Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful youā€™ll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cutā€™nā€™paste it into its own post ā€” thereā€™s no quota for posting and the bar really isnā€™t that high.

The post Xitter web has spawned soo many ā€œesotericā€ right wing freaks, but thereā€™s no appropriate sneer-space for them. Iā€™m talking redscare-ish, reality challenged ā€œculture criticsā€ who write about everything but understand nothing. Iā€™m talking about reply-guys who make the same 6 tweets about the same 3 subjects. Theyā€™re inescapable at this point, yet I donā€™t see them mocked (as much as they should be)

Like, there was one dude a while back who insisted that women couldnā€™t be surgeons because they didnā€™t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I canā€™t escape them, I would love to sneer at them.

(Credit and/or blame to David Gerard for starting this.)

  • self@awful.systemsEnglish
    7Ā·
    7 hours ago

    thatā€™s one of the problems Iā€™ve noticed in almost every online privacy community since I was young: a lot of it is just rich asshole security cosplay, where the point is to show off what you have the privilege to afford and free time to do, even if it doesnā€™t work.

    I bought a used phone to try GrapheneOS, but it only runs on 6th-9th gen Pixels specifically due to the absolute state of Android security and backported patches. itā€™s surprisingly ok so far? itā€™s definitely a lot less painful than expected coming from iOS, and itā€™s got some interesting options to use even potentially spyware-laden apps more privately and some interesting upcoming virtualization features. but also its core dev team comes off as pretty toxic and some of their userland decisions partially inspired my rant about privacy communities; the other big inspiration was privacyguides.

    and the whole time my brainā€™s like, ā€œthis is seriously the best weā€™ve got?ā€ cause neither graphene nor privacyguides seem to take the real threats facing vulnerable people particularly seriously ā€” or theyā€™d definitely be making much different recommendations and running much different communities. but online privacy has unfortunately always been like this: itā€™s privileged people telling the vulnerable they must be wrong about the danger theyā€™re in.

    • BlueMonday1984@awful.systemsOPEnglish
      4Ā·
      6 hours ago

      some of their userland decisions partially inspired my rant about privacy communities; the other big inspiration was privacyguides.

      I need to see this rant. If you can link it here, Iā€™d be glad.

      • self@awful.systemsEnglish
        5Ā·
        6 hours ago

        oh I meant the rant that started this thread, but fuck it, letā€™s go, welcome to the awful.systems privacy guide

        grapheneOS review!

        pros:

        • provably highly Cellebrite-resistant due to obsessive amounts of dev attention given to low-level security and practices enforced around phone login
        • almost barebones AOSP! for better or worse
        • sandboxed Google Play Services so you can use the damn phone practically without feeding all your data into Googleā€™s maw
        • buggy but usable support for Android user profiles and private spaces so you can isolate spyware apps to a fairly high degree
        • thereā€™s support coming for some very cool virtualization features for securely using your phone as one of them convertible desktops or for maybe virtualizing graphene under graphene
        • itā€™s probably the only relatively serious choice for a secure mobile OS? and thatā€™s depressing as fuck actually, how did we get here

        cons:

        • the devs seem toxic
        • the community is toxic
        • almost barebones AOSP! so good fucking luck when the AOSP implementation of something is broken or buggy or missing cause the graphene devs will tell you to fuck off
        • the project has weird priorities and seems to just forget to do parts of their roadmap when their devs lose interest
        • their browser vanadium seems like a good chromium fork and a fine webview implementation but lacks an effective ad blocker, which makes it unsafe to use if your threat model includes, you know, the fucking obvious. the graphene devs will shame you for using anything but it or brave though, and officially recommend using either a VPN with ad blocking or a service like NextDNS since they donā€™t seem to acknowledge that network-level blocking isnā€™t sufficient
        • thereā€™s just a lot of userland low hanging fruit it doesnā€™t have. like, youā€™re not supposed to root a grapheneOS phone cause that breaks Androidā€™s security model wide open. cool! do they ship any apps to do even the basic shit youā€™d want root for? of course not.
        • youā€™ll have 4 different app stores (per profile) and not know which one to use for anything. if you choose wrong the project devs will shame you.
        • the docs are wildly out of date, of course, why wouldnā€™t they be. presumably Iā€™m supposed to be on Matrix or Discord but Iā€™m not going to do that

        and now the NextDNS rant:

        this is just spyware as a service. why in fuck do privacyguides and the graphene community both recommend a service that uniquely correlates your DNS traffic with your account (even the ā€œtry without an accountā€ button on their site generates a 7 day trial account and a DNS instance so your usage can be tracked) and recommend configuring it in such a way that said traffic can be correlated with VPN traffic? this is incredibly valuable data especially when tagged with an individualā€™s identity, and the only guarantee you have that they donā€™t do this is a promise from a US-based corporation that will be broken the instant they receive a court order. privacyguides should be ashamed for recommending this unserious clown shit.

        • sinedpick@awful.systemsEnglish
          3Ā·
          5 hours ago

          their browser vanadium seems like a good chromium fork and a fine webview implementation but lacks an effective ad blocker, which makes it unsafe to use if your threat model includes, you know, the fucking obvious. the graphene devs will shame you for using anything but it or brave though, and officially recommend using either a VPN with ad blocking or a service like NextDNS since they donā€™t seem to acknowledge that network-level blocking isnā€™t sufficient

          No firefox with ublock origin? Seems like that would be the obvious choice here (or maybe not due to Mozillaā€™s recent antics)

          • self@awful.systemsEnglish
            4Ā·
            5 hours ago

            the GrapheneOS developers would like you to know that switching to Ironfox, the only Android Firefox fork (to my knowledge) that implements process sandboxing (and also ships ublock origin for convenience) (also also, the Firefox situation on Android looks so much like intentional Mozilla sabotage, cause they have a perfectly good sandbox sitting there disabled) is utterly unsafe because it doesnā€™t work with a lesser Android sandbox named isolatedProcess or have the V8 sandbox (because it isnā€™t V8) and its usage will result in your immediate death

            so anyway Iā€™m currently switching from vanadium to ironfox and itā€™s a lot better so far

            • nightsky@awful.systemsEnglish
              5Ā·
              4 hours ago

              and its usage will result in your immediate death

              This all-or-nothing approach, where compromises are never allowed, is my biggest annoyance with some privacy/security advocates, and also it unfortunately influences many software design choices. Since this is a nice thread for ranting, hereā€™s a few examples:

              • LibreWolf enables by default ā€œresist fingerprintingā€. Thatā€™s nice. However, that setting also hard-enables ā€œsmooth scrollingā€, because apparently having non-smooth scrolling can be fingerprinted (that being possible is IMO reason alone to burn down the modern web altogether). Too bad that smooth scrolling sometimes makes me feel dizzy, and then I have to disable it. So I donā€™t get to have ā€œresist fingerprintingā€. Cool.
              • Some of the modern Linux software distribution formats like Snap or Flatpak, which are so super secure that some things just donā€™t work. After all, the safest software is the one you canā€™t even run.
              • Locking down permissions on desktop operating systems, because I, the sole user and owner of the machine, should not simply be allowed to do things. Things like using a scanner or a serial port. Which is of course only for my own protection. Also, I should constantly have to prove my identity to the machine by entering credentials, because what if someone broke into my home and was able to type ā€œdmesgā€ without sudo to view my machineā€™s kernel log without proving that they are me, that would be horrible. Every desktop machine must be locked down to the highest extent as if it was a high security server.
              • Enforcement of strong password complexity rules in local only devices or services which will never be exposed to potential attackers unless they gain physical access to my home
              • Possibly controversial, but Iā€™ll say it: web browsers being so annoying about self-signed certificates. Please at least give me a checkbox to allow it for hosts with rfc1918 addresses. Doesnā€™t have to be on by default, but why canā€™t that be a setting.
              • The entire reality of secure boot on most platforms. The idea is of course great, I want it. But implementations are typically very user-hostile. If you want to have some fun, figure out how to set up a PC with a Linux where you use your own certificate for signing. (I havenā€™t done it yet, I looked at the documentation and decided there are nicer things in this world.)

              This has gotten pretty long already, I will stop now. To be clear, this is not a rant against securityā€¦ I treat security of my devices seriously. But Iā€™m annoyed that I am forced to have protections in place against threat models that are irrelevant, or at least sufficiently negligible, for my personal use cases. (IMO one root cause is that too much software these days is written for the needs of enterprise IT environments, because thatā€™s where the real money is, but thatā€™s a different rant altogether.)

              • self@awful.systemsEnglish
                2Ā·
                2 hours ago

                To be clear, this is not a rant against securityā€¦ I treat security of my devices seriously.

                exactly! and taking this shit seriously is why this overbearing shit sucks, especially when itā€™s theater or enforced for threats that arenā€™t realistic for your threat model. unlike some of these fuckers, we both actually intend to daily the devices weā€™re locking down.

                because apparently having non-smooth scrolling can be fingerprinted (that being possible is IMO reason alone to burn down the modern web altogether)

                oh I fucking hate this. itā€™s the same shit as forcing dark mode off/on as part of fingerprinting protection. not only is this the absolute wrong way to fix that shit, itā€™s pretty monstrous for anyone who needs dark mode or light mode to use their device in anything resembling comfort ā€” your user may have a visual impairment or severe light sensitivity, and now theyā€™re fucked cause the developers couldnā€™t accept a minor fingerprinting risk (and light/dark mode and smooth scrolling are both utterly minor, to be real)

                Possibly controversial, but Iā€™ll say it: web browsers being so annoying about self-signed certificates.

                motherfucker yes! the CA infrastructure is nowhere near usable for all cases and we all know it, but locking down the web and making development and self-hosting fucking annoying is the game for the browser vendors and Google in particular. to add to this: why the fuck is my browser acting like me not having a cert for localhost is a tragedy? why does the browser sandbox not allow certain shit unless Iā€™m using https of all things to access localhost? where precisely is the fucking threat here? (Iā€™m sure some well-paid security asshole at one of the browser vendors could snark a list of unlikely shit as reasons why local host needs to be treated as insecure with no toggle or dev tools option to treat it otherwiseā€¦ and I just donā€™t give a fuck)

                The entire reality of secure boot on most platforms

                Iā€™d love good secure boot! the one on PCs ainā€™t it at all, and unfortunately the secure ones tend to be used to lock out device owners from modifying what they own and implement shit like attestation thatā€™s just there to violate your rights and make sure youā€™re not blocking ads, so unfortunately good secure boot might be incompatible with capitalism. for now though at least graphene seems to benefit from a secure secure boot chain that hasnā€™t been locked down yet?

              • froztbyte@awful.systemsEnglish
                3Ā·
                3 hours ago

                hey those are my gripes with much of modern computing, give them back! Iā€™m gonna tell mom

                so much more software needs a ā€œI know what Iā€™m doing, shut the fuck upā€ button

          • BlueMonday1984@awful.systemsOPEnglish
            2Ā·
            5 hours ago

            No firefox with ublock origin? Seems like that would be the obvious choice here (or maybe not due to Mozillaā€™s recent antics)

            Librewolf with uBlock Originā€™s probably the go-to right now.