Stubsack: weekly thread for sneers not worth an entire post, week ending 29th December 2024 - awful.systems
awful.systems
Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful youā€™ll near-instantly regret. Any awful.systems sub may be subsneered in this subthread, techtakes or no. If your sneer seems higher quality than you thought, feel free to cutā€™nā€™paste it into its own post ā€” thereā€™s no quota for posting and the bar really isnā€™t that high. > The post Xitter web has spawned soo many ā€œesotericā€ right wing freaks, but thereā€™s no appropriate sneer-space for them. Iā€™m talking redscare-ish, reality challenged ā€œculture criticsā€ who write about everything but understand nothing. Iā€™m talking about reply-guys who make the same 6 tweets about the same 3 subjects. Theyā€™re inescapable at this point, yet I donā€™t see them mocked (as much as they should be) > > Like, there was one dude a while back who insisted that women couldnā€™t be surgeons because they didnā€™t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I canā€™t escape them, I would love to sneer at them. (Semi-obligatory thanks to @dgerard for starting this [https://awful.systems/post/1162442].)

Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful youā€™ll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cutā€™nā€™paste it into its own post ā€” thereā€™s no quota for posting and the bar really isnā€™t that high.

The post Xitter web has spawned soo many ā€œesotericā€ right wing freaks, but thereā€™s no appropriate sneer-space for them. Iā€™m talking redscare-ish, reality challenged ā€œculture criticsā€ who write about everything but understand nothing. Iā€™m talking about reply-guys who make the same 6 tweets about the same 3 subjects. Theyā€™re inescapable at this point, yet I donā€™t see them mocked (as much as they should be)

Like, there was one dude a while back who insisted that women couldnā€™t be surgeons because they didnā€™t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I canā€™t escape them, I would love to sneer at them.

(Semi-obligatory thanks to @dgerard for starting this, and happy new year in advance.)

  • skillissuer@discuss.tchncs.deEnglish
    5Ā·
    3 days ago

    now i wonder how much of that is blocked by firefox enhanced tracking protection. not all, of course, and itā€™s probably much more than needed for unique identifier. thereā€™s mozilla security blog post on this topic says that some anti-fingerprinting measures were built in all the way back in 2020 (firefox 72)

    • Sailor Sega Saturn@awful.systemsEnglish
      9Ā·
      3 days ago

      Above I listed a bunch of things which would help narrow down browser version, but thatā€™s hopeless anyway ā€“ an adversary will probably be able to figure out your rough browser version even if you fake the UA string, and that youā€™re running in anti-fingerprinting mode.

      So assuming thatā€™s out of scope I think these are probably the big categories:

      • Normalize any system information presented to webpage (e.g. remove minor version from UA header, remove OS from UA header, etc)
      • Canvas, WebGL, and WebGPU need to be implemented in software in a deterministic way. Similarly any compositing (including stuff like font shaping, SVG rendering, page layout) must be done in software (prevent GPU fingerprinting)
      • A fixed font set must be used rather than using the system font set (prevent fingerprinting font enthusiasts)
      • The device size / frame size (and position) must be lied about (e.g. rounded to a common resolution or a multiple of 100px), and layout adjusted appropriately (Mozilla calls this ā€œLetterboxingā€) (prevent fingerprinting psychos who donā€™t run their browser in fullscreen mode).
      • Page storage should be disabled or cleared (local / session storage, cookies, service workers, indexeddb, etc) (A cookie by any other name would taste as sweet)
      • Caching is a big problem, probably have to disable it entirely (including HTTP caching, HTTP caching at the ISP level*, DNS lookups, favicons, JavaScript compilation cache) (Pesky pesky global state).
      • Performance metrics are another big problem. Disabling JavaScript would go a long way here but you probably canā€™t prevent them entirely unless youā€™re prepared to go to unhealthy extremes** (this is like the past 10 years of cutting edge security research so weā€™re doomed)
      • Disable any plugins or other customizations which may provide a fingerprint accessible to the webpage (oops it turned out the FBI caught me because I configured my browser to inject pictures of cute bunnies into every webpage).
      • And of course IP address, which you presumably want to do something about (proxy?)

      That said while Iā€™ve worked with browsers, Iā€™m not in the biz of fingerprinting or anti-fingerprinting, so thereā€™s surely stuff I havenā€™t thought of.

      * Actually we should probably just disable non-HTTPS entirelyā€¦

      ** Running under a VM is probably the minimum required to mitigate the chances of cutting-edge side-channel timing attacks from James Bond level adversaries, but at that point maybe you just want a dedicated browsing computer heh. I did chuckle at the idea of someone trying to apply cryptographic constant-time algorithm techniques to writing a browser though.