Home Repair (alt.home.repair) For all homeowners and DIYers with many experienced tradesmen. Solve your toughest home fix-it problems.

#41
Posted to alt.home.repair
external usenet poster
Posts: 338
Check your Windows 10 block settings

On 2015-10-18, Don Y wrote:
This is the key point: ---------------------^^^^^^^^^^
How far do you go in screwing up your lifestyle just for the
sake of *claiming* you've protected your privacy?


What do you consider "screwing up" one's lifestyle? I pay cash for
all local purchases and rarely buy anything online. I use settings and
install extensions on web browsers that help prevent tracking. I don't
use Microsoft, Apple, or Google products.

To me none of this is "screwing up" my lifestyle. They don't even require
a lot of effort. (In particular buying everything with cash is just a
continuation of what I've always done. Using a credit or debit card for
everything would be the strange, screwed up thing to me.)

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
#42
Posted to alt.home.repair
external usenet poster
Posts: 2,879
Check your Windows 10 block settings

On 10/18/2015 6:16 AM, Roger Blake wrote:
On 2015-10-18, Don Y wrote:
This is the key point: ---------------------^^^^^^^^^^
How far do you go in screwing up your lifestyle just for the
sake of *claiming* you've protected your privacy?


What do you consider "screwing up" one's lifestyle? I pay cash for
all local purchases and rarely buy anything online.


Ever rent a car? Fly on an airplane? Then, you've used a credit card
(and your travels are now, literally, trackable). I was "forced" to
get (several) credit cards in my teen years as I was traveling
extensively for work; impossible to carry that much cash around the
country *or* rent a car with it!

Buy real estate? Purchase a "big ticket item" (e.g., car, expensive piece
of test equipment)? (Sub)contract a job (have your house painted, a major
auto repair, hospital bill)? Then, chances are, you used a charge card or
wrote a check.

Have a prescription filled? I.e., for most meds, it's a simple step
backwards to deduce *why* you're having the Rx filled! The more meds,
the easier the conclusions drawn.

I use settings and
install extensions on web browsers that help prevent tracking.


And, like me, are *more* trackable as a result! Several sites on
the web to check this but here's the first two that popped up:
https://panopticlick.eff.org
https://amiunique.org

The first link claims (for me):
"Within our dataset of several million visitors, only one in
2,987,527 browsers have the same fingerprint as yours"
but, only does so when I enable Jscript.

In the second web site my browser reported as "2 out of 103512"
with Jscript DISabled. I.e., the other site *could* conceivably
have included these similar tests (but didn't?).

And neither tried to take into account my IP address! I.e., any
"other" browsers that were indistinguishable from mine PROBABLY
were *not* within 100 miles of here!

[Ideally, you want to find the site that has had the greatest number
of *unique* visitors]

We already know you use Linux for USENET access -- with slrn v0.9.9p1.
And, that you post through Eternal September with account
"U2FsdGVkX1+baz31s5YbQ3GRKudpY5+z3TIqssyP5v0=" from a host that
can be uniquely identified as "0db17d4457d3cd163162e46470f0c6bf".

I used to routinely mangle the identification strings in my browser,
mail client, DNS service, etc. thinking "that way, no one will know
which versions of these products I'm running"! Of course, that
just made my network presence *incredibly* unique!

I don't use Microsoft, Apple, or Google products.


Anyone send you email? Do you *use* a telephone? Send/receive snail mail?
Each of these people/organizations further refines your profile because,
chances are, *they* have had profiles developed regarding their
behaviors. E.g., the "metadata" tells folks much about you even if the
actual "content" is never examined.

E.g., if they tend to spend a lot on alcoholic beverages, then it's
likely that *you* probably also do -- just not with "trackable
currency". And, the fact that you *don't* use those mechanisms
further identifies you ("Ah, he's one of these guys who TRIES
to stay off the radar... I wonder what HE is hiding??")

Have a CATV subscription? (If you *don't*, then the value of
HaveCATVSubscription for *your entry* in the tracking database
is just '0' instead of '1' -- but it doesn't remove you from that
database!)

Have an ISP? Are you *sure* they haven't been served with a warrant
to disclose your email, IP traffic, etc. and ORDERED not to disclose
said warrant to you (or anyone else)? Even *when* you use the network
reveals something about you (owl/lark). The sites you visit even
moreso!

I had an associate who would send his finished designs to his clients
in encrypted "envelopes". And, they always seemed to take days to
arrive -- instead of *minutes*. Does the Internet have a "warehouse"
where packets *sit* during transit (like the Post Office warehouses
snail mail)? grin

To me none of this is "screwing up" my lifestyle. They don't even require
a lot of effort. (In particular buying everything with cash is just a
continuation of what I've always done. Using a credit or debit card for
everything would be the strange, screwed up thing to me.)


Ever go into a bank? Casino? Walk by a CCTV camera? Each of them
are loaded with CCTV cameras that *used* to just want to "gather
evidence" -- in the event of a crime. Now, the video is harvested.
("The guy at teller window #3 always makes CASH withdrawals" And,
no HUMAN needs to make that observation! A machine can watch what
the teller's machine is doing and correlate that with your image
on the video feed. And, associate this with a *name* on the
payroll check, etc. that you are providing or bank account number
from which the funds are being withdrawn. Or, don't you have a bank
account?)

Drive a car down a road? I.e., your license plate has probably been
routinely photographed and sits in a database, somewhere, indicating
when and where it was photographed, direction of travel, etc.

If you're deliberately avoiding all of these "tracking/profiling
opportunities", I suspect your lifestyle has *significantly* been
compromised to make that happen!
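
Added example, not part of the thread or of any poster's message: it puts numbers on the fingerprinting argument in the post above by converting the two quoted test-site results into bits of identifying information and by showing, on a small population, how a hand-edited identification string shrinks the set of look-alike browsers to one. The population, attribute names and values are constructed for illustration and are assumptions, not data from either test site.

```python
"""Added illustration: how identifying is a browser fingerprint?

All browsers, attribute names and values below are constructed sample data.
"""
import math

ATTRIBUTES = ("user_agent", "timezone", "do_not_track")


def surprisal_bits(matching: int, total: int) -> float:
    """Identifying information, in bits, of a fingerprint shared by
    `matching` browsers out of `total` observed."""
    if not 1 <= matching <= total:
        raise ValueError("need 1 <= matching <= total")
    return math.log2(total / matching)


def fingerprint(browser: dict, attributes: tuple) -> tuple:
    """Combine the chosen attributes into one comparable fingerprint."""
    return tuple(browser[name] for name in attributes)


def anonymity_set(population: list, browser: dict, attributes: tuple) -> int:
    """Count the browsers in `population` indistinguishable from `browser`."""
    target = fingerprint(browser, attributes)
    return sum(1 for other in population
               if fingerprint(other, attributes) == target)


def build_population(size: int = 1024) -> list:
    """Constructed, deterministic set of visitors to a fingerprint test site."""
    zones = ("UTC-8", "UTC-7", "UTC-5", "UTC+1")
    population = []
    for i in range(size):
        if i < size // 2:
            agent = "Firefox/41.0 (Windows)"      # half of all visitors
        elif i < size * 7 // 8:
            agent = "Chrome/46.0 (Windows)"       # three eighths
        else:
            agent = "Firefox/41.0 (Linux)"        # one eighth
        population.append({
            "user_agent": agent,
            "timezone": zones[i % 4],
            "do_not_track": (i // 4) % 2 == 1,
        })
    return population


def compare_stock_and_mangled(index: int = 896) -> dict:
    """Same visitor twice: once with a stock User-Agent, once hand-edited."""
    population = build_population()
    total = len(population)
    stock = population[index]
    stock_set = anonymity_set(population, stock, ATTRIBUTES)

    # The visitor "hides" the browser version behind a made-up string.
    mangled = dict(stock, user_agent="Mozilla/0.0 (nothing to see here)")
    altered = population[:index] + [mangled] + population[index + 1:]
    mangled_set = anonymity_set(altered, mangled, ATTRIBUTES)

    return {
        "user_agent_only_set": anonymity_set(population, stock, ("user_agent",)),
        "stock_set": stock_set,
        "stock_bits": surprisal_bits(stock_set, total),
        "mangled_set": mangled_set,
        "mangled_bits": surprisal_bits(mangled_set, total),
    }


def quoted_results_in_bits() -> dict:
    """The two results quoted in the post, expressed as bits."""
    return {
        "one in 2,987,527": surprisal_bits(1, 2987527),
        "2 out of 103512": surprisal_bits(2, 103512),
    }


if __name__ == "__main__":
    for label, bits in quoted_results_in_bits().items():
        print(f"{label}: {bits:.1f} bits")
    for key, value in compare_stock_and_mangled().items():
        print(f"{key}: {value}")
```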
#43
Posted to alt.home.repair
external usenet poster
Posts: 2,879
Check your Windows 10 block settings

On 10/17/2015 7:57 PM, Mayayana wrote:

All I want is a decent computer that I control myself.
I'd be less bothered by people who choose shopping TV,
frankly, if a straight computer was also still an easy option.
But that's becoming an increasingly complex challenge.
The AOL walled garden is not an offering. It's a sneaky
strategy. The complexity of settings and actions required
just to prevent Win7 being overwritten by Win10 is a good
example.


Run whateverOS in a VM under whateverOTHERos.
But, aren't you trading one "walled garden" for another
in the process? How much are you willing to pay
(in lack of convenience) for that?

E.g., none of my machines talks to the outside world
(save this one). This means I don't have to worry about
"security flaws", proprietary/private data leaking out,
hostile interactions (even failed actions can be costly;
e.g., DoS).

But, it also means that when I want to send/receive email,
I must get my *ss out of one chair and find my way to
*this* chair. When I want to upgrade the MS machines,
I must "manually" download those updates -- then sneakernet
them over to the appropriate machines.

I can't video conference with clients -- OTOH, I *can't*
video conference with clients! : And, never have to worry
about whether the lens cap is on the camera, or not!

When doing research, if I find an interesting object, I can't
just query my reference archive to see if I already *have*
a copy of the item; instead, I have to jot down the name
of the item and move to another "internal" machine to
perform that check. Then, come back, here, to actually
*get* the item (if I don't already have it) and, once again,
sneakernet it back to insert it into the archive.

We do our banking and online purchases on an "immutable" laptop;
one that essentially has a "write protected" hard disk. So, never
any fear of a "persistent" infection. But, that means we can't
(easily) *save* anything on that machine, either!

So, my machines *are* (and will remain) "under my control".
It's just that I now *have* to control them! :-/
#44
Posted to alt.home.repair
external usenet poster
Posts: 1,033
Check your Windows 10 block settings

| Run whateverOS in a VM under whateverOTHERos.
| But, aren't you trading one "walled garden" for another
| in the process? How much are you willing to pay
| (in lack of convenience) for that?
|

I'm not. As far as I'm concerned, VMs are for the
birds, except maybe for fulltime software testing.

| E.g., none of my machines talks to the outside world
| (save this one)....
| We do our banking and online purchases on an "immutable" laptop;

That sounds like a well planned solution, but
it wouldn't work for me. Too much hassle. Most
things I do involve going online. Even if I'm editing
a photo or writing software, it's not unusual to
want to look something up. I don't want multiple
machines any more than I want VMs.

With banking, I just don't do it online. I take
the approach of operating safely when online
and avoiding banking, shopping, etc. Those things
simply can't be made safe. Even with a read-only
laptop you still risk things like man-in-the-middle
attacks in your connection to the bank.


#45
Posted to alt.home.repair
external usenet poster
Posts: 2,879
Check your Windows 10 block settings

On 10/18/2015 7:39 AM, Mayayana wrote:
| Run whateverOS in a VM under whateverOTHERos.
| But, aren't you trading one "walled garden" for another
| in the process? How much are you willing to pay
| (in lack of convenience) for that?

I'm not. As far as I'm concerned, VMs are for the
birds, except maybe for fulltime software testing.


VM's are an excellent way of supporting multiple machine
configurations without trying to cram everything into a
single physical machine. In hindsight, I wish I had
implemented each of my workstations as a *set* of VM's
instead of trying to get several dozen large apps to
"play well" together.

I also use VM's to support legacy OS's without having to
worry about finding a "vintage" driver that will work on
*modern* hardware.

| E.g., none of my machines talks to the outside world
| (save this one)....
| We do our banking and online purchases on an "immutable" laptop;

That sounds like a well planned solution, but
it wouldn't work for me. Too much hassle. Most


Very little hassle. If you want to save something, you
save it to a thumb drive (we save copies of statements
to a thumb drive as a matter of course -- so they are
available even if a computer crashes OR we have to leave
the house in an emergency -- and can't bother grabbing
a computer to drag along our financial records!).
Or, you set up a "persistent" portion of the disk
(e.g., a "D:") that you can use for that purpose.

The point is, no "software" (or settings governing its
operation) ever gets changed on the machine.

In the future, I'll install Flash on that machine for
those few times SWMBO "needs" to view some Flash
presentation (yet don't want to risk supercookies)

things I do involve going online. Even if I'm editing
a photo or writing software, it's not unusual to
want to look something up. I don't want multiple
machines any more than I want VMs.


I simply could not operate with fewer machines -- let
alone the redundancy issue. I have far too many (big)
apps that would be tedious to get -- and KEEP -- to
play together well. And, too much risked "repair time"
when/if something got munged.

And, no way I want to multiboot Solaris, FreeBSD/NetBSD
and Windows and *hope* the machine stays in a consistent
state.

With banking, I just don't do it online. I take
the approach of operating safely when online
and avoiding banking, shopping, etc. Those things
simply can't be made safe. Even with a read-only
laptop you still risk things like man-in-the-middle
attacks in your connection to the bank.


Then you limit yourself to the range of banks (and other
institutions) with which you can operate. And, your choices
will diminish, over time.

[I've had to close several accounts in recent years when they
changed the terms to effectively push me to access my statements,
etc. "on line"]

"Operating safely" is almost impossible. Too many drive-by
attacks -- even on big "well known" sites. Hence the approach
of getting the machine into a known, safe state and ensuring that
it can't be changed from that state.


#46
Posted to alt.home.repair
external usenet poster
Posts: 1,033
Check your Windows 10 block settings

| With banking, I just don't do it online. I take
| the approach of operating safely when online
| and avoiding banking, shopping, etc. Those things
| simply can't be made safe. Even with a read-only
| laptop you still risk things like man-in-the-middle
| attacks in your connection to the bank.
|
| Then you limit yourself to the range of banks (and other
| institutions) with which you can operate. And, your choices
| will diminish, over time.
|

I pay $1/month for a paper statement. I doubt
very much that I won't be able to get a statement
any time soon. Even if they didn't mail it, one can
go into any bank for a printout as desired. Doing risky
things online because I *might* have to someday is
not a good reason to me.

| "Operating safely" is almost impossible. Too many drive-by
| attacks -- even on big "well known" sites. Hence the approach
| of getting the machine into a known, safe state and ensuring that
| it can't be changed from that state.

You sound like you know what you're doing, so I
wouldn't be inclined to tell you that you should change,
but my way also works. Nearly all possible online attacks
require javascript. Most of those also use secondary
vulnerabilities, such as iframes or Flash. I rarely enable
script online. When I do, I do it in Firefox with NoScript,
to limit the exposure. I don't have AV or malware
hunter software. And I've never had a malware problem
of any kind.

I wouldn't recommend that approach to everyone.
People who don't want to learn the basics and do
want to access the Internet as "consumers", with
extensive functionality to shop, play games, bank,
Facebook, etc will need AV. But my way, understanding
the risks and disabling script, is far safer than the
person with all the latest patches and AV, but who
enables script online. There's simply no way to make
that safe.


#47
Posted to alt.home.repair
external usenet poster
Posts: 338
Check your Windows 10 block settings

On 2015-10-18, Don Y wrote:
Ever rent a car? Fly on an airplane?


Not for decades.

Buy real estate? Purchase a "big ticket item" (e.g., car, expensive piece
of test equipment)?


All cash.

Have a prescription filled? I.e., for most meds, it's a simple step
backwards to deduce *why* you're having the Rx filled! The more meds,
the easier the conclusions drawn.


Actually unless it's a narcotic it's easy to get a prescription using
an assumed name!

And, like me, are *more* trackable as a result! Several sites on


But not identifiable as to name, address, etc.

We already know you use Linux for USENET access -- with slrn v0.9.9p1.
And, that you post through Eternal September with account
"U2FsdGVkX1+baz31s5YbQ3GRKudpY5+z3TIqssyP5v0=" from a host that
can be uniquely identified as "0db17d4457d3cd163162e46470f0c6bf".


All quite spoofable as well.

Anyone send you email? Do you *use* a telephone? Send/receive snail mail?


Easy enough to cycle through anonymous pre-paid cell phones if needed.
Same with email addresses.

Have a CATV subscription?


Nope.

Have an ISP? Are you *sure* they haven't been served with a warrant
to disclose your email, IP traffic, etc. and ORDERED not to disclose
said warrant to you (or anyone else)?


Since everything is funneled through a foreign-based VPN service that
keeps no records there is nothing for them to disclose.

Ever go into a bank? Casino? Walk by a CCTV camera? Each of them
are loaded with CCTV cameras that *used* to just want to "gather
evidence" -- in the event of a crime. Now, the video is harvested.


Banks rarely, casinos never. Large reflective sunglasses and broad-brimmed
hats go a long ways to dealing with CCTV systems.

Drive a car down a road? I.e., your license plate has probably been
routinely photographed and sits in a database, somewhere, indicating
when and where it was photographed, direction of travel, etc.


Fresnel lens over the plate takes care of that. If sufficiently motivated
so does having the car registered to an out-of-state entity.

If you're deliberately avoiding all of these "tracking/profiling
opportunities", I suspect your lifestyle has *significantly* been
compromised to make that happen!


You would be wrong.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
#48
Posted to alt.home.repair
external usenet poster
Posts: 11,640
Check your Windows 10 block settings

On 10/18/2015 4:42 PM, Roger Blake wrote:
On 2015-10-18, Don Y wrote:
Ever rent a car? Fly on an airplane?


Not for decades.

Buy real estate? Purchase a "big ticket item" (e.g., car, expensive piece
of test equipment)?


All cash.


If in your name the deed is recorded. You eliminate many, but not all
traces.





Ever go into a bank? Casino? Walk by a CCTV camera? Each of them
are loaded with CCTV cameras that *used* to just want to "gather
evidence" -- in the event of a crime. Now, the video is harvested.


Banks rarely, casinos never. Large reflective sunglasses and broad-brimmed
hats go a long ways to dealing with CCTV systems.


Some banks will not allow you in dressed like that.


Drive a car down a road? I.e., your license plate has probably been
routinely photographed and sits in a database, somewhere, indicating
when and where it was photographed, direction of travel, etc.


Fresnel lens over the plate takes care of that.


Is the plate visible to the eye? I know some states are making things
like that illegal so the speed cameras can get you. As long as the
police can easily see your plate you may never get caught though.



#49
Posted to alt.home.repair
external usenet poster
Posts: 338
Check your Windows 10 block settings

On 2015-10-18, Ed Pawlowski wrote:
If in your name the deed is recorded. You eliminate many, but not all
traces.


The point isn't going deep underground, if that's what I was after
I would not be here. The point is not forking over information carte
blanche during the course of normal day-to-day life. Of course there
is some paper and/or electronic trail to be found, but it is spotty,
particularly compared to someone who pays for everything via credit or
debit card and goes out and details it all on Facetube or whatever.

Actually for me paying cash and staying out of debt is mostly due to having
been brought up by parents who lived through the Great Depression of
the 1930s. Preserving a modicum of privacy in an increasingly intrusive
environment is a beneficial side effect.

Some banks will not allow you in dressed like that.


Haven't had a problem, but they know me at my bank anyway. (Small community
bank, been a customer there for decades.) It helps being old, of course,
wearing cataract-style sunglasses doesn't raise many eyebrows for people
my age - might not be the case for a 20-something!

Is the plate visible to the eye? I know some states are making things
like that illegal so the speed cameras can get you. As long as the
police can easily see your plate you may never get caught though.


A proper fresnel lens or louvered covering will look fine straight on
but will obscure the plate from a steep angle. Probably illegal (in
many jurisdictions any plate cover is) but poorly enforced as long as
the plate is properly visible to the cop just behind or ahead of you.

Here's one, there are others, and some homebrew solutions:

http://www.ontrackcorp.com/original-protector.cfm

There would probably also be active solutions possible that would work
in a similar manner to those using infrared LEDs to foil facial recognition
systems.

For myself, I'm in a rural area where plate cameras and scanners are not
much of a concern - yet.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
#50
Posted to alt.home.repair
external usenet poster
Posts: 2,879
Check your Windows 10 block settings

On 10/18/2015 11:38 AM, Mayayana wrote:
| With banking, I just don't do it online. I take
| the approach of operating safely when online
| and avoiding banking, shopping, etc. Those things
| simply can't be made safe. Even with a read-only
| laptop you still risk things like man-in-the-middle
| attacks in your connection to the bank.
|
| Then you limit yourself to the range of banks (and other
| institutions) with which you can operate. And, your choices
| will diminish, over time.

I pay $1/month for a paper statement. I doubt


You're lucky. I've closed accounts when each notified me that
they wanted $8.95/month to mail me a single sheet of paper
with 1, 2 or, at most, *3* transactions on it! Note that
one of the banks was 1500 miles from here -- so it's not
a "local phenomenon".

very much that I won't be able to get a statement
any time soon. Even if they didn't mail it, one can
go into any bank for a printout as desired. Doing risky
things online because I *might* have to someday is
not a good reason to me.


Do you own any securities? Do any "trading"?

| "Operating safely" is almost impossible. Too many drive-by
| attacks -- even on big "well known" sites. Hence the approach
| of getting the machine into a known, safe state and ensuring that
| it can't be changed from that state.

You sound like you know what you're doing, so I
wouldn't be inclined to tell you that you should change,
but my way also works. Nearly all possible online attacks
require javascript.


If you look at the history of vulnerabilities, you'd realize that's
not the case. Buffer overflow exploits are still common -- despite
EVERYONE knowing about this sort of potential problem (yet
continuing to write NEW code that has the same flaws).

Are *all* inbound ports on your machine closed?
Have a look at "Shield's Up": https://www.grc.com

Do you "NAT" your connections? Use a STATEFUL firewall?

Ever download/open a PDF?
http://securityxploded.com/pdf_vuln_exploits.php
Open a JPG?
https://www.f-secure.com/v-descs/ms04-028.shtml
Maybe a video (MP4)?
http://www.hacking-tutorial.com/hacking-tutorial/hacking-tutorial-windows-xp-sp3-using-adobe-flash-player-mp4-vulnerability/
Or, perhaps, music (MP3)?
http://www.gnucitizen.org/blog/backdooring-mp3-files/

I.e., any piece of code that can be coerced into "processing"
foreign data represents an attack surface. In the past, JPG's
have been used to inject malware, malformed URL's

Most of those also use secondary
vulnerabilities, such as iframes or Flash. I rarely enable
script online. When I do, I do it in Firefox with NoScript,
to limit the exposure. I don't have AV or malware
hunter software. And I've never had a malware problem
of any kind.


We don't run AV here, as it takes too big a hit on the machine's
performance, requires constant updates (sometimes *introducing*
bugs/false positives in the process), etc.

We practice "safe computing" -- much to SWMBO's dismay (as she
isn't allowed to view much of the cruft her friends send to her
as "funny links"). Periodically, I take the machine down and
mount the disk as a secondary drive so I can scan it with a
current AV release -- just for peace of mind ("Nothing found
so we've been well behaved")

Of course, the machine is only useful to a hacker as a point from
which to possibly launch another attack -- there's nothing *here*
worth stealing or "snooping"!

I wouldn't recommend that approach to everyone.
People who don't want to learn the basics and do
want to access the Internet as "consumers", with
extensive functionality to shop, play games, bank,
Facebook, etc will need AV. But my way, understanding
the risks and disabling script, is far safer than the
person with all the latest patches and AV, but who
enables script online. There's simply no way to make
that safe.


Having NoScript block all domains, here, means I often
have to take several attempts to view a site -- successively
enabling more and more domains until the site "appears"
to work. Some sites are very deliberate in refusing to work
without Jscript enabled. Some refuse to work without Flash.

Each of these represents an inconvenience to me. But, as most
of the sites that I am interested in are highly technical,
I can put up with these occasional inconveniences.



#51
Posted to alt.home.repair
external usenet poster
Posts: 6,586
Check your Windows 10 block settings

Roger Blake wrote:
On 2015-10-18, Don Y wrote:
This is the key point: ---------------------^^^^^^^^^^
How far do you go in screwing up your lifestyle just for the
sake of *claiming* you've protected your privacy?


What do you consider "screwing up" one's lifestyle? I pay cash for
all local purchases and rarely buy anything online. I use settings and
install extensions on web browsers that help prevent tracking. I don't
use Microsoft, Apple, or Google products.

To me none of this is "screwing up" my lifestyle. They don't even require
a lot of effort. (In particular buying everything with cash is just a
continuation of what I've always done. Using a credit or debit card for
everything would be the strange, screwed up thing to me.)

How come? Online shopping is easy and convenient. They can data mine
about me, but I block all the spam and junk mail. I don't even see any of
it. I use a card, paying in full when I get the bill. I pay the bill
online as well. At our small business, all payment is done by CC.
Lots of points are being collected, plus points I collected when I was
working, which pay for our travels, like going to see our grandson in
Victoria Island. It's been a long time since I paid for an airline ticket with
paper money. Oh, I book flights online too, LOL! At our store the cash sale
amount is less than 10% of total sales on any day.
#52
Posted to alt.home.repair
external usenet poster
Posts: 6,586
Check your Windows 10 block settings

Don Y wrote:
On 10/18/2015 6:16 AM, Roger Blake wrote:
On 2015-10-18, Don Y wrote:
This is the key point: ---------------------^^^^^^^^^^
How far do you go in screwing up your lifestyle just for the
sake of *claiming* you've protected your privacy?


What do you consider "screwing up" one's lifestyle? I pay cash for
all local purchases and rarely buy anything online.


Ever rent a car? Fly on an airplane? Then, you've used a credit card
(and your travels are now, literally, trackable). I was "forced" to
get (several) credit cards in my teen years as I was traveling
extensively for work; impossible to carry that much cash around the
country *or* rent a car with it!

Buy real estate? Purchase a "big ticket item" (e.g., car, expensive piece
of test equipment)? (Sub)contract a job (have your house painted, a major
auto repair, hospital bill)? Then, chances are, you used a charge card or
wrote a check.

Have a prescription filled? I.e., for most meds, it's a simple step
backwards to deduce *why* you're having the Rx filled! The more meds,
the easier the conclusions drawn.

I use settings and
install extensions on web browsers that help prevent tracking.


And, like me, are *more* trackable as a result! Several sites on
the web to check this but here's the first two that popped up:
https://panopticlick.eff.org
https://amiunique.org

The first link claims (for me):
"Within our dataset of several million visitors, only one in
2,987,527 browsers have the same fingerprint as yours"
but, only does so when I enable Jscript.

In the second web site my browser reported as "2 out of 103512"
with Jscript DISabled. I.e., the other site *could* conceivably
have included these similar tests (but didn't?).

And neither tried to take into account my IP address! I.e., any
"other" browsers that were indistinguishable from mine PROBABLY
were *not* within 100 miles of here!

[Ideally, you want to find the site that has had the greatest number
of *unique* visitors]

We already know you use Linux for USENET access -- with slrn v0.9.9p1.
And, that you post through Eternal September with account
"U2FsdGVkX1+baz31s5YbQ3GRKudpY5+z3TIqssyP5v0=" from a host that
can be uniquely identified as "0db17d4457d3cd163162e46470f0c6bf".

I used to routinely mangle the identification strings in my browser,
mail client, DNS service, etc. thinking "that way, no one will know
which versions of these products I'm running"! Of course, that
just made my network presence *incredibly* unique!

I don't use Microsoft, Apple, or Google products.


Anyone send you email? Do you *use* a telephone? Send/receive snail mail?
Each of these people/organizations further refines your profile because,
chances are, *they* have had profiles developed regarding their
behaviors. E.g., the "metadata" tells folks much about you even if the
actual "content" is never examined.

E.g., if they tend to spend a lot on alcoholic beverages, then it's
likely that *you* probably also do -- just not with "trackable
currency". And, the fact that you *don't* use those mechanisms
further identifies you ("Ah, he's one of these guys who TRIES
to stay off the radar... I wonder what HE is hiding??")

Have a CATV subscription? (If you *don't*, then the value of
HaveCATVSubscription for *your entry* in the tracking database
is just '0' instead of '1' -- but it doesn't remove you from that
database!)

Have an ISP? Are you *sure* they haven't been served with a warrant
to disclose your email, IP traffic, etc. and ORDERED not to disclose
said warrant to you (or anyone else)? Even *when* you use the network
reveals something about you (owl/lark). The sites you visit even
moreso!

I had an associate who would send his finished designs to his clients
in encrypted "envelopes". And, they always seemed to take days to
arrive -- instead of *minutes*. Does the Internet have a "warehouse"
where packets *sit* during transit (like the Post Office warehouses
snail mail)? grin

To me none of this is "screwing up" my lifestyle. They don't even require
a lot of effort. (In particular buying everything with cash is just a
continuation of what I've always done. Using a credit or debit card for
everything would be the strange, screwed up thing to me.)


Ever go into a bank? Casino? Walk by a CCTV camera? Each of them
are loaded with CCTV cameras that *used* to just want to "gather
evidence" -- in the event of a crime. Now, the video is harvested.
("The guy at teller window #3 always makes CASH withdrawals" And,
no HUMAN needs to make that observation! A machine can watch what
the teller's machine is doing and correlate that with your image
on the video feed. And, associate this with a *name* on the
payroll check, etc. that you are providing or bank account number
from which the funds are being withdrawn. Or, don't you have a bank
account?)

Drive a car down a road? I.e., your license plate has probably been
routinely photographed and sits in a database, somewhere, indicating
when and where it was photographed, direction of travel, etc.

If you're deliberately avoiding all of these "tracking/profiling
opportunities", I suspect your lifestyle has *significantly* been
compromised to make that happen


Simply put they know more about me than I know about myself, LOL!
  #53   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 6,586
Default Check your Windows 10 block settings

Ed Pawlowski wrote:
On 10/18/2015 4:42 PM, Roger Blake wrote:
On 2015-10-18, Don Y wrote:
Ever rent a car? Fly on an airplane?


Not for decades.

Buy real estate? Purchase a "big ticket item" (e.g., car, expensive
piece of test equipment)?


All cash.


If in your name the deed is recorded. You eliminate many, but not all
traces.





Ever go into a bank? Casino? Walk by a CCTV camera? Each of them
are loaded with CCTV cameras that *used* to just want to "gather
evidence" -- in the event of a crime. Now, the video is harvested.


Banks rarely, casinos never. Large reflective sunglasses and
broad-brimmed hats go a long ways to dealing with CCTV systems.


Some banks will not allow you in dressed like that.


Drive a car down a road? I.e., your license plate has probably been
routinely photographed and sits in a database, somewhere, indicating
when and where it was photographed, direction of travel, etc.


Fresnel lens over the plate takes care of that.


Is the plate visible to the eye? I know some states are making things
like that illegal so the speed cameras can get you. As long as the
police can easily see your plate you may never get caught though.



I believe it is some kinda mental case. -----phobia?.
  #54   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 1,033
Default Check your Windows 10 block settings


| I pay $1/month for a paper statement. I doubt
|
| You're lucky. I've closed accounts when each notified me that
| they wanted $8.95/month to mail me a single sheet of paper
| with 1, 2 or, at most, *3* transactions on it! Note that
| one of the banks was 1500 miles from here -- so its not
| a "local phenomenon".
|

TD Bank. And they're open on Sundays, too.
I'm not sure I even want to know why you have
numerous bank accounts on the other side
of the country.

| Do you own any securities? Do any "trading"?
|

No. I'm not a gambler. Frankly I think straight gambling
on the stock market should be illegal, with something
like a 90 day minimum period that stocks would have
to be held and no option for buying options, which
are merely bets. Then people would be investing in
companies rather than just a big, glorified gambling hall.

| You sound like you know what you're doing, so I
| wouldn't be inclined to tell you that you should change,
| but my way also works. Nearly all possible online attacks
| require javascript.
|
| If you look at the history of vulnerabilities, you'd realize that's
| not the case. Buffer overflow exploits are still common -- despite
| EVERYONE knowing about this sort of potential problem (yet
| continuing to write NEW code that has the same flaws).
|

Buffer overflows require executable code. The point is
to go back to what the Web was meant to be: A resource
that can be accessed. Not remote software.
However you look at it, nearly all risks online require script.
It's true that there has been at least one issue with JPGs.
That was actually a vulnerability in gdiplus.dll, the
Windows extended graphics library. There was also once
an issue with EMF files. It's not impossible to face a
vulnerability with script disabled, but it's *very* unlikely.
With script enabled, on the other hand, you're a sitting
duck.

PDF exploits, as well as Flash, are also script issues.
The MP4 bug you link to is a Flash problem. Likewise,
the MP3 bug you linked to is with script in iTunes. What
you're talking about is all executable code. The point is
to get executable code out of the browser. Don't use
Adobe crap at all. Don't enable script. Don't install Java.
Don't run videos and music in browser plugins like Flash.
Don't enable script in your PDF viewer.
(For me this is easy. I don't like things moving on webpages
while I'm trying to read. If I want to see a video I'll
download it, so I can save a copy, and play it in VLC. If
I can't download it I can't be bothered. I'm not going to
sit around "watching TV" on my monitor.)

| Having NoScript block all domains, here, means I often
| have to take several attempts to view a site -- successively
| enabling more and more domains until the site "appears"
| to work. Some sites are very deliberate in refusing to work
| without Jscript enabled. Some refuse to work without Flash.
|

Yes. I guess it depends a lot on what sites you visit. I
have noticed lately that more sites design to break without
script. Maybe not all deliberately. The code has gotten to
be such a mess that it's hard to tell. I don't use highly
interactive sites, so I've never needed Flash. I've never
even had it installed. And fortunately it's being phased out.

One of the increasing problems I've seen is kiddie sites
hosted by Wix and Squarespace. They get small business
people to set up sites for free or cheap. It's all a very
simple, drag-drop-and-choose-options kind of operation.
People think it's clever that they made their own site. But
the pages are actually pseudo-JSON muck that directs
the loading of the page from the Wix or Squarespace
server. It's completely broken without script. The nasty
thing about it is that it breaks because it's using client-
side processing to put the page together. PHP and ASP
would work just fine server-side, but Wix and Squarespace
are cutting corners.

I was looking at a site yesterday by some very talented
designers and engineers. Heatherwick.com. Their website
is a mess, with the noscript code inside script blocks! These
people are award winning designers with big gallery shows,
yet they can't build a website with the most basic
functionality.

Another one I've noticed recently is Forbes.com. I used
to go there sometimes for news. Now there's actually no
webpage at all. Their pages are either built from script or
hide the content inside script. They're actually, in some cases,
embedding the entire HTML string inside script variables!
That's so idiotic and wasteful that it can only be a case
of trying to make their site break without script.

It's got so bad, and some of the script I see is so bizarre
and convoluted, that I recently wrote a tool to sort it out:

http://www.jsware.net/jsware/scrfiles.php5#jsdeob

It's only for people who are familiar with webpage coding,
but I find it can come in handy sometimes.


  #55   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 338
Default Check your Windows 10 block settings

On 2015-10-18, Tony Hwang wrote:
How come? Online shopping is easy and convenient, they can data mine
about me but I block all the spams, junk mails.


I find shopping locally using cash to be easy and convenient. It's
what I've always done, I'm not particularly going out of my way
or changing anything to do it.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------


  #56   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 2,879
Default Check your Windows 10 block settings

On 10/18/2015 4:06 PM, Tony Hwang wrote:
Don Y wrote:


If you're deliberately avoiding all of these "tracking/profiling
opportunities", I suspect your lifestyle has *significantly* been
compromised to make that happen


Simply put they know more about me than I know about myself, LOL!


They have AN INTEREST in knowing -- you probably *don't*! :

My MD asks me questions that I'd never think of asking myself.
*He* knows how those things correlate with things that he might
be looking for.

Similarly, folks thinking of extending credit to me might be
interested in how diligently I get annual physicals (i.e., if
I don't exercise discipline over my own PHYSICAL HEALTH,
I'm probably less likely to exercise discipline over my FISCAL
HEALTH!)

Folks always think there has to be some IDENTIFIABLE *reason*
for a correlation. Actuaries (and others who make decisions
based on probabilities) only care about the fact that a
correlation APPEARS to exist -- they don't really care *why*
as long as the correlation is statistically reliable!

People who drive white cars tend to have fewer accidents.
Is this because white cars are safer? Or, because people
who aren't concerned with the color of their car tend
to have a more cautious personality? Or, because OTHER
drivers can more readily *see* white vehicles (to avoid
them)?

shrug
  #57   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 2,879
Default Check your Windows 10 block settings

On 10/18/2015 3:09 PM, Roger Blake wrote:

From the above, it sure looks like you spend a LOT of time trying
to stay hidden. Best hope no one takes an interest in the extent
to which you try to hide -- you may find yourself at the TOP
of their watch list! :


Doesn't take much time at all. Perhaps someone will take an interest, would
love to waste their time. Why not report me?


I suspect your .signature has already done that! :


  #58   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 338
Default Check your Windows 10 block settings

On 2015-10-18, Don Y wrote:
I suspect your .signature has already done that! :


Quite possibly! Not that I think it would ever happen of course, but if
those responsible for mass gov't surveillance ever were to be properly
punished for their crimes I would volunteer to throw the switch on
the chair - though I'd probably have to wait in a long line for the
privilege. We might need to develop some new tech for the number of
executions that would be needed. Possibly an electric couch?

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
  #59   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 2,879
Default Check your Windows 10 block settings

On 10/18/2015 4:13 PM, Mayayana wrote:
| I pay $1/month for a paper statement. I doubt
|
| You're lucky. I've closed accounts when each notified me that
| they wanted $8.95/month to mail me a single sheet of paper
| with 1, 2 or, at most, *3* transactions on it! Note that
| one of the banks was 1500 miles from here -- so it's not
| a "local phenomenon".

TD Bank. And they're open on Sundays, too.
I'm not sure I even want to know why you have
numerous bank accounts on the other side
of the country.


I have lived in many places. It is usually more convenient to
leave an existing account someplace open until I can get a
new account somewhere_else established. And, when they WERE
mailing paper statements, there was virtually no cost to me to
KEEP those accounts open (most of my accounts have had strict
check-writing constraints -- like 3 per month). So, an extra
account would let me handle extra transactions, etc.

I know I had to maintain an account in CT for the tax man
(consultants' time has sales tax applied so they want someplace
to find you to *get* that tax!)

| Do you own any securities? Do any "trading"?

No. I'm not a gambler. Frankly I think straight gambling
on the stock market should be illegal, with something
like a 90 day minimum period that stocks would have
to be held and no option for buying options, which
are merely bets. Then people would be investing in
companies rather than just a big, glorified gambling hall.


+42

I can't see how anyone would consider the "1 year" time limit
to qualify for LONG term gains to really be indicative of
"an investment" (vs. a gamble).

| You sound like you know what you're doing, so I
| wouldn't be inclined to tell you that you should change,
| but my way also works. Nearly all possible online attacks
| require javascript.
|
| If you look at the history of vulnerabilities, you'd realize that's
| not the case. Buffer overflow exploits are still common -- despite
| EVERYONE knowing about this sort of potential problem (yet
| continuing to write NEW code that has the same flaws).

Buffer overflows require executable code.


Yes -- the code in your browser or "helper applications" that it
invokes.

The point is
to go back to what the Web was meant to be: A resource
that can be accessed. Not remote software.


The exploits I mentioned previously don't require any
"remote software" to be executed from the 'net. *But*,
as each of these non-ASCII-text files requires something
to *interpret* their contents (as a photograph, audio
clip, video clip, etc.) then those non-ASCII-text files
are, essentially, *programs*! They control the behavior
of their respective "decoders" when you apply those decoders
to those files.

Bugs in those decoders can thus be exploited to compromise
the machine on which the decoders are executing. This is
because Windows (and virtually all other desktop OS's)
applies the full capabilities of the invoking user to
any program (e.g., the decoder) running on his/her behalf!
There is no way to limit what a particular program can/can't
do -- other than HOPING the program itself "behaves well".

A "capability-based" OS doesn't have this inherent limitation.
E.g., I can let *you* write a hostile program and install
it on my system. But, no matter how hard your program tries,
it won't be able to do anything that I haven't explicitly
allowed it to do. No need for you to be scribbling in the
Registry -- or even *looking* at it; no need for you to be
pushing packets out a network connection; no need for
you to be installing any files; etc. -- all you need to be
able to do is EXACTLY what *I* think you should be able to
do (show me the contents of this JPG in a graphic form, etc.)

However you look at it, nearly all risks online require script.
It's true that there has been at least one issue with JPGs.
That was actually a vulnerability in gdiplus.dll, the
Windows extended graphics library. There was also once
an issue with EMF files. It's not impossible to face a
vulnerability with script disabled, but it's *very* unlikely.
With script enabled, on the other hand, you're a sitting
duck.


If I email you a picture BigBoobs.jpg and you open it, then
I've enticed you to expose your JPEG decoder to whatever
contents that file may contain. Likewise if you visit a
web page with a JPEG. If I email you a receipt for a purchase
as a PDF, then the act of opening it means your "PDF decoder"
has now been tricked into "interpreting" the information
embedded in that file (just like a computer interprets a
computer program).

PDF exploits, as well as Flash, are also script issues.
The MP4 bug you link to is a Flash problem. Likewise,
the MP3 bug you linked to is with script in iTunes. What
you're talking about is all executable code. The point is
to get executable code out of the browser. Don't use


The browser *is* executable code! The OS is executable code.
The JPG decoder is executable code. The PDF reader is executable
code. Anything that *does* anything does it by executing code!

Adobe crap at all. Don't enable script. Don't install Java.
Don't run videos and music in browser plugins like Flash.
Don't enable script in your PDF viewer.
(For me this is easy. I don't like things moving on webpages
while I'm trying to read. If I want to see a video I'll
download it, so I can save a copy, and play it in VLC. If


http://www.zdnet.com/article/vlc-vulnerabilities-exposed/
"Vulnerabilities have been discovered in some versions of the
popular VLC media player which may allow a cyberattacker to
corrupt memory and potentially execute arbitrary code."
http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=VLC_vulnerabilities.html


Note that it doesn't matter if you run VLC from your browser or
download the file and run VLC separately.
"Vulnerabilities in VLC allow for remote code execution or
denial of service. VLC also has a remote code execution
vulnerability in the web interface."

It's like the admonition from my youth regarding unwanted
pregnancies: the only SURE contraceptive is ABSTINENCE!
I.e., the only sure way to avoid these vulnerabilities is
to NOT import anything that you didn't create yourself.

"The only winning move is not to play"
-WOPR
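
Added example (not part of the original post or thread): the post's point that a data file steers whatever decoder is applied to it, shown with a hypothetical toy image format, `TIMG`, whose header carries a length field. The format, every name and the sample bytes are constructed for illustration; `decode_naive` keeps the unbounded copy and `decode_checked` is the corrected form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy image format (constructed for this example):
 *   bytes 0-3  magic "TIMG"
 *   bytes 4-5  declared payload length, big-endian
 *   bytes 6..  payload (pixel bytes)
 */
#define HDR_LEN    6
#define PIXBUF_MAX 64

enum { DEC_OK = 0, DEC_BAD_MAGIC = -1, DEC_TOO_BIG = -2, DEC_TRUNCATED = -3 };

typedef struct {
    uint8_t pixels[PIXBUF_MAX];
    size_t  used;
} image_t;

/* Length the FILE claims for its own payload. */
static size_t declared_len(const uint8_t *file)
{
    return ((size_t)file[4] << 8) | file[5];
}

/* Naive decoder: a field inside the data decides how many bytes are
 * written into a fixed-size buffer. With a declared length above
 * PIXBUF_MAX the copy runs past pixels[] into adjacent memory. */
int decode_naive(const uint8_t *file, size_t file_len, image_t *out)
{
    if (file_len < HDR_LEN || memcmp(file, "TIMG", 4) != 0)
        return DEC_BAD_MAGIC;
    size_t n = declared_len(file);
    memcpy(out->pixels, file + HDR_LEN, n);   /* defect: n is never bounded */
    out->used = n;
    return DEC_OK;
}

/* Hardened decoder: the declared length is checked against both the
 * destination buffer and the bytes actually present before any copy. */
int decode_checked(const uint8_t *file, size_t file_len, image_t *out)
{
    if (file_len < HDR_LEN || memcmp(file, "TIMG", 4) != 0)
        return DEC_BAD_MAGIC;
    size_t n = declared_len(file);
    if (n > sizeof out->pixels)
        return DEC_TOO_BIG;                   /* would overflow pixels[] */
    if (n > file_len - HDR_LEN)
        return DEC_TRUNCATED;                 /* would read past the input */
    memcpy(out->pixels, file + HDR_LEN, n);
    out->used = n;
    return DEC_OK;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_FILE[]      = { 'T','I','M','G', 0x00,0x04, 1,2,3,4 };
static const uint8_t OVERSIZED_FILE[] = { 'T','I','M','G', 0x04,0x00, 1,2,3,4 }; /* claims 1024 */
static const uint8_t TRUNCATED_FILE[] = { 'T','I','M','G', 0x00,0x20, 1,2,3,4 }; /* claims 32, has 4 */

int main(void)
{
    image_t img;
    memset(&img, 0, sizeof img);

    /* The naive decoder is only run on the well-formed file here. */
    printf("naive,   good file:      %d\n",
           decode_naive(GOOD_FILE, sizeof GOOD_FILE, &img));
    printf("checked, good file:      %d\n",
           decode_checked(GOOD_FILE, sizeof GOOD_FILE, &img));
    printf("checked, oversized file: %d\n",
           decode_checked(OVERSIZED_FILE, sizeof OVERSIZED_FILE, &img));
    printf("checked, truncated file: %d\n",
           decode_checked(TRUNCATED_FILE, sizeof TRUNCATED_FILE, &img));
    return 0;
}
```

Both decoders accept the well-formed file; only the checked one rejects a file whose header disagrees with the buffer size or with the bytes actually supplied.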
  #60   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 6,586
Default Check your Windows 10 block settings

Roger Blake wrote:
On 2015-10-18, Tony Hwang wrote:
How come? Online shopping is easy and convenient, they can data mine
about me but I block all the spams, junk mails.


I find shopping locally using cash to be easy and convenient. It's
what I've always done, I'm not particularly going out of my way
or changing anything to do it.

Of course. Suit yourself. But IMHO, you're weird in this day and age.



  #61   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 338
Default Check your Windows 10 block settings

On 2015-10-19, Tony Hwang wrote:
Of course. Suit yourself. But IMHO, you're weird in this day and age.


To people my age paying in cash is normal, using credit/debit is the
weird thing. I'm certainly not the only one, those cash registers are
not being kept in service just for my benefit.

What today's young people think of it is really of no interest to me.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
  #62   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 1,648
Default Check your Windows 10 block settings

Dan Espen wrote in :


Microsoft knew all along they couldn't stay the same size
selling the same old OS for new machines only.
People don't upgrade because the OS is good enough.
MSFT is going to try to create an on-going revenue stream,
but I think they'll fail.


I hope so.

Ultimately, they'll be a smaller company.


Much smaller.

One of my fondest aspirations is to live long enough to see the day that Microsoft files for
Chapter 7 bankruptcy.

  #63   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 593
Default Check your Windows 10 block settings

On 10/18/2015 06:50 PM, Tony Hwang wrote:
Roger Blake wrote:
On 2015-10-18, Tony Hwang wrote:
How come? Online shopping is easy and convenient, they can data mine
about me but I block all the spams, junk mails.


I find shopping locally using cash to be easy and convenient. It's
what I've always done, I'm not particularly going out of my way
or changing anything to do it.

Of course. Suit yourself. But IMHO, you're weird in this day and age.


I think it's weird when someone pulls out their Mastercard at a grocery
store to pay for a dozen donuts. I really get upset when the charge is
refused and they have to hunt up another card that might have a little
life in it. For a real fun time get in line behind someone with an EBT
card and a pocketful of dead plastic.


  #64   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 1,033
Default Check your Windows 10 block settings

| The exploits I mentioned previously don't require any
| "remote software" to be executed from the 'net. *But*,
| as each of these non-ASCII-text files requires something
| to *interpret* their contents (as a photograph, audio
| clip, video clip, etc.) then those non-ASCII-text files
| are, essentially, *programs*! They control the behavior
| of their respective "decoders" when you apply those decoders
| to those files.
|

That's not true. The exploits you listed all
involve a weakness in executable code -- either
compiled binaries or script. Most involve javascript.
Many of those *also* require a binary like Flash.
The rare exception would be something like the
gdiplus.dll bug that could be exploited with JPGs.
(Gdiplus was fairly new at the time.) Data files that
are not interpreted as executable -- whether text
or not -- are almost never a risk because they're
not doing anything. (Again, I'd be interested to
hear if there are any examples besides the one-time
JPG issue, which was many years ago.)

I've never heard of any vulnerability in HTML.
It defines graphical layout. It's not interpreted
as executable code. It's sometimes possible to
crash a browser with faulty HTML, but that's just
a case of "choking" the software. There's no
executable code involved.

| If I email you a receipt for a purchase
| as a PDF, then the act of opening it means your "PDF decoder"
| has now been tricked into "interpreting" the information
| embedded in that file (just like a computer interprets a
| computer program).
|

You're misusing the word interpret. A computer
doesn't interpret a program. The program itself
accesses the CPU, RAM and disk. Script is text
that's interpreted as executable code, but that
makes it just like a compiled program, in that
the interpreter is a program acting under the
direction of the script. A PDF is not interpreted
as executable code. What the PDF reader gets from
the PDF data is information about text, fonts,
colors and layout. The problems with PDF are due
to allowing javascript in PDFs to run.

| The browser *is* executable code! The OS is executable code.
| The JPG decoder is executable code. The PDF reader is executable
| code. Anything that *does* anything does it by executing code!
|
I don't know how many ways I can explain it.
As I said, I'd be interested to know if you find
any vulnerabilities that do not directly involve
executable code. They're few and far between.
In other words, a browser is, of course, executable
code, but you can't hijack it by telling it to draw
a table with a blue background. A browser is
hijacked by getting it to run executable code --
via the javascript "engine" or a faulty plug-in.


| Adobe crap at all. Don't enable script. Don't install Java.
| Don't run videos and music in browser plugins like Flash.
| Don't enable script in your PDF viewer.
| (For me this is easy. I don't like things moving on webpages
| while I'm trying to read. If I want to see a video I'll
| download it, so I can save a copy, and play it in VLC. If
|
| http://www.zdnet.com/article/vlc-vulnerabilities-exposed/
| "Vulnerabilities have been discovered in some versions of the
| popular VLC media player which may allow a cyberattacker to
| corrupt memory and potentially execute arbitrary code."
|
http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=VLC_vulnerabilities.html
|

That's interesting. It's good to know about
such things. But I'm not going to lose
any sleep. I'm not using a VLC browser plugin,
and there's very little motive for someone to
put a video on youtube that will attack my
system offline. Especially given that I don't
download wacky cat videos from random posters.

| Note that it doesn't matter if you run VLC from your browser or
| download the file and run VLC separately.
| "Vulnerabilities in VLC allow for remote code execution or
| denial of service. VLC also has a remote code execution
| vulnerability in the web interface."
|

Remote means remote. If you download a file
and play it in VLC that's not remote execution.
Remote would mean playing it via webpage or
some other way of accessing it from a remote
location.

| It's like the admonition from my youth regarding unwanted
| pregnancies: the only SURE contraceptive is ABSTINENCE!
| I.e., the only sure way to avoid these vulnerabilities is
| to NOT import anything that you didn't create yourself.

I suppose that in the most extreme interpretation
you're right. I've decided that having sex carefully,
with my post-menopausal ladyfriend, is a "risk" I'm
willing to take. Good luck with the inflatables.


  #65   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 6,586
Default Check your Windows 10 block settings

rbowman wrote:
On 10/18/2015 06:50 PM, Tony Hwang wrote:
Roger Blake wrote:
On 2015-10-18, Tony Hwang wrote:
How come? Online shopping is easy and convenient, they can data mine
about me but I block all the spams, junk mails.

I find shopping locally using cash to be easy and convenient. It's
what I've always done, I'm not particularly going out of my way
or changing anything to do it.

Of course. Suit yourself. But IMHO, you're weird in this day and age.


I think it's weird when someone pulls out their Mastercard at a grocery
store to pay for a dozen donuts. I really get upset when the charge is
refused and they have to hunt up another card that might have a little
life in it. For a real fun time get in line behind someone with an EBT
card and a pocketful of dead plastic.


Hmmm,
I bought a new car with my card. When dealer hesitated I was going to
walk out the door. They don't like cash sale or full payment with CC.
They make better money on financed cars.


  #66   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 6,586
Default Check your Windows 10 block settings

Roger Blake wrote:
On 2015-10-19, Tony Hwang wrote:
Of course. Suit yourself. But IMHO, you're weird in this day and age.


To people my age paying in cash is normal, using credit/debit is the
weird thing. I'm certainly not the only one, those cash registers are
not being kept in service just for my benefit.

What today's young people think of it is really of no interest to me.

May I ask how old you are?
  #67   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 338
Default Check your Windows 10 block settings

On 2015-10-19, Tony Hwang wrote:
May I ask how old you are?


Old enough to have been paying cash at the butcher shop and the baker when
real silver coin was still in general circulation.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
  #68   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 6,586
Default Check your Windows 10 block settings

Roger Blake wrote:
On 2015-10-19, Tony Hwang wrote:
May I ask how old you are?


Old enough to have been paying cash at the butcher shop and the baker when
real silver coin was still in general circulation.

I still see some silver coins from now and then in our till. That does
not mean you're old.
  #69   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 338
Default Check your Windows 10 block settings

On 2015-10-19, Tony Hwang wrote:
I still see some silver coins from now and then in our till. That does
not mean you're old.


I'm talking about when they were all silver. When's the last time someone
paid for something at your establishment with silver dollars? I used to
use 'em all the time, they were nothing special.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
  #70   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 2,879
Default Check your Windows 10 block settings

On 10/18/2015 6:49 PM, rbowman wrote:
On 10/18/2015 06:50 PM, Tony Hwang wrote:
Roger Blake wrote:
On 2015-10-18, Tony Hwang wrote:
How come? Online shopping is easy and convenient, they can data mine
about me but I block all the spams, junk mails.

I find shopping locally using cash to be easy and convenient. It's
what I've always done, I'm not particularly going out of my way
or changing anything to do it.

Of course. Suit yourself. But IMHO, you're weird in this day and age.


I think it's weird when someone pulls out their Mastercard at a grocery store
to pay for a dozen donuts. I really get upset when the charge is refused and
they have to hunt up another card that might have a little life in it. For a
real fun time get in line behind someone with an EBT card and a pocketful of
dead plastic.


The *worst* is someone who fishes around for a checkbook...
then starts hunting for a pen...
then thumbs through *carbons* of previous checks to find check #7125...
then starts writing out the check...
then discovers that the ink cartridge is "retracted"...
then discovering that the pen is *dead*...
then hunting for scrap paper to "scribble on" to "reprime" the pen...
then asking the cashier for a pen...
then asking who the check should be paid to...
then...

and, EVENTUALLY, getting *****y* that someone waiting makes a comment about
how SLOW they are!




  #71   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 338
Default Check your Windows 10 block settings

On 2015-10-19, Don Y wrote:
The *worst* is someone who fishes around for a checkbook...
then starts hunting for a pen...
...


I'm with you there. I was never inclined to use checks in a store, just
seems like a PITA with little if any benefit.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
  #72   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 6,586
Default Check your Windows 10 block settings

Roger Blake wrote:
On 2015-10-19, Tony Hwang wrote:
I still see some silver coins from now and then in our till. That does
not mean you're old.


I'm talking about when they were all silver. When's the last time someone
paid for something at your establishment with silver dollars? I used to
use 'em all the time, they were nothing special.

Hey, I am up here in Canuck land. I never carry coins of any kind.
I don't want holes in my pants pockets. Smart phone and CC is all I need.
  #73   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 6,586
Default Check your Windows 10 block settings

Don Y wrote:
On 10/18/2015 4:06 PM, Tony Hwang wrote:
Don Y wrote:


If you're deliberately avoiding all of these "tracking/profiling
opportunities", I suspect your lifestyle has *significantly* been
compromised to make that happen


Simply put they know more about me than I know about myself, LOL!


They have AN INTEREST in knowing -- you probably *don't*! :

My MD asks me questions that I'd never think of asking myself.
*He* knows how those things correlate with things that he might
be looking for.

Similarly, folks thinking of extending credit to me might be
interested in how diligently I get annual physicals (i.e., if
I don't exercise discipline over my own PHYSICAL HEALTH,
I'm probably less likely to exercise discipline over my FISCAL
HEALTH!)

Folks always think there has to be some IDENTIFIABLE *reason*
for a correlation. Actuaries (and others who make decisions
based on probabilities) only care about the fact that a
correlation APPEARS to exist -- they don't really care *why*
as long as the correlation is statistically reliable!

People who drive white cars tend to have fewer accidents.
Is this because white cars are safer? Or, because people
who aren't concerned with the color of their car tend
to have a more cautious personality? Or, because OTHER
drivers can more readily *see* white vehicles (to avoid
them)?

shrug

Maybe it is easier to see white cars day or night. One of my BIL
(wife's side) always buys/drives white cars. Once I heard from a
painter, matching white or ivory black is most difficult.
  #74   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 338
Default Check your Windows 10 block settings

On 2015-10-19, Tony Hwang wrote:
Hey, I am up here in Canuck land. I never carry coins of any kind.
I don't want holes in my pants pockets. Smart phone and CC is all I need.


You wanted to know how old I was - while I'm loath to provide specific
personal information I wanted to give you a ballpark indicator. Another
is that I'm old enough to have watched 'I Love Lucy' and 'The Honeymooners'
during their original run, on a TV set like this one:

http://www.vintagetvsets.com/images/philcof1.jpg

(I actually still have a set similar to the above, though it needs to
be serviced.)

If you want the details of your life to be an open book that is totally up
to you. On the other hand, cash is freedom and privacy. I'll be sticking
with it.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
  #75   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 2,879
Default Check your Windows 10 block settings

On 10/18/2015 6:52 PM, Mayayana wrote:
| The exploits I mentioned previously don't require any
| "remote software" to be executed from the 'net. *But*,
| as each of these non-ASCII-text files requires something
| to *interpret* their contents (as a photograph, audio
| clip, video clip, etc.) then those non-ASCII-text files
| are, essentially, *programs*! They control the behavior
| of their respective "decoders" when you apply those decoders
| to those files.

That's not true. The exploits you listed all
involve a weakness in executable code -- either
compiled binaries or script. Most involve javascript.


Then spend some time and find examples that *aren't*.
I have no skin in this game. Exploits will *always* be
in "compiled code" -- that is being tricked into doing
something that it wasn't properly designed to AVOID!

Many of those *also* require a binary like Flash.
The rare exception would be something like the
gdiplus.dll bug that could be exploited with JPGs.


Have you ever read the descriptions for the updates Windows
pushes? Ever notice how many claim to be to fix a "security
vulnerability"?

This is the polite way of saying the developer screwed up and
didn't anticipate someone MISUSING the code he wrote. How
does someone misuse code? Ans: they present it with "inputs"
that have been crafted to exploit unexpected patterns in
that data. I.e., violating basic ASSUMPTIONS that the developer
made -- inappropriately.

I received a nastygram from a bank many years ago claiming
that they would have to withhold a portion of my interest
income because I had not provided them with my SSN. Yet,
my SSN was printed right below my name ON THAT LETTER!

Guy who wrote the "code" to decide who should get those letters
assumed "0" (in the corporate database) would indicate "no SSN".
And, I'm sure he tried a test case with a bogus user having a
SSN of "0".

But, he implemented his test in such a way that anyone whose SSN
*began* with '0' would be seen as having *no* SSN on file. Those
of us who had SSN's issued in the Northeast ALL have SSN's
beginning with '0'. Of course, as the bank was in Colorado and
most customers were probably from that area (with SSN's that
reflected that part of the country), it took a while for the
software to stumble on folks (like me) that tickled that bug.

That bug could just as easily have decided to mail me an interest
payment, etc.

(Gdiplus was fairly new at the time.) Data files that
are not interpreted as executable -- whether text
or not -- are almost never a risk because they're
not doing anything. (Again, I'd be interested to
hear if there are any examples besides the one-time
JPG issue, which was many years ago.)


Sit down with Google and an hour of *your* time and
I'm sure you'll be able to find lots of exploits.
PDF's are a habitual source of vulnerabilities -- largely because
PostScript is a Turing-complete programming language (and
PDF's are based on PS).

I've never heard of any vulnerability in HTML.


Thirty seconds with google: CVE-2014-6332

"The IBM X-Force Research team has identified a significant
data manipulation vulnerability (CVE-2014-6332) with a CVSS
score of 9.3 in every version of Microsoft Windows from
Windows 95 onward"

"The bug can be used by an attacker for drive-by attacks to
reliably run code remotely and take over the user’s machine
— even sidestepping the Enhanced Protected Mode (EPM) sandbox
in IE 11 as well as the highly regarded Enhanced Mitigation
Experience Toolkit (EMET) anti-exploitation tool Microsoft
offers for free."

It defines graphical layout. It's not interpreted
as executable code. It's sometimes possible to
crash a browser with faulty HTML, but that's just
a case of "choking" the software. There's no
executable code involved.


All input causes a program to alter its behavior. So,
*any* input can conceivably lead to an exploit in an
inadequately designed application.

Passing letters to a program expecting digits can
cause that program to barf. The Y2K bug could
manifest in many ways based on how the date processing
code responded to the "unexpected" '2' in the leftmost
position (I've seen dates displayed as "1 January 19A0")

Passing too many characters to a program expecting a
lesser number can cause it to barf (buffer overrun).

If "barf" results in the contents of some portion
of memory being overwritten, then you can carefully
craft an exploit that puts "specific" values in that
memory

| If I email you a receipt for a purchase
| as a PDF, then the act of opening it means your "PDF decoder"
| has now been tricked into "interpreting" the information
| embedded in that file (just like a computer interprets a
| computer program).

You're misusing the word interpret. A computer
doesn't interpret a program. The program itself
accesses the CPU, RAM and disk.


It's a semantic difference with no consequence.
Doesn't the CPU's *hardware* "interpret" the bytes
that are fed to it via its bus interface unit?
If I write a simulator and feed it the same byte
sequence, it is clearly interpreting the bytes
yet the result is the same.

A program processing input is a PROCESSOR. It is
interpreting the input and REACTING according to
rules that are encoded into its implementation.
Just like a CPU interprets opcodes and REACTS
according to the rules encoded in its implementation.

[You do realize that most CPU's, nowadays, are microcoded?
I.e., there are little PROGRAMS running in response to each
byte fetched. These programs *emulate* the legacy
instructions that we think of as "x86 machine language"]

Script is text
that's interpreted as executable code, but that
makes it just like a compiled program, in that
the interpreter is a program acting under the
direction of the script. A PDF is not interpreted
as executable code. What the PDF reader gets from
the PDF data is information about text, fonts,
colors and layout. The problems with PDF are due
to allowing javascript in PDFs to run.


No. PDF's encapsulate PostScript. Sit down with a PS
manual and WRITE A PROGRAM... IN POSTSCRIPT... to
print the numbers from 5 through 27. Then, write a PROGRAM
to convert any numeric entry to its textual equivalent;
e.g., 123 -- one hundred and twenty three.

Do this with Acroscript disabled!

Better yet, take that "program" and send it to your PostScript
*printer* (which has no concept of Jscript!). You'll find that
it generates the same correct output!

| The browser *is* executable code! The OS is executable code.
| The JPG decoder is executable code. The PDF reader is executable
| code. Anything that *does* anything does it by executing code!

I don't know how many ways I can explain it.
As I said, I'd be interested to know if you find
any vulnerabilities that do not directly involve
executable code.


What do you mean, like files that compromise the computer WHEN THE
POWER IS OFF? When the computer is *on*, it is executing code.
The code that it executes was created by a fallible human being.
That developer's ASSUMPTIONS are embodied in the code. Exploits
take advantage of these assumptions to trick the code to do
things that it wouldn't otherwise do -- if presented with
CORRECT (expected) INPUT.

They're few and far between.
In other words, a browser is, of course, executable
code, but you can't hijack it by telling it to draw
a table with a blue background.


Sure! If the part of the browser that parses the HTML to
recognize "blue" figures the only colors that will ever be
specified in an HTML file ("input" to the browser) are
red
black
chartreuse
yellow
pinkpolkadotted
coffee
and, as a result, pinches pennies and allocates a buffer
to store the color name and allows that buffer to hold
15 characters (the length of the longest expected color
name -- "pinkpolkadotted"), then I can create a web page
that says "draw a table with a background that has the
color DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDD".
The sloppy browser code sees the "color" keyword and then
gobbles up the next "word" -- expecting it to be a color.
Since it KNOWS the longest (legal) color name is
"pinkpolkadotted", it won't be prepared for those extra 40
characters (there are 55 D's in the above example).

So, whatever resides in memory AFTER that buffer that stores
the color will be overwritten with 40 D's (the first 15 D's
will reside in the buffer).

This might have amusing effects. Or, might crash the browser.
Or...?

I might, instead, have to pass a string of 5000! D's in order
to ensure something much farther away from that color buffer
gets clobbered. But, I can play around all day to see what
gives the results I seek -- I've got the same browser
available on *my* computer and I can actually WATCH to see
what gets clobbered *inside* the browser.

A browser is
hijacked by getting it to run executable code --
via the javascript "engine" or a faulty plug-in.


Or a fault in the browser's code itself!

| Adobe crap at all. Don't enable script. Don't install Java.
| Don't run videos and music in browser plugins like Flash.
| Don't enable script in your PDF viewer.
| (For me this is easy. I don't like things moving on webpages
| while I'm trying to read. If I want to see a video I'll
| download it, so I can save a copy, and play it in VLC. If
|
| http://www.zdnet.com/article/vlc-vulnerabilities-exposed/
| "Vulnerabilities have been discovered in some versions of the
| popular VLC media player which may allow a cyberattacker to
| corrupt memory and potentially execute arbitrary code."
|
http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=VLC_vulnerabilities.html

That's interesting. It's good to know about
such things. But I'm not going to lose
any sleep. I'm not using a VLC browser plugin,
and there's very little motive for someone to
put a video on youtube that will attack my
system offline. Especially given that I don't
download wacky cat videos from random posters.


In your last post, you suggested VLC was a way you could *protect*
yourself from browser vulnerabilities. What's your *new* scheme
given that VLC is vulnerable? Are you sure your alternative
won't also have some OTHER vulnerability?

| Note that it doesn't matter if you run VLC from your browser or
| download the file and run VLC separately.
| "Vulnerabilities in VLC allow for remote code execution or
| denial of service. VLC also has a remote code execution
| vulnerability in the web interface."

Remote means remote. If you download a file
and play it in VLC that's not remote execution.
Remote would mean playing it via webpage or
some other way of accessing it from a remote
location.


So, I embed the instructions in the video file to do the damage that
I want OFFLINE! Remote exploits are more precious to a hacker
because *he* can then control the actions of your machine -- instead
of embedding those actions unconditionally in the exploit.

[The days of erasing hard disks as an exploit are long gone]

None of the Iranian centrifuges were internet connected...

| It's like the admonition from my youth regarding unwanted
| pregnancies: the only SURE contraceptive is ABSTINENCE!
| I.e., the only sure way to avoid these vulnerabilities is
| to NOT import anything that you didn't create yourself.

I suppose that in the most extreme interpretation
you're right. I've decided that having sex carefully,
with my post-menopausal ladyfriend, is a "risk" I'm
willing to take. Good luck with the inflatables.
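
The color-name overrun described in post #75, as an added example that is not part of any poster's message: a sloppy parser that trusts the 15-character limit beside a careful one that checks length and accepts only the six listed names. The struct layout, function names and the 48-byte `neighbor` region are assumptions made for illustration; the buffer here is 16 bytes (15 characters plus the terminator), so 16 D's land in the buffer and the remaining 39 plus the terminator spill into the neighbor.

```c
#include <stdio.h>
#include <string.h>

#define COLOR_MAX 15  /* strlen("pinkpolkadotted"), the longest expected name */

/* Constructed stand-in for the parser's memory: the color buffer followed
   by whatever else happens to live next to it. */
struct parser_state {
    char color[COLOR_MAX + 1];
    char neighbor[48];
};

static const char *const known_colors[] = {
    "red", "black", "chartreuse", "yellow", "pinkpolkadotted", "coffee"
};

static void init_state(struct parser_state *st) {
    memset(st->color, 0, sizeof st->color);
    memset(st->neighbor, '.', sizeof st->neighbor);
}

/* The sloppy parser: assumes a color word always fits in color[]. The copy
   is capped at the struct size only so this demo stays within defined
   behavior; a real strcpy() would have no cap at all. */
static void sloppy_set_color(struct parser_state *st, const char *word) {
    size_t n = strlen(word) + 1;
    if (n > sizeof *st) n = sizeof *st;
    memcpy(st, word, n);  /* color is the first member, so the copy starts there */
}

/* The careful parser: check the length first, then accept only known names. */
static int careful_set_color(struct parser_state *st, const char *word) {
    size_t i, len = strlen(word);
    if (len > COLOR_MAX) return -1;
    for (i = 0; i < sizeof known_colors / sizeof known_colors[0]; i++) {
        if (strcmp(word, known_colors[i]) == 0) {
            memcpy(st->color, word, len + 1);
            return 0;
        }
    }
    return -1;
}

/* Count how many bytes after the color buffer no longer hold their fill. */
static int clobbered(const struct parser_state *st) {
    int n = 0; size_t i;
    for (i = 0; i < sizeof st->neighbor; i++) if (st->neighbor[i] != '.') n++;
    return n;
}

/* Feed 55 D's to one parser and report how many neighbor bytes changed. */
int run_demo(int careful) {
    struct parser_state st;
    char word[56];
    memset(word, 'D', 55); word[55] = '\0';
    init_state(&st);
    if (careful) careful_set_color(&st, word); else sloppy_set_color(&st, word);
    return clobbered(&st);
}

int main(void) {
    printf("sloppy:  %d neighbor bytes clobbered\n", run_demo(0));
    printf("careful: %d neighbor bytes clobbered\n", run_demo(1));
    return 0;
}
```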




  #76   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 6,586
Default Check your Windows 10 block settings

Roger Blake wrote:
On 2015-10-19, Tony Hwang wrote:
Hey, I am up here in Canuck land. I never carry coins of any kind.
I don't want holes in my pants pockets. Smart phone and CC is all I need.


You wanted to know how old I was - while I'm loath to provide specific
personal information I wanted to give you a ballpark indicator. Another
is that I'm old enough to have watched 'I Love Lucy' and 'The Honeymooners'
during their original run, on a TV set like this one:

http://www.vintagetvsets.com/images/philcof1.jpg

(I actually still have a set similar to the above, though it needs to
be serviced.)

If you want the details of your life to be an open book that is totally up
to you. On the other hand, cash is freedom and privacy. I'll be sticking
with it.

Both you and the TV set are antiques, dinosaurs, LOL!
I am guessing I am as old as you are.

  #77   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 338
Default Check your Windows 10 block settings

On 2015-10-19, Tony Hwang wrote:
Both you and the TV set are antiques, dinosaurs, LOL!
I am guessing I am as old as you are.


Always tough to tell in this medium. I've found most of the smartphone
crowd tend to be youngsters but there are always exceptions.

--
-----------------------------------------------------------------------------
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
-----------------------------------------------------------------------------
  #78   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 593
Default Check your Windows 10 block settings

On 10/18/2015 08:11 PM, Tony Hwang wrote:
I bought a new car with my card. When dealer hesitated I was going to
walk out the door. They don't like cash sale or full payment with CC.
They make better money on financed cars.


I just write a check. The last car I bought the salesman kept launching
into his financing deal even though I'd made my intention to pay cash
clear. He just couldn't help himself; it was part of his programming.

The last time I financed was back in '80 when they had a $99 down 0%
deal to try to move cars off the lot. It was GMAC's money and boosted my
credit rating.

It's just how I was brought up. You save the money and then you buy what
you want; you don't go in hock for it.

  #79   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 593
Default Check your Windows 10 block settings

On 10/18/2015 08:37 PM, Don Y wrote:
The *worst* is someone who fishes around for a checkbook...
then starts hunting for a pen...
then thumbs through *carbons* of previous checks to find check #7125...
then starts writing out the check...
then discovers that the ink cartridge is "retracted"...
then discovering that the pen is *dead*...
then hunting for scrap paper to "scribble on" to "reprime" the pen...
then asking the cashier for a pen...
then asking who the check should be paid to...
then...

and, EVENTUALLY, getting *****y* that someone waiting makes a comment about
how SLOW they are!


That really burns my butt at Costco. You sign the check and the cashier
runs it through the machine that prints the rest but you always have
half blind, half senile Aunt Millie trying to fill it out for herself.


  #80   Report Post  
Posted to alt.home.repair
external usenet poster
 
Posts: 593
Default Check your Windows 10 block settings

On 10/18/2015 08:46 PM, Tony Hwang wrote:
Hey, I am up here in Canuck land. I never carry coins of any kind.
I don't want holes in my pants pockets. Smart phone and CC is all I need.


That works until it doesn't. Around here it isn't hard to find stores
that don't do plastic and cell reception gets spotty outside of town and
the interstates.
