4oh9do | 3 years ago | on: Texts, web searches about abortion have been used to prosecute women
4oh9do's comments
4oh9do | 3 years ago | on: Rare video games collection heist
> He’d had a kind of philanthropic hubris as an owner and collector, someone who never gave a second thought to keeping his legendary game collection a secret. He’d gladly let YouTubers film in the back; he would even open the safe back there and show them, item by item, his Louvre. Other collectors had rare games, sure, but in the back room of his store, and especially in the safe, he was proud to own 10,000 of what he described as “cherry” copies—his preferred term for virgin condition.
and again...
> And though the value of retro games had exploded in the past few years, he’d never been concerned about the safety of the thousands of games from his legendary collection—some of the most valuable video games on earth.
and yet again...
> Though the vault door didn’t work then and was mainly for show, that anything behind it could be, would be, stolen seemed unimaginable.
It is repeated time and time again that these items are valuable, that the collector was keenly aware that they are extremely valuable, and yet he also repeatedly seemed to refuse to acknowledge that you need to take steps to protect valuables, and the more valuable something is the more steps you need to take to protect it.
I don't want to 'victim blame', suffering a burglary is a horrible experience, but it is one compounded by foolhardiness.
4oh9do | 3 years ago | on: Coinbase is reportedly selling geolocation data to ICE
I'm curious, however, why did you not make a similar post to the parent comment...in that the parent comment has presented no evidence whatsoever to support the claim that Coinbase is only using publicly-available information, and therefore by your own reasoning the parent poster should not make the claim.
4oh9do | 3 years ago | on: Coinbase is reportedly selling geolocation data to ICE
Are you familiar with the concept of parallel construction? It's a tactic LEOs use when they don't want to reveal how they actually obtained information. For instance, if they obtain information using method A, but want to conceal method A, they state that they actually obtained the information using method B (because the information actually is, after the fact, obtainable via method B as well, once you know what to look for).
In Coinbase's case the way this would work is Coinbase sources data from their internal databases (method A), and then after the fact they do let's say a Google search or some other public search for the names or whatever they found in their internal databases, and state that all data is sourced from online, publicly available data (method B).
4oh9do | 3 years ago | on: FCC commissioner wants TikTok removed from app stores over spying concerns
Citizen Lab published a report last year - https://citizenlab.ca/2021/03/tiktok-vs-douyin-security-priv... - which found that the app does not engage in any overtly malicious behavior:
> TikTok and Douyin do not appear to exhibit overtly malicious behavior similar to those exhibited by malware. We did not observe either app collecting contact lists, recording and sending photos, audio, videos or geolocation coordinates without user permission.
And if there's any organization I trust about this sort of thing, it's Citizen Lab, owing to their groundbreaking work around Pegasus and other APTs.
4oh9do | 3 years ago | on: W3C to become a public-interest non-profit organization
Where did I do so? Please either provide a quote of me doing so, or retract your statement as it otherwise amounts to libel.
To clarify, if somehow you managed to misinterpret my comments: I am in no way defending any $bad_shit that China does/has done, I am pointing out that the other nations involved have likewise done so, and therefore focusing on just one nation is disingenuous because it gives all the others a pass.
The war on the free and open web has been waged just as much, if not more so, by Western powers as it has by Eastern ones.
4oh9do | 3 years ago | on: W3C to become a public-interest non-profit organization
Why is MIT? Do you not have an issue with them also getting funding from the American defense department? Or if you're concerned with the open web, do you not remember when they persecuted Aaron Swartz for the heinous crime of downloading knowledge?
4oh9do | 3 years ago | on: FTC takes action against CafePress for data breach cover up
CafePress was presumably collecting SSNs precisely for tax identification purposes.
4oh9do | 3 years ago | on: FTC takes action against CafePress for data breach cover up
Your reading of the FTC text seems to be that you think the FTC has conflated account recovery with 2FA, but I don't think that's the case. Instead, my read is that they're suggesting that password breaches can be rendered moot points by requiring 2FA for accounts, so that the compromise of a password would not require an account reset in the first place.
4oh9do | 3 years ago | on: FTC takes action against CafePress for data breach cover up
> To maintain the integrity of the authentication factors, it is essential that it not be possible to leverage an authentication involving one factor to obtain an authenticator of a different factor. For example, a memorized secret must not be usable to obtain a new list of look-up secrets.
And further:
> Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.
4oh9do | 3 years ago | on: FTC takes action against CafePress for data breach cover up
It is not universal practice, but it is industry-standard, so I don't particularly understand why it is surprising that the FTC is recommending that CafePress adhere to industry standards.
4oh9do | 3 years ago | on: FTC takes action against CafePress for data breach cover up
And it's not that we love to imprison people in the US, it's that we love to imprison the wrong people.
4oh9do | 3 years ago | on: FTC takes action against CafePress for data breach cover up
Password resets lead to iterative passwords, which lead to password reuse, which leads to email compromise, which leads to it being pointless to use email as some ersatz second factor.
If we want to move towards a world where phishing attacks and password breaches are obsolete, then we need to press full-throttle to mandating hardware security keys for all accounts.
4oh9do | 3 years ago | on: Meta is inviting researchers to pick apart the flaws in its version of GPT-3
4oh9do | 3 years ago | on: LibreWolf: A privacy-focused Firefox fork
Sure, but at what rate? If Mozilla releases a critical patch today, and the core maintainer responsible for build maintenance is away on vacation for two weeks, what happens?
I don't understand why this paragraph is buried in the middle of the article. It should be a prominently featured tooltip.