(morning writing, privacy)

Nov 22, 2024 05:57

TL;DR if you have an Android phone go turn off the tracking ID: https://www.eff.org/deeplinks/2022/05/how-disable-ad-id-tracking-ios-and-android-and-why-you-should-do-it-now

Yay we have fiber. This has gone as well as possible, really. Except now all our LAN (local area network) lives in the cloud. My threat perimeter has just become as big as a publicly traded company i never heard of called Calix. I am well aware all my network traffic went through ShinyFast's little paws and, y'know, wasn't thrilled. I'm sure enough of that traffic is revealing. Certainly linking me to this identity through the hostname in the URL. But now every device that is on our local network is visible to Calix and ShinyFast, that is every phone, computer, tablet, and network device -- which printer, etc etc. An inventory of what systems might be hacked, if you will.

I've spent time being irritated and getting little comfort from reddit folks about Calix security. Sure, no CVE for Calix but if all the equipment is managed by the telecoms why would the CVEs need to be public. And bleeping searches for Calix and security bring up pages and pages from Calix. On the other hand, the public filings have reasonable security risk disclaimers and the security reporting agreement doesn't seem particularly problematic: i like the explicit call out that security research is important and they grant permission within the terms of the agreement. So that's a plus.

Still. Ew. If i had a choice about broadband providers i might not be so -- irritated. Not having a choice and finding ShinyBright so railroading of decisions, incorrect in various assertions (lying?), doesn't help restore trust that i'm trying to ground in the premise, "Their copper service is the pits because they are focusing on fiber; fiber is their focus."

Good news after some power blinks when apparently some trees hit the lines in town: the network stayed up!

Current research is into getting an additional router to have on our side of the fancy shiny Calix router. Keep the now-VOIP phone which requires Calix's router -- an additional number is useful since marketers have twigged that you might have many email addresses but phone numbers are surely good correlates for an identity [1] -- and see about using a VPN to isolate traffic, including DNS, from ShinyFast.

Security perimeter:

With new router, information about specific devices stays at home. Eg: right now my phone is on the home network and in airplane mode. If we had a router, external observation wouldn't know whether the phone was here or not.

However, ShinyFast would still see lots of chatter with Samsung, presumably to hosts that are correlated with phone service, and that chatter stops at times correlated to when my phone leaves the house.

With a router-based VPN and careful routing of DNS requests, ShinyFast would just see use of that VPN (and ideally the work VPN would not go through the household VPN). It's also possible we would let the TV be exempt from the VPN, because i am not sure i trust any of the media services anyhow so, fine, ShinyFast, you have at that data too (reducing any VPN bandwidth charges, latency, or throttling).

--== ∞ ==--

I am so aware of just how visible so much of my digital life is, how little protection there is for that in the US. In New Jersey there's a law to protect the addresses, phone numbers of law enforcement and the judiciary, and marketers slurping up this data don't follow it. Probably fail to follow California and laws in a few other states. And evidence in Europe -- i don't think i saved the reference -- is that even when you make a clear assertion to a website, no thank you, no tracking -- they do it anyway because their consent code isn't wired in correctly to the site code.

https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

I'm preparing to present how Google's change in plans regarding third party cookies will affect authentication flows for research and higher ed, so i am in the deep end of tracking information this week.  My searches to find out if Google has announced the new consent mode now? what about now? (to distract a little from the Justice department break-up recommendation?) turn up so many articles about how marketers can continue to track post third party cookies. (Slides are due before the end of the month for a ..10 December?... presentation. I'm guessing a slide for "and the latest news" that's blank is going to be how this goes down.)

Anyhow, it's all depressing and it's depressing to live in a country where i don't begin to believe any civil liberties rules will be passed that make it less easy for anyone to surveil and spy, and any tech bro who can think to make an exploitive buck... OK, i gotta go to work.

I will say i really think the Chrome engineers i am working with really do want to make a safer, more private internet. On the other hand, the UK's been enforcing an unfair marketing competition decision about Chrome and Google for a while, so Chrome can't just quit doing things like Safari and Firefox can. So stop using that browser and switch to Firefox. Or Safari, but that's Apple as a benevolent overlord.

[1] I am happy to expand on this if you ask
