from my old phone by exporting them to a vcf file, copying the file to my computer and then to the new SD card, and then importing them to the new phone.

One thing that surprised me is that when I clicked to add a new Contact on the new phone, I got the message "Your new contact will be synchronized with [my Gmail address]". Even after turning Sync OFF for Contacts in the Account Settings (for which I first had to *enable* sync in general, as I had previously turned it completely off), it still gave me that message, with no option of adding the contact without synchronizing.

Now I no longer get the message - maybe because I edited one contact, and it only shows the message before you save any update. But the Add Contact screen still shows "Google Account" along with my Gmail address at the top of the screen, making it appear that the Contact belongs to the Gmail account, rather than simply belonging to the contact list on the phone, as it did on my old phone.

Logging into Gmail on the computer, under Contacts it showed all my phone contacts (which I had never added in Gmail), so it must have synced them when I originally added the Gmail account to the phone (for using the Play Store), before I turned off the auto-sync setting.

Or it is slightly possible they got synced from my old phone, and I never realized it, as I hadn't checked the contacts for that Gmail account before. I never had any reason to think my phone would be syncing my contacts to my Gmail account. But I think I had sync turned off on the old phone too.

Now I tested adding a new contact on the phone, and so far, it does not show up in Gmail on the computer. So hopefully it is working as desired now. I was able to select all the Gmail Contacts on the computer, to delete them all at once from there. I don't email anyone from that account, so it doesn't need contacts anyway.

The apparent lesson for me is:
Make sure Sync is turned off for Contacts in the Google Account settings on the phone, *before* importing contacts.
Or, if I import the contacts before adding the Google Account, put phone into airplane mode and then add the account, and then make sure it is set not to sync Contacts before taking it out of airplane mode.

And now, after reading this: Why can't I save new contacts to my phone or SIM?, I will try out this app which hopefully will let me import and save contacts to the phone without them being linked to any Google account: MyLocalAccount

Ghost

Sunday, February 26th, 2017 02:47 am
darkoshi: (Default)
Ghost in the Shell (1995 version).

Cool opening sound effects/music.

The opening sequence of the naked female body seemed to go on way too long. I suppose they made the anime movie for teenage boys?

I started out watching it with the English dialogue. But that was hard to follow. So I switched to Japanese with English subtitles, and started it back from the beginning.

In the English dialogue, her answer to "What's with all the noise in your brain today?" was "Must be a loose wire".
In the English subtitles, her answer was "It's that time of the month." I wonder if that matches the Japanese version, even though it makes less sense.

The sequence of her disrobing and letting herself fall backwards over the edge of the building... I've seen that before, haven't I? Ah... right, there is a live-action version of this movie coming out, the one with that cool trailer. I wonder how long I've had this item in my Netflix queue.

"The Puppet Master. That phantom hacker, right?" .. "Internationally wanted on dozens of charges of stock manipulation, spying, political engineering, terrorism, and violation of cyber-brain privacy. "

Hmm. "Political engineering". That reference sure doesn't sound like the Wikipedia definition of political engineering. It sounds more like this: The Rise of the Weaponized AI Propaganda Machine. That's not the first article I've read about Cambridge Analytica. I already posted a link to another article about them back in November. This one is even more disturbing than the last one though.

When I searched Google on "political engineering", the ad shown at the top of the page was "How Liberal Are You? - theadvocates.org‎. Take the World's Smallest Political Quiz and find out in minutes." Mmm, no. I don't need to take a quiz to know how liberal I am. Someone *else* wants to know how liberal I am. So that they can build their profile on me, and feed me personalized ads as mentioned in the above article.

The Google results also had 3 other ads, at the *bottom* of the page. Having ads at the bottom seems new. Or maybe not? Maybe they've been there before.

..

"Hope? In the darkness of the sea?"

..

Oh well. It's too late now to watch the whole movie tonight.

..

Two Saturdays in a row that I've worked from home, after working extra hours on Friday too. At least it is enjoyable work, debugging and researching issues. That's why I did it... nobody specifically requested me to, but I have the feeling that I should, as we are near the planned release date and still having all these problems.
darkoshi: (Default)
Yesterday while trying to get my LJ login to persist, I accidentally deleted all cookies. And now today it was Dreamwidth that kept logging me out! Even though I didn't change my Dreamwidth exception, which was working before.

Obviously I didn't completely understand how the cookie exceptions work, so I read up on them, and did some more testing.

Cookie settings - from http://blog.teamtreehouse.com/how-to-create-totally-secure-cookies :

Path: The default value of “/” means every request will get the cookie, while “/forums/” would limit the cookie to just that path.

Domain: Setting “www.example.com” will mean only the exact domain “www.example.com” will be matched, while “.example.com” will also match again any subdomain (forums.example.com, blog.example.com).

Secure: tells the browser (or other http clients) to only send the cookie over SSL connections.

HttpOnly: tells the browser that it should not allow JavaScript to access the contents of the cookie. This is primarily a defense against cross site scripting.


(so apparently "HttpOnly" has nothing to do with HTTP vs HTTPS, but "Secure" does.)

The DW cookies have Path = "/", Domain = ".dreamwidth.org", HttpOnly = true, Send for = "any type of connection" (which must mean Secure=false). So the cookies are sent from the browser to the DW server when any DW page on any subdomain is opened, and for both http and https.

But the Exceptions are what control how long the cookies are stored.

Based on the following pages, you don't have to enter subdomains (and you shouldn't use wildcards) in the URLs for Exceptions - all subdomains are included by default. I.e. "yahoo.com" includes "mail.yahoo.com".
https://bugzilla.mozilla.org/show_bug.cgi?id=336207
https://bugzilla.mozilla.org/show_bug.cgi?id=286499

Based on my testing, HTTP and HTTPS exceptions are mutually exclusive. Adding an "http://" exception will only work on pages using HTTP. Adding an "https://" exception will only work on pages using HTTPS. So if you've set your cookies to be deleted when closing the browser, but you want your "ljloggedin" cookie to persist whether you're logging in from an HTTP *or* an HTTPS dreamwidth page, you need to have "Allow" exceptions for both "http://dreamwidth.org" and "https://dreamwidth.org". Whereas if you are careful to only login from the HTTPS pages, you should only need the latter.
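
An added example (not part of the original post): a small model of how the Path, Domain, Secure and HttpOnly attributes described above decide whether a cookie is attached to a request, run against the Dreamwidth attribute values listed in the post. The dictionary layout, the function names and the `host_only` flag (a cookie set with no Domain attribute, per RFC 6265) are assumptions made for the example.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie):
    """RFC 6265 domain-match; a host-only cookie matches one exact host."""
    host = host.lower()
    domain = cookie["domain"].lower().lstrip(".")
    if cookie["host_only"]:
        return host == domain
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    """RFC 6265 path-match: the prefix must end on a '/' boundary."""
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def would_send(cookie, url):
    """True if a browser would attach this cookie to a request for url."""
    parts = urlsplit(url)
    if cookie["secure"] and parts.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    return domain_match(parts.hostname, cookie) and path_match(parts.path, cookie["path"])

def script_readable(cookie):
    """HttpOnly hides the cookie from page JavaScript; it does not affect transport."""
    return not cookie["httponly"]

# Attributes as the post lists them for the Dreamwidth cookies.
DW_COOKIE = {"name": "ljloggedin", "domain": ".dreamwidth.org", "host_only": False,
             "path": "/", "secure": False, "httponly": True}
# Constructed variant: the same cookie with Secure set.
DW_SECURE = dict(DW_COOKIE, secure=True)
# Constructed host-only cookie limited to one path (names from the quoted article).
FORUM_COOKIE = {"name": "sid", "domain": "www.example.com", "host_only": True,
                "path": "/forums/", "secure": True, "httponly": True}

if __name__ == "__main__":
    for url in ("http://www.dreamwidth.org/", "http://someuser.dreamwidth.org/read",
                "https://www.dreamwidth.org/"):
        print(url, would_send(DW_COOKIE, url), would_send(DW_SECURE, url))
```

With Secure unset, the login cookie goes out in cleartext on every HTTP request to any dreamwidth.org subdomain; the Secure variant is withheld until the request is HTTPS.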
darkoshi: (Default)
I'm configuring my "new" laptop. 13 months after getting it, I've finally moved my files over to it, and started using it as my main computer. I realized I might never finish doing all those other things I wanted to do before moving the files, so finally just went ahead and did the move.

Now, I kept being logged out of LiveJournal, even though I was selecting the checkbox to stay logged in.

My Firefox configuration is set to delete cookies when I close the browser, but I had added an exception for http://livejournal.com. I added another exception for http://www.livejournal.com, but still kept being logged out. Looking at the cookies after logging in showed that they were still set to expire at the end of the session.

Finally, I tried adding an exception for https://livejournal.com. That did the trick. So even though the LiveJournal login page shows "http" in the URL bar, it must be using https behind the scenes.

I didn't have the same trouble with Dreamwidth, as I had added its exception using "https" to begin with, thinking that the Dreamwidth pages used https by default. But now I see that the Dreamwidth pages show "http" in the URL bar too. I must have configured my old laptop to redirect to https for Dreamwidth. Still need to do that here.

I don't see anything on Firefox's Cookies page to indicate whether a cookie was added via HTTP vs HTTPS. I wonder if there is any way to know which version of the URL you need to add as an exception, other than trial and error.

Firefox history

Sunday, October 18th, 2015 11:17 pm
darkoshi: (Default)
I accidentally deleted my Firefox browsing history today. I have a backup from a few months ago, so only a few months are lost.

I only intended to delete the cache, cookies, and active logins. It didn't seem to be working (it wasn't logging me out of Dreamwidth) so I tried several times. On maybe the 3rd attempt, Firefox locked up at 50% CPU for a long time, so I terminated Firefox. Only then did I realize my mistake, and that maybe it was using a lot of CPU while trying to delete a decade's worth of history.

Then I checked my profile folder. My places.sqlite file was 71 MB in size, exactly the same size as my last backup. I wondered if maybe my history wasn't really deleted, even though it was no longer showing up in the History view.

So I installed the SQLite Manager add-on and opened the sqlite file.

Surprisingly, the moz_places table still seems to have all my history entries. The only thing which shows that they are deleted is that visit_count is zero, and last_visit_date is blank.
So the site history is still there, just not the dates of when I visited what. Yet, each entry has an ID, and the IDs are in increasing order based on the dates that I had visited the sites.

I have to assume that the entries are still there only because I terminated Firefox while it was in the middle of doing its deletes. According to this bug: Clearing firefox's browser history doesn't change places.sqlite file size, the deleted data should be getting zero-filled even if the file size remains the same. But that comment is 8 years old. The last comment seems to indicate the data may not be actually getting deleted or zero-filled, only hidden.

In comparing the current places.sqlite with the backup, the IDs of the old entries don't match up... the current one seems to be missing entries compared to the old one, even though the total number of entries is only different by 46. So... I guess old entries have been getting deleted automatically by Firefox anyway in the last months, due to the maximum allowed history size.

Hmm.

Let me try the delete again, without terminating it this time. I'll take my shower in the meanwhile. Then I'll check if the entries really get deleted.

Update: Allrighty, over an hour later and the Firefox window still hasn't refreshed, and Firefox is still using 50% CPU. (I'm posting this from a different browser). It can't take that long to clear out 71 MB of data. Or rather 61 MB, as I had earlier decreased the size by running the places maintenance add-on. So it must be looping, or have a serious performance issue. Oh well. I don't have the time to research it more. I'll just revert to my old backed up history.

... After closing Firefox, the places.sqlite file didn't change in size, but the places.sqlite-wal file was over 465 MB! Now after restarting Firefox, the latter file is back down to 37 MB. SQLite Manager is showing that the moz_places table now has about 1000 fewer entries in it (out of 104k) than before. Serious performance issue.
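
An added example (not part of the original post): a read-only audit that repeats the check described above, counting `moz_places` rows whose URL is still stored although `visit_count` is zero and `last_visit_date` is blank, and reporting the size of the `-wal` file next to the database. The sample database is constructed and contains only the columns the post mentions; the function names are assumptions.

```python
import os
import sqlite3
from pathlib import Path

def open_readonly(path):
    """Open a copy of places.sqlite read-only so the audit cannot change it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def sidecar_sizes(path):
    """Sizes in bytes of the -wal/-shm files next to the database, if present."""
    base = os.fspath(path)
    return {ext: os.path.getsize(base + ext)
            for ext in ("-wal", "-shm") if os.path.exists(base + ext)}

def audit_places(conn):
    """Count URLs that are still stored although their visit data is gone."""
    total = conn.execute("SELECT COUNT(*) FROM moz_places").fetchone()[0]
    dated = conn.execute(
        "SELECT COUNT(*) FROM moz_places WHERE last_visit_date IS NOT NULL"
    ).fetchone()[0]
    residual = conn.execute(
        "SELECT id, url FROM moz_places "
        "WHERE visit_count = 0 AND last_visit_date IS NULL ORDER BY id"
    ).fetchall()
    return {"total": total, "dated": dated, "residual": residual}

def build_sample_db():
    """Constructed stand-in for places.sqlite (simplified moz_places table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                 "visit_count INTEGER, last_visit_date INTEGER)")
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", [
        (101, "https://example.org/a", 0, None),   # visit data cleared, URL remains
        (102, "https://example.net/b", 0, None),
        (250, "https://example.com/c", 3, 1445200000000000),  # still has a visit date
        (251, "https://example.org/d", 0, None),
    ])
    return conn

if __name__ == "__main__":
    report = audit_places(build_sample_db())
    print(f"{report['total']} rows, {report['dated']} with a visit date")
    for row_id, url in report["residual"]:
        # Ascending ids still reveal the order in which URLs were first stored.
        print("still stored:", row_id, url)
```

Run it against a copy of the profile's `places.sqlite` via `open_readonly()`. Bookmarked URLs are stored in `moz_places` too, so some zero-visit rows are expected even after a complete clear.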

Page generated Thursday, July 3rd, 2025 11:55 am