-1
submitted 8 months ago by evenwicht@lemmy.sdf.org to c/rant@lemmy.sdf.org

cross-posted from: https://lemmy.sdf.org/post/40709622

Getting burnt by repair-hostile makers of washing machines who refuse to share documentation inspired this form letter (in LaTeX):

\documentclass[DIV=16]{scrlttr2}

%\LoadLetterOption{NF}              % uncomment for French standard windowed envelope
%\LoadLetterOption{DIN}             % uncomment for German standard windowed envelope
%\LoadLetterOption{UScommercial9DW} % uncomment for US standard double-windowed envelope

\usepackage{ragged2e} % needed to restore the loss of paragraph indents when \raggedright is used
\usepackage{hyperref}

\setlength{\RaggedRightParindent}{\parindent} % restore the loss of paragraph indents when \raggedright is used
\RaggedRight

\newcommand{\appliance}{washing machine} % replace with whatever you need to buy
\newcommand{\mfr}{Machine Maker} % replace with Whirlpool, or whatever
\newcommand{\mfrAddress}{123 sesame street\\90210} % replace with mfr address

\begin{document}

\begin{letter}{%
  \mfr\\
  \mfrAddress}

  \opening{Dear \mfr,}

I am in the market for a \appliance.
When I asked the local retailer (whose profession is to sell your products)
which \mfr\ models include service manuals, they were helpless.
Could not find a single machine that respects consumers and thus their right to repair.
Zero. Every product by \mfr\ in their showroom was anti-consumer.

There are no service manuals published on your website either.
When looking at various second-hand models, many basic user guides were missing as well,
apparently depending on the age of the unit.

I will not buy a disposable anti-consumer \appliance.
Those are for stupid consumers.
A \emph{\bfseries good} \appliance\ meets these criteria:

  \begin{enumerate}
  \item has a \emph{good} service manual which is available to anyone, free of charge
  \item has no cloud-dependency (\emph{all} functionality accessible without Internet)
  \item has no app, OR has a \emph{good} app
  \end{enumerate}

  A \emph{good} app satisfies these criteria:
  \begin{itemize}
  \item open source
  \item requires no patronisation of Google or Apple to obtain
  \item has an APK file directly on your website or on f-droid.org
  \end{itemize}

  A \emph{good} service manual meets these criteria:
  \begin{itemize}
  \item wiring diagram
  \item parts diagram with part numbers
  \item inventory of components including the manufacturers and models, and functional resistance ranges ($\Omega$)
  \item error codes and their meanings
  \item steps to reach diagnostic mode and steps to use it
  \end{itemize}

Do you make any \emph{good} pro-consumer \appliance s with a good service manual, with no bad apps?
If yes, please send me the service manual and I will take your product seriously.
If not, you are sure to lose the competition.
If everyone else loses the competition as well, then I will continue washing my clothes by hand
-- perhaps with this repairable machine: \url{www.thewashingmachineproject.org}.


  \closing{Sincerely,}
\end{letter}

\end{document}

I suggest sending that letter to every manufacturer making machines for your region. It will get no results but it will send the message they don’t hear enough of.

8

cross-posted from: https://lemmy.sdf.org/post/38677119

Indeed it was stupid for someone to send a large sensitive dataset over email. But what I find annoying is the lack of chatter about which email servers were compromised.

Was it Microsoft, considering probably 90+% of all gov agencies use it?

4
submitted 9 months ago* (last edited 9 months ago) by evenwicht@lemmy.sdf.org to c/rant@lemmy.sdf.org

cross-posted from: https://lemmy.sdf.org/post/38191434

High-level EU courts apparently assume all those who read their acronym-littered opinions and judgements are Subject Matter Experts (SMEs) who already know what the acronyms stand for.

I’m not a lawyer but this seems sloppy from a legal standpoint because an acronym that is never expanded is ambiguous. It creates room for confusion and misinterpretation in the worst case, and in the very least wastes the reader’s time on investigation.

Have lawyers and judges not been trained on this? As a technologist, my training included the good practice of expanding every single acronym the first time it appears, as I did above with “SME”, as well as the extra diligent but optional practice of including a section at the end with all expansions.

I realise that the whole legal industry is made up of mostly tech illiterates. Geeks have the advantage of being able to use LaTeX with the acro package¹, which enables us to write acronyms without thinking about where it first appears because the software automatically expands the first occurrences (or as we specify). Legal workers have probably limited themselves to dumbed down tools like MS Word which probably does not automate this, but nonetheless it’s the writer’s duty to see that acronym expansion happens.

Abbreviations:

SME: Subject Matter Expert

¹ In LaTeX, the preamble would have \DeclareAcronym{sme}{short=SME, long=Subject Matter Expert} and throughout the document each instance would be written as \ac{sme}.

[-] evenwicht@lemmy.sdf.org 4 points 9 months ago* (last edited 9 months ago)

That’s too short to qualify as a rant. Do whatever necessary to get some outrage built up, then come back to us with ~3 or so paragraphs.

If you need help, consider using the “angrier” parameter with 5 peppers on this page: https://goblin.tools/Formalizer

[-] evenwicht@lemmy.sdf.org 3 points 9 months ago* (last edited 9 months ago)

It’s a good “cover for action”, considering most of the printers that have the stego are naturally incapable of achieving the high quality needed to counterfeit banknotes. And those that are high enough quality are artificially crippled to be incapable of producing an exact match on the colors used in banknotes. Printers are generally lousy at matching colors. IIRC, Epson supplied software that would alter the photo displayed on your screen to best match what the printer could do, because demanding that the printer precisely match the source color is unrealistic.

Self-regulation out of fear of regulation is a tough sell. What regulation do they risk if they don’t self-regulate, other than the very same outcome: tracker dots?

Like a lot of surveillance, there is the cover story and then there is the real reason.

Nonetheless, I appreciate the comment... it’s always good to be aware of the /official narrative/ regardless.

[-] evenwicht@lemmy.sdf.org 15 points 9 months ago* (last edited 9 months ago)

Printer makers have no legal obligation to surreptitiously fingerprint every page printed.

Frankly, you are simply stupid if you believe this.

Citation needed on the legal statute. Also, please show us cases where printer models /without/ tracker dots led to prosecution of the printer maker.

[-] evenwicht@lemmy.sdf.org 2 points 9 months ago

That’s not the worst of it. If you fill out a USPS change of address form, they surreptitiously sell that information to others.

So you should never fill out that form. Buy stamps if necessary to tell each entity your new address. It’s the only way to get some control over the disclosure.

49
submitted 9 months ago* (last edited 9 months ago) by evenwicht@lemmy.sdf.org to c/rant@lemmy.sdf.org

It’s worth watching; interesting.. insightful. But it’s very disturbing that they concealed the most important fact: how she was caught.

Most printers secretly print a concealed unique code (typically a serial number) on every printed page using small faint yellow dots. The naked eye overlooks them but under magnification they can be seen. Reality Winner printed the classified document from a shared office printer. Then she simply mailed the paper doc to The Intercept.

IIUC, the Intercept was not smart enough to do any further processing. They simply published an exact copy that was high enough quality that the tracker dots were reproduced. (really? Hard to believe). The leak was thus easily tracked to the shared printer used by Winner. Then it was trivial to narrow down to Winner.

The omission in the documentary is disturbing because that is the one fact that touches everyone. It’s a missed opportunity to inform consumers, who buy printers with an expectation that the printer will serve them - the owner. Printer makers have no legal obligation to surreptitiously fingerprint every page printed. They voluntarily decided to conspire against the hand that feeds them, the consumer, whose trust they should have lost.

Initially the EFF was tracking the models of compromised printers. Then they decided one day to end the project stating that so many printers do it that there is insufficient value to keeping track of them.

This is why I will not buy a color printer. No, it’s not paranoia (neither sensible paranoia nor crazy). It’s ethics. I have enough dignity and self-respect to refuse to feed my oppressors and buy something that is designed to deceptively work against me. Omitting the widespread existence of tracker dots from the video strips consumers of information about the insidious extent to which they are buying anti-consumer products.

The documentary itself is another instance of a supplier disservicing the paying consumer, by withholding useful information.

[-] evenwicht@lemmy.sdf.org 3 points 9 months ago

equifax/transunion: oh, look! we don’t care why, but there are “too many different phone numbers” being reported for you. we’re lowering your credit score

I treat all members of the credit bureau (all banks, insurance companies, etc) the same when it comes to info sharing, just as if it’s all the same org. Because they all share the info via the credit bureau. If you give a different number to every bank, every bank can see all the numbers you gave to other banks through the credit bureau.

I give just one useless number to all of them. A FAX number. Banks have no hope of getting me on the phone. But fuck them.. they create this mess by joining the credit bureau. They’ve demonstrated that they cannot be trusted with useful info. So for self-defense, consider making every bit of info you give as useless as possible.

You might be interested to know that the phone numbers on your credit report never mention the source who reported the phone number, which is unlawful. I wrote this thread about it:

The law that all US credit bureaus violate, bluntly, simply because there is no enforcement mechanism: data source disclosure

[-] evenwicht@lemmy.sdf.org 1 points 11 months ago

I have not tried much of anything yet. I just got a cheap laptop with a BD which came with Windows and VLC. I popped in a blu-ray disc from the library and it could not handle it.. something about not having an aacs decoder or something like that. I didn’t spend any time on it yet but ultimately in principle I would install debian and try to liberate the drive to read BDs.

9
submitted 1 year ago* (last edited 11 months ago) by evenwicht@lemmy.sdf.org to c/selfhosting@slrpnk.net

There is a periodic meeting of linux users in my area where everyone brings laptops and connects to a LAN. Just wondering if I want to share files with them, what are decent options? Is FTP still the best option or has anything more interesting emerged in the past couple decades? Guess I would not want to maintain a webpage so web servers are nixed. It’s mainly so ppl can fetch linux ISO images and perhaps upload what they have as well.

(update) options on the table:

  • ProFTPd
  • OpenSSH SFTP server (built into SSHd)
  • SAMBA
  • webDAV file server - maybe worth a look, if other options don’t pan out; but I imagine it most likely does not support users uploading

I started looking at OpenSSH but it’s very basic. I can specify a chroot dir that everyone lands in, but it’s impossible to give users write permission in that directory. So there must be a subdir with write perms. Seems a bit hokey.. forces people to chdir right away. I think ProFTPd won’t have that limitation.

[-] evenwicht@lemmy.sdf.org 2 points 1 year ago

Wow, thanks for the research and effort! I will be taking your approach for sure.

[-] evenwicht@lemmy.sdf.org 10 points 1 year ago

I’ll have a brief look but I doubt ffmpeg would know about DVD CSS encryption.

85

Translating the Debian install instructions to tor network use, we have:

  torsocks wget https://apt.benthetechguy.net/benthetechguy-archive-keyring.gpg -O /usr/share/keyrings/benthetechguy-archive-keyring.gpg
  echo "deb [signed-by=/usr/share/keyrings/benthetechguy-archive-keyring.gpg] tor+https://apt.benthetechguy.net/debian bookworm non-free" > /etc/apt/sources.list.d/benthetechguy.list
  apt update
  apt install makemkv

apt update yields:

Ign:9 tor+https://apt.benthetechguy.net/debian bookworm InRelease
Ign:9 tor+https://apt.benthetechguy.net/debian bookworm InRelease
Ign:9 tor+https://apt.benthetechguy.net/debian bookworm InRelease
Err:9 tor+https://apt.benthetechguy.net/debian bookworm InRelease
  Connection failed [IP: 127.0.0.1 9050]

Turns out apt.benthetechguy.net is jailed in Cloudflare. And apparently the code is not developed out in the open -- there is no public code repo or even a bug tracker. Even the forums are a bit exclusive (registration on a particular host is required and disposable email addresses are refused). There is no makemkv IRC channel (according to netsplit.de).

There is a blurb somewhere that the author is looking to get MakeMKV into the official Debian repos and is looking for a sponsor (someone with a Debian account). But I wonder if this project would even qualify for the non-free category. Debian does not just take any non-free s/w.. it's more for drivers and the like.

Alternatives?


The reason I looked into #makemkv was that Handbrake essentially forces users into a long CPU-intensive transcoding process. It cannot simply rip the bits as they are. MakeMKV relieves us of transcoding at the same time as ripping. But getting it is a shit show.

8

From the article:

“In terms of cost, we estimate that – during over 13 years of its deployment – 819 million hours of human time has been spent on reCAPTCHA, which corresponds to at least $6.1 billion USD in wages. Traffic resulting from reCAPTCHA consumed 134 Petabytes of bandwidth, which translates into about 7.5 million kWhs of energy, corresponding to 7.5 million pounds of CO₂. In addition, Google has potentially profited $888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set.”

This means when a CAPTCHA serves as a barrier between people and an essential public transaction, people are being forced into involuntary uncompensated servitude. I believe this is a human rights issue.

2

Since this community discusses CAPTCHA (see sidebar), I thought I should plug a community I just started. !captcha_required@lemmy.sdf.org is not about CAPTCHA in general, but it has the sole purpose of collecting situations where people are forced to solve a CAPTCHA in the public sector.

[-] evenwicht@lemmy.sdf.org 2 points 1 year ago* (last edited 1 year ago)

Does pdfinfo give any indication of the application used to create the document?

Oracle Documaker PDF Driver
PDF version: 1.3

If it chokes on the Java bit up front, can you extract just the PDF from the file and look at that?

Not sure how to do that but I did just try pdfimages -all which was not useful since it’s a vector PDF. pdfdetach -list shows 0 attachments. It just occurred to me that pdftocairo could be useful as far as a CLI way to neuter the doc and make it useable, but that’s a kind of a lossy meat-grinder option that doesn’t help with analysis.

You might also dig through the PDF a bit using Didier Stevens's Tools,

Thanks for the tip. I might have to look into that. No readme.. I guess this is a /use the source, Luke/ scenario. (edit: found this).

I appreciate all the tips. I might be tempted to dig into some of those options.

[-] evenwicht@lemmy.sdf.org 3 points 1 year ago* (last edited 1 year ago)

Your assertion that the document is malicious without any evidence is what I’m concerned about.

I did not assert malice. I asked questions. I’m open to evidence proving or disproving malice.

At some point you have to decide to trust someone. The comment above gave you reason to trust that the document was in a standard, non-malicious format. But you outright rejected their advice in a hostile tone. You base your hostility on a youtube video.

There was too much uncertainty there to inspire trust. Getoffmylan had no idea why the data was organised as serialised java.

You should read the essay “on trusting trust” and then make a decision on whether you are going to participate in digital society or live under a bridge with a tinfoil hat.

I’ll need a more direct reference because that phrase gives copious references. Do you mean this study? Judging from the abstract:

To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.

I seem to have received software pretending to be a document. Trust would naturally not be a sensible reaction to that. In the infosec discipline we would be incompetent fools to loosely trust whatever comes at us. We make it a point to avoid trust and when trust cannot be avoided we seek justification for trust. We have a zero-trust principle. We also have the rule of least privilege which means not to extend trust/permissions where it’s not necessary for the mission. Why would I trust a PDF when I can take steps to access the PDF in a way that does not need excessive trust?

The masses (security naive folks) operate in the reverse-- they trust by default and look for reasons to distrust. That’s not wise.

In Canada, and elsewhere, insurance companies know everything about you before you even apply, and it’s likely true elsewhere too.

When you move, how do they find out if you don’t tell them? Tracking would be one way.

Privacy is about control. When you call it paranoia, the concept of agency has escaped you. If you have privacy, you can choose what you disclose. What would be good rationale for giving up control?

Even if they don’t have personally identifiable information, you’ll be in a data bucket with your neighbours, with risk profiles based on neighbourhood, items being insured, claim rates for people with similar profiles, etc. Very likely every interaction you have with them has been going into a LLM even prior to the advent of ChatGPT, and they will have scored those interactions against a model.

If we assume that’s true, what do you gain by giving them more solid data to reinforce surreptitious snooping? You can’t control everything but it’s not in your interest to sacrifice control for nothing.

But what you will end up doing instead is triggering fraudulent behaviour flags. There’s something called “address fraud”, where people go out of their way to disguise their location, because some lower risk address has better rates or whatever.

Indeed for some types of insurance policies the insurer has a legitimate need to know where you reside. But that’s the insurer’s problem. This does not rationalize a consumer who recklessly feeds surreptitious surveillance. Street wise consumers protect themselves from surveillance. Of course they can (and should) disclose their new address if they move via proper channels.

Why? Because someone might take a vacation somewhere and interact from another state. How long is a vacation? It’s for the consumer to declare where they intend to live, e.g. via “declaration of domicile”. Insurance companies will harass people if their intel has an inconsistency. Where is that trust you were talking about? There is no reciprocity here.

When you do everything you can to scrub your location, this itself is a signal that you are operating as a highly paranoid individual and that might put you in a bucket.

Sure, you could end up in that bucket if you are in a strong minority of street wise consumers. If the insurer wants to waste their time chasing false positives, the time waste is on them. I would rather laugh at that than join the street unwise club that makes the street wise consumers stand out more.

[-] evenwicht@lemmy.sdf.org 6 points 1 year ago* (last edited 1 year ago)

Don’t Canadian insurance companies want to know where their customers are? Or are the Canadian privacy safeguards good on this?

In the US, Europe (despite the GDPR), and other places, banks and insurance companies snoop on their customers to track their whereabouts as a normal common way of doing business. They insert surreptitious tracker pixels in email to not only track the fact that you read their msg but also when you read the msg and your IP (which gives whereabouts). If they suspect you are not where they expect you to be, they take action. They modify your policy. It’s perfectly legal in the US to use sneaky underhanded tracking techniques rather than the transparent mechanism described in RFC 2298. If your suppliers are using RFC 2298 and not involuntary tracking mechanisms, lucky you.

[-] evenwicht@lemmy.sdf.org 14 points 1 year ago* (last edited 1 year ago)

You’re kind of freaking out about nothing.

I highly recommend Youtube video l6eaiBIQH8k, if you can track it down. You seem to have no general idea about PDF security problems.

And I’m not sure why an application would output a pdf this way. But there’s nothing harmful going on.

If you can’t explain it, then you don’t understand it. Thus you don’t have answers.

It’s a bad practice to just open a PDF you did not produce without safeguards. Shame on me for doing it.. I got sloppy but it won’t happen again.

50
submitted 1 year ago* (last edited 1 year ago) by evenwicht@lemmy.sdf.org to c/cybersecurity@infosec.pub

cross-posted from: https://lemmy.sdf.org/post/24645301

They emailed me a PDF. It opened fine with evince and looked like a simple doc at first. Then I clicked on a field in the form. Strangely, instead of simply populating the field with my text, a PDF note window popped up so my text entry went into a PDF note, which many viewers present as a sticky note icon.

If I were to fax this PDF, the PDF comments would just get lost. So to fill out the form I fed it to LaTeX and used the overpic pkg to write text wherever I choose. LaTeX rejected the file.. could not handle this PDF. Then I used the file command to see what I am dealing with:

$ file signature_page.pdf
signature_page.pdf: Java serialization data, version 5

WTF is that? I know PDF supports JavaScript (shitty indeed). Is that what this is? “Java” is not JavaScript, so I’m baffled. Why is java in a PDF? (edit: explainer on java serialization, and some analysis)

My workaround was to use evince to print the PDF to PDF (using a PDF-building printer driver or whatever evince uses), then feed that into LaTeX. That worked.

My question is, how common is this? Is it going to become a mechanism to embed a tracking pixel like corporate assholes do with HTML email?

I probably need to change my habits. I know PDF docs can serve as carriers of copious malware anyway. Some people go to the extreme of creating a one-time use virtual machine with PDF viewer which then prints a PDF to a PDF before destroying the VM which is assumed to be compromised.

My temptation is to take a less tedious approach. E.g. something like:

$ firejail --net=none evince untrusted.pdf

I should be able to improve on that by doing something non-interactive. My first guess:

$ firejail --net=none gs -sDEVICE=pdfwrite -q -dFIXEDMEDIA -dSCALE=1 -o is_this_output_safe.pdf -- /usr/share/ghostscript/*/lib/viewpbm.ps untrusted_input.pdf

output:

Error: /invalidfileaccess in --file--
Operand stack:
   (untrusted_input.pdf)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1990   1   3   %oparray_pop   1989   1   3   %oparray_pop   1977   1   3   %oparray_pop   1833   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--
Dictionary stack:
   --dict:769/1123(ro)(G)--   --dict:0/20(G)--   --dict:87/200(L)--   --dict:0/20(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 10479
GPL Ghostscript 10.00.0: Unrecoverable error, exit code 1

What’s my problem? Better ideas? I would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.

(note: I also wonder what happens when Firefox opens this PDF considering Mozilla is happy to blindly execute whatever code it receives no matter the context.)
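An added example (not from the original post or from any tool it mentions): a Python triage script for a file like the one described, which `file` reports as Java serialization data yet a viewer opens as a PDF. It assumes the `%PDF-` header sits after a Java serialization stream header at the start of the file, as the replies suggest; the sample bytes and the `tracker.example` URL are constructed, and the function names are this example's own.

```python
"""Triage a file named .pdf that file(1) identifies as something else."""
import re
import sys

PDF_HEADER = b"%PDF-"
JAVA_STREAM_MAGIC = b"\xac\xed"  # first two bytes of a Java object serialization stream
# PDF name tokens for active or network-capable features.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/URI", b"/SubmitForm", b"/EmbeddedFile", b"/XFA")

# Constructed sample: a Java-serialization-style prefix followed by a PDF-like
# body. It is not a renderable PDF; it only exercises the checks below.
PREFIX = b"\xac\xed\x00\x05" + b"ur\x00\x02[B" + b"\xac\xf3\x17\xf8"
SAMPLE = (
    PREFIX
    + b"%PDF-1.3\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    + b"3 0 obj\n<< /S /URI /URI (http://tracker.example/p.gif) >>\nendobj\n"
    + b"4 0 obj\n<< /S /JavaScript /J#53 (constructed) >>\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    + b"trailing-bytes"
)


def leading_format(data: bytes) -> str:
    """Name the format implied by the first bytes, which is what file(1) keys on."""
    if data.startswith(PDF_HEADER):
        return "pdf"
    if data[:2] == JAVA_STREAM_MAGIC and len(data) >= 4:
        # The two bytes after the magic are the stream version (5 in the post).
        return "java-serialization v%d" % int.from_bytes(data[2:4], "big")
    return "unknown"


def carve_pdf(data: bytes) -> bytes:
    """Return the bytes from the first %PDF- header through the last %%EOF."""
    start = data.find(PDF_HEADER)
    if start < 0:
        raise ValueError("no %PDF- header found")
    end = data.rfind(b"%%EOF")
    end = len(data) if end < start else end + len(b"%%EOF")
    return data[start:end]


def count_risky_names(pdf: bytes) -> dict:
    """Count risky name tokens in the raw bytes.

    Names inside compressed object streams are not visible here, so an empty
    result does not show that the document is inert.
    """
    # Names may hide letters as #xx hex escapes (/J#53 is /JS); undo that first.
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), pdf)
    counts = {}
    for name in RISKY_NAMES:
        # The lookahead stops /JS from matching a longer name such as /JSON.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", plain)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def triage(data: bytes) -> dict:
    """Summarise what leads the file, where the PDF starts, and what it references."""
    offset = data.find(PDF_HEADER)
    report = {
        "leading_format": leading_format(data),
        "pdf_offset": offset,
        # Many viewers accept a header anywhere in the first 1024 bytes, which
        # is how a file with a foreign prefix can still open as a PDF.
        "header_within_1024": 0 <= offset <= 1024 - len(PDF_HEADER),
        "pdf_version": None,
        "risky_names": {},
    }
    if offset >= 0:
        pdf = carve_pdf(data)
        match = re.match(rb"%PDF-(\d\.\d)", pdf)
        report["pdf_version"] = match.group(1).decode() if match else None
        report["risky_names"] = count_risky_names(pdf)
    return report


if __name__ == "__main__":
    # With a path argument, triage that file; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

The script only reads bytes and never renders the document, so it can run before any viewer or converter touches the file; the output of `carve_pdf` is what a sandboxed rewrite step would then take as input.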

1
submitted 1 year ago* (last edited 1 year ago) by evenwicht@lemmy.sdf.org to c/paperless@sopuli.xyz

They emailed me a PDF. It opened fine with evince and looked like a simple doc at first. Then I clicked on a field in the form. Strangely, instead of simply populating the field with my text, a PDF note window popped up so my text entry went into a PDF note, which many viewers present as a sticky note icon.

If I were to fax this PDF, the PDF comments would just get lost. So to fill out the form I fed it to LaTeX and used the overpic pkg to write text wherever I choose. LaTeX rejected the file.. could not handle this PDF. Then I used the file command to see what I am dealing with:

$ file signature_page.pdf
signature_page.pdf: Java serialization data, version 5

WTF is that? I know PDF supports JavaScript (shitty indeed). Is that what this is? “Java” is not JavaScript, so I’m baffled. Why is java in a PDF? (edit: explainer on java serialization, and some analysis)

My workaround was to use evince to print the PDF to PDF (using a PDF-building printer driver or whatever evince uses), then feed that into LaTeX. That worked.

My question is, how common is this? Is it going to become a mechanism to embed a tracking pixel like corporate assholes do with HTML email?

I probably need to change my habits. I know PDF docs can serve as carriers of copious malware anyway. Some people go to the extreme of creating a one-time use virtual machine with PDF viewer which then prints a PDF to a PDF before destroying the VM which is assumed to be compromised.

My temptation is to take a less tedious approach. E.g. something like:

$ firejail --net=none evince untrusted.pdf

I should be able to improve on that by doing something non-interactive. My first guess:

$ firejail --net=none gs -sDEVICE=pdfwrite -q -dFIXEDMEDIA -dSCALE=1 -o is_this_output_safe.pdf -- /usr/share/ghostscript/*/lib/viewpbm.ps untrusted_input.pdf

output:

Error: /invalidfileaccess in --file--
Operand stack:
   (untrusted_input.pdf)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1990   1   3   %oparray_pop   1989   1   3   %oparray_pop   1977   1   3   %oparray_pop   1833   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--
Dictionary stack:
   --dict:769/1123(ro)(G)--   --dict:0/20(G)--   --dict:87/200(L)--   --dict:0/20(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 10479
GPL Ghostscript 10.00.0: Unrecoverable error, exit code 1

What’s my problem? Better ideas? I would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.

(note: I also wonder what happens when Firefox opens this PDF, because Mozilla is happy to blindly execute whatever code it receives no matter the context.)

18
submitted 1 year ago* (last edited 1 year ago) by evenwicht@lemmy.sdf.org to c/urbanism@slrpnk.net

A home insurance policy offers a discount to AAA members. The discount is the same amount as the cost of membership. I so rarely use a car or motorcycle that I would not benefit significantly from a roadside assistance plan. I cycle. But there are other discounts for AAA membership, like restaurant discounts. So my knee-jerk thought was: this is a no-brainer… I’m getting some benefits for free, in effect, so it just makes sense to get the membership.

Then I dug into AAA a bit more. The wiki shows beneficial and harmful things AAA has done. From the wiki, these points stand out to me:

AAA blamed pedestrians for safety problems

“As summarized by historian Peter Norton, "[AAA] and other members of motordom were crafting a new kind of traffic safety effort[. ...] It claimed that pedestrians were just as responsible as motorists for injuries and accidents. It ignored claims defending the historic rights of pedestrians to the streets—in the new motor age, historic precedents were obsolete.”

AAA fights gasoline tax

“Skyrocketing gas prices led AAA to testify before three Congressional committees regarding increased gasoline prices in 2000, and to lobby to prevent Congress from repealing parts of the federal gasoline tax, which would have reduced Highway Trust Fund revenue without guaranteeing consumers any relief from high gas prices.”

AAA fights mass transit

“Despite its work promoting environmental responsibility in the automotive and transportation arenas, AAA's lobbying positions have sometimes been perceived to be hostile to mass transit and environmental interests. In 2006, the Automobile Club of Southern California worked against Prop. 87. The proposition would have established a "$4 billion program to reduce petroleum consumption (in California) by 25 percent, with research and production incentives for alternative energy, alternative energy vehicles, energy efficient technologies, and for education and training."”

(edit) AAA fights for more roads and fought against the Clean Air Act

Daniel Becker, director of Sierra Club's global warming and energy program, described AAA as "a lobbyist for more roads, more pollution, and more gas guzzling."[86] He observed that among other lobbying activities, AAA issued a press release critical of the Clean Air Act, stating that it would "threaten the personal mobility of millions of Americans and jeopardize needed funds for new highway construction and safety improvements."[86] "AAA spokespeople have criticized open-space measures and opposed U.S. EPA restrictions on smog, soot, and tailpipe emissions."[87] "The club spent years battling stricter vehicle-emissions standards in Maryland, whose air, because of emissions and pollution from states upwind, is among the nation's worst."[88] As of 2017, AAA continues to lobby against public transportation projects.

Even though the roadside assistance is useless to me, the AAA membership comes with 2 more memberships. So I could give memberships to 2 family members and they would benefit from it. But it seems I need to drop this idea. AAA seems overall doing more harm than good.

AAA is a federation:

It’s interesting to realize that AAA is not a single org. It is a federation of many clubs. Some states have more than one AAA club. This complicates the decision a bit because who is to say that specific club X in state Y spent money fighting the gas tax or fighting mass transit? Is it fair to say all clubs feed money to the top where federal lobbying happens?

(edit) And doesn’t it seem foolish to oppose mass transit even from the selfish car driver standpoint? If you drive a car, other cars are in your way slowing you down and also increasing your chances of simultaneously occupying the same space (crash). Surely you would benefit from others switching from car to public transport to give you more road space. It seems to me the anti mass transit move is AAA looking after its own interest in having more members paying dues.

Will AAA go the direction of the NRA?

Most people know the NRA today as an evil anti gun control anti safety right wing org. It was not always that way. The NRA used to be a genuine force of good. It used to truly advocate for gun safety. Then they became hyper politicized and perversely fought for gun owner rights to the extreme extent of opposing gun safety. I wonder if AAA might take the same extreme direction as NRA, as urban planners increasingly come to their senses and start to realize cars are not good for us. Instead of being a force of safety, AAA will likely evolve into an anti safety org in the face of safer-than-cars means of transport. (Maybe someone should start a counter org called “Safer than Cars Alliance” or “Better than Cars Alliance”)

I also noticed most AAA clubs’ websites block Tor. So the lack of privacy respect just made my decision to nix them even easier.

16
submitted 2 years ago* (last edited 2 years ago) by evenwicht@lemmy.sdf.org to c/cybersecurity@infosec.pub

This is what my fetchmail log looks like today (UIDs and domains obfuscated):

fetchmail: starting fetchmail 6.4.37 daemon
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server4.com: SSL connection failed.
fetchmail: socket error while fetching from user4@server4.com@server4.com
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server3.com: SSL connection failed.
fetchmail: socket error while fetching from user3@server3.com@server3.com
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server2.com: SSL connection failed.
fetchmail: socket error while fetching from user2@server2.com@server2.com
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server1.com: SSL connection failed.
fetchmail: socket error while fetching from user1@server1.com@server1.com
fetchmail: Query status=2 (SOCKET)

In principle I should be able to report the exit node somewhere. But I don’t even know how I can determine which exit node is the culprit. Running nyx just shows some of the circuits (guard, middle, exit) but I seem to have no way of associating those circuits with fetchmail’s traffic.

Anyone know how to track which exit node is used for various sessions? I could of course pin an exit node to a domain, then I would know it, but that loses the benefit of random selection.
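An added example, not part of the original post: Tor's control port reports which circuit each stream is attached to (STREAM events) and each circuit's relay path (CIRC events), so the exit behind a given connection is the last hop of the stream's circuit. The sketch below correlates that with fetchmail failures; the event lines, relay fingerprints and nicknames are constructed, and it assumes fetchmail passes hostnames to Tor over SOCKS.

```python
import re

# Constructed relay fingerprints (40 hex chars); not real relays.
GUARD, MIDDLE, EXIT_X, EXIT_Y = "1" * 40, "2" * 40, "A" * 40, "B" * 40

# Constructed control-port events in the shape Tor emits after
# "SETEVENTS CIRC STREAM". Assumption: fetchmail hands Tor hostnames over
# SOCKS, so each stream target reads "host:port".
CONTROL_EVENTS = f"""\
650 CIRC 7 BUILT ${GUARD}~g1,${MIDDLE}~m1,${EXIT_X}~exitX PURPOSE=GENERAL
650 CIRC 9 BUILT ${GUARD}~g1,${MIDDLE}~m1,${EXIT_Y}~exitY PURPOSE=GENERAL
650 STREAM 41 NEW 0 server4.com:993 PURPOSE=USER
650 STREAM 41 SENTCONNECT 7 server4.com:993
650 STREAM 42 SENTCONNECT 7 server3.com:993
650 STREAM 43 SENTCONNECT 9 example.org:443
"""

# Constructed fetchmail lines, shaped like the log in the post.
FETCHMAIL_LOG = """\
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server4.com: SSL connection failed.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server3.com: SSL connection failed.
"""

CIRC_RE = re.compile(r"^650 CIRC (\S+) BUILT (\$\S+)")
STREAM_RE = re.compile(r"^650 STREAM \S+ (?:SENTCONNECT|SUCCEEDED) (\S+) (\S+):\d+")
FAIL_RE = re.compile(r"^fetchmail: (\S+): SSL connection failed\.")

def exits_by_host(events):
    """Map each stream target host to the exit relays that carried it."""
    last_hop, hosts = {}, {}
    for line in events.splitlines():
        if m := CIRC_RE.match(line):
            # The exit is the final $fingerprint~nickname entry in the path.
            last_hop[m.group(1)] = m.group(2).split(",")[-1]
        elif m := STREAM_RE.match(line):
            circ, host = m.group(1), m.group(2)
            if circ in last_hop:
                hosts.setdefault(host, set()).add(last_hop[circ])
    return hosts

def suspect_exits(log, events):
    """Exit relays seen on streams to hosts whose TLS verification failed."""
    failed = {m.group(1) for l in log.splitlines() if (m := FAIL_RE.match(l))}
    return {h: sorted(exits_by_host(events).get(h, [])) for h in sorted(failed)}

if __name__ == "__main__":
    for host, exits in suspect_exits(FETCHMAIL_LOG, CONTROL_EVENTS).items():
        print(host, exits or "no stream recorded")
```

Against a live Tor instance the same events can be captured from the control port while fetchmail runs; a failing host with no recorded stream means the event capture did not cover that connection.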
