Currently ongoing until Jan 5 2024. $10 per ticket. https://shop.proton.me/products/2024-lifetime-raffle-ticket

Where will the funds go?

Proceeds will go to 10 organizations selected with the support of our community and to a handful of past fundraisers beneficiaries, with Proton matching up to $150,000 in donations. The new recipients this year are:

• Freedom House
• Free Software Foundation Europe
• OpenStreetMap
• The Tech Oversight Project
• Ladybird Browser
• Nothing2hide
• Open Data Institute
• Ada Lovelace Institute
• Law for Change
• Free Press Unlimited

This is fascinating as I didn’t even know about it for one, and for two it’s based on having legal standing as a customer of the product, not the developer of the GPL code. I’ll be interested to see where this goes.

Good thing they found some in Montana. Not that it’ll be online for a while.

I think the market is going to struggle with this for a while yet, in the mist of this brewing trade war.

They had their chance at the voting booth… Fighting the good fight is hard when people vote against their interest.

Not all care, but it still impacts them.

Rhythms at the bottom of the deep sea: Cyclic current flow changes and melatonin patterns in two species of demersal fish

Beyond this, the diurnal cycle does filter down into the disphotic zone and does influence species. It does weaken with depth.

Local send works well for me between android and iDevices in most cases. I will say it struggles with VPN’ed connections, which is by design of the network and some VPN will block local connections.

I know sharedrop.io uses a similar web based model as pairdrop and runs into the same VPN issue, but I’m curious if the room function might overcome that in pairdrop.

I’ve been working with this issue for along time. Trying to find something platform agnostic and works with vpns.

App wise, I suggest Localsend for files

Information wise, I suggest Saladroom although there are several alternatives as well like ToffeeShare and ShareDrop

I mostly use Signal though, as it’s the simplest at hand app which fairly reliably makes it accessible to my various devices… With the downside of storing it.

If approved, it will affect all Safari certificates, which follows a similar push by Google, that plans to reduce the max-validity period on Chrome for these digital trust files down to 90 days.

Max lifespans of certs have been gradually decreasing over the years in an ongoing effort to boost internet security. Prior to 2011, they could last up to about eight years. As of 2020, it’s about 13 months.

Apple’s proposal would shorten the max certificate lifespan to 200 days after September 2025, then down to 100 days a year later and 45 days after April 2027. The ballot measure also reduces domain control validation (DCV), phasing that down to 10 days after September 2027.

And while it’s generally agreed that shorter lifespans improve internet security overall — longer certificate terms mean criminals have more time to exploit vulnerabilities and old website certificates — the burden of managing these expired certs will fall squarely on the shoulders of systems administrators.

Over the past couple of days, these unsung heroes who keep the internet up and running flocked to Reddit to bemoan their soon-to-be increasing workload. As one noted, while the proposal “may not pass the CABF ballot, but then Google or Apple will just make it policy anyway…”

…

However, as another sysadmin pointed out, automation isn’t always the answer. “I’ve got network appliances that require SSL certs and can’t be automated,” they wrote. “Some of them work with systems that only support public CAs.”

Another added: “This is somewhat nightmarish. I have about 20 appliance like services that have no support for automation. Almost everything in my environment is automated to the extent that is practical. SSL renewal is the lone achilles heel that I have to deal with once every 365 days.”

Until next year, anyway.

Agreed, now the fun part of coming up with a legal basis to do so and convincing regulators.

I don’t think this requires an act of congress. I think you might see more consumer advocation on the part of FTC (although it doesn’t currently regulate online broadcast), or potentially the CFPB.

Admittedly it’s more likely to see the EU do some regulations, but it all depends on the election.

I’d you have android, I recommended newpipe or one of it’s fork like tubular. Or Seal or it’s fork Ytdlnis.

There are several front ends for yt-dlp on Mac and Windows as well.

While I agree, I have a hard time seeing how people will stop using it until the field changes. Maybe in 10 years it will the the MySpace of the sitcom era, but right now it’s still growing. That growth is giving it carte blanche to manipulate the users as it sees fit. Regulation might impact it, but it’s still a bit of a Goliath.

• Compared to 2023, YouTube’s user base has grown by 20 million this year, representing a 0.74% increase. From Global media insights

Also the active user base is 2.7 billion people in 2024 from the same source above.

The alternatives are out there, but just not in the same league.

Yt-DLP and it’s variation (Seal, YTDLnis, etc.), newpipe and it’s variation (Tubular, Newpipe Sponsorblock, etc) already allow you to do this without having to get manual.

Want countries to re-dollarize, you have to incentivize the, which probably means making the US the dynamic yet stable economic it was. Punishing countries, how laughable.

I think that ship has sailed though, as globalization has caught up yet again.

[# Systematic Destruction (Hacking the Scammers pt. 2)

Taking on the “Smishing Triad”](https://blog.smithsecurity.biz/systematic-destruction-hacking-the-scammers-pt.-2) g

His blog on the topic if you don’t want the wired summary.

A brief technical summary from iMAP reveals what happens when users attempt to access sites using Cloudflare and Google DNS.

• On Maxis, DNS queries to Google Public DNS (8.8.8.8) servers are being automatically redirected to Maxis ISP DNS Servers;

**

• On Time, DNS queries to both Google Public DNS (8.8.8.8) and Cloudflare Public DNS (1.1.1.1) are being automatically redirected to Time ISP DNS servers.

“Instead of the intended Google and Cloudflare servers, users are being served results from ISP DNS servers. In addition to MCMC blocked websites, other addresses returned from ISP DNS servers can also differ from those returned by Google and Cloudflare,” iMAP warns.

…

"Users that are affected, can configure their browser settings to enable DNS over HTTPS to secure their DNS lookups by using direct encrypted connection to private or public trusted DNS servers. This will also bypass transparent DNS proxy interference and provide warning of interference,” iMAP concludes.

Essentially Malaysia law required ISP to drop DNS entries for some sites, local users started using public DNS. ISP started redirecting public DNS requests, and local users started using DNS over HTTPS.

The pirate wars continue in their arms races.

I did a quick search and they don’t make it easy. Peter Lowe’s ad and tracking server blocklist is the only one I found. EasyList doesn’t seem to have a donation link, nor Dan Pollock at someonewhocares.org. Also worth noting that UBO doesn’t take donations. You could always subscribe to AdGuard, but that’s mixed.

Alternative link non paywalled

https://archive.ph/vY4le

If this request worked, it meant that I could use an “encryptedValue” parameter in the API that didn’t have to have a matching account ID.

I sent the request and saw the exact same HTTP response as above! This confirmed that we didn’t need any extra parameters, we could just query any hardware device arbitrarily by just knowing the MAC address (something that we could retrieve by querying a customer by name, fetching their account UUID, then fetching all of their connected devices via their UUID). We now had essentially a full kill chain.

I formed the following HTTP request to update my own device MAC addresses SSID as a proof of concept to update my own hardware:

…

Did it work? It had only given me a blank 200 OK response. I tried re-sending the HTTP request, but the request timed out. My network was offline. The update request must’ve reset my device.

About 5 minutes later, my network rebooted. The SSID name had been updated to “Curry”. I could write and read from anyone’s device using this exploit.

This demonstrated that the API calls to update the device configuration worked. This meant that an attacker could’ve accessed this API to overwrite configuration settings, access the router, and execute commands on the device. At this point, we had a similar set of permissions as the ISP tech support and could’ve used this access to exploit any of the millions of Cox devices that were accessible through these APIs.

Blows me a away that an unauthenticated API with sensitive controls and data was publicly facing. Corporations these days want all your data but wonder why some customers are worry about how it is protected, it let alone if it’s being sold. Why should I allow you to control my hardware when you can’t protect yourself.

Trying to find independent analysis that I read, but can’t find it. This will likely have the most impact on swing voters in the 7 states, which are the most important voters in the US. Everyone else is much more likely to have already made their mind up. And remember about 50-66% of the registered voters in the US actually vote even in a presidential year, although the electoral college complicates the proportional representation of those voters.

From Washington post article

With 158 days until Election Day, he is fighting for a plurality of 30 million voters in seven battleground states — a far cry from the tens of thousands of Iowa party activists he courted a year ago. His advisers have long feared that a felony conviction could hurt Trump with independent voters, particularly skeptical suburban women. In places such as the Atlanta suburbs, those voters cost him the 2020 election.