Would you consider making available a video showing someone using the app?

I've tried it various times over the last couple years, using different browsers with various privacy settings enabled and a VPN.

I can get good partial results and am able to reset my fingerprint by changing my OS and browser at the same time, so it's not entirely there with regards to sniffing the hardware. But I can never revisit the site and have it not recognize me. Is there no one but me using (for example) Debian testing Librewolf with resistFingerprinting on Proton VPN? If there are others, then resistFingerprinting is doing a bad job hiding my hardware.

That's depressing! Despite our genuine best efforts, enough identifiers leak that it seems to me there's no practical solution. I am genuinely at a loss for what we can do.

(If you're reading this and think it doesn't matter, it's possible you're not realizing that this means that any site collecting and storing these identifiers now will be able to talk to any site in the future and link your identity. Your past actions on every website on a given piece of hardware are liable to be linked to create a detailed profile in the future, so even if Reddit and Pornhub and Discord and the government aren't talking to each other now, you can put some decent probability in the fact that if they decided to share identifiers, they could link all your historical (signed out) activity to your real-world identity without much effort. I use those sites as examples because they're sites where people tend to generate information that they may want private, but they visit using the same hardware identifiers.)

There's definitely problems but the solution isn't to make the iPhone a general purpose computer. We definitely need to defend the existence of general purpose computing at a time where regulation is likely to begin encroaching on it, but the promise of the App Store is "pay a 30% tax and any app you download here will be safe." In my mind, at least, that's the promise, and perhaps one solution to the situation would be to erect consequences to breaking that promise.

Yes, this has the side effect of making them more money and allowing a walled garden to form, but given that the vast majority of users wouldn't do anything different with their phones if a shell was present, this is in my opinion not that large of an effect.

The snide around "clicking on links is dangerous" and locking down the bootloader is unwarranted, because for most people a phone is not a toy (or at least, not just a toy) - it has their communications history, their bank information, their passwords, any many more. And it's really easy to steal people's phones on the subway. This isn't about freedom of computing, this is about the fact that an iPhone in BFU is nearly as secure as a GrapheneOS phone.

There are many problems with Apple software. It's buggy, uses proprietary formats that you can't export, and interoperable with open standards. It's bad, and is the primary reason why I won't buy another iPhone, but Macs have that same problem. On the other hand, being cryptographically locked-down is an optional feature. If you don't like it, buy a computer without that feature. It's harmful to us, to tinkerers and people who want to see how things work, but the average person does not care at all and just wants to be able to open LOVE-LETTER-FOR-YOU.TXT.vbs without having their 401k get drained.

Can you give an example of how less private solutions will benefit them and their sponsors? I could see big tech / adtech and government surveillance benefitting but I don't think they're the ones behind this push.

As another example, consider the "small web" community, say at Bear Blog, which is a group of technically sophisticated people who routinely complain about the harms of traditional social media. I doubt most of them would support this particular implementation, but they show that there is popular support for solving the ills of at least one of the targets of this legislation.

So to answer your question, yes, I do see this as an attempt to protect people. The restriction of free speech is in my opinion a side effect of this legislation opening the way to worse-designed laws in the future.

Let's try to figure out what a good policy solution looks like:

- entities with harmful or adult content must require proof of the user being over 18

- entities cannot ask for, store, or process more detailed information without explicit business needs (this should be phrased in a way that disallows Instagram from asking for your birth year, for example)

- entities cannot share this data with other sites, to avoid privacy leaks, unless there is an explicit business need (this is tricky to get right; someone might try to set up a centralized non-anonymous age-verification service, erasing many benefits)

- entities must in general not store or process information about the user that is not strictly relevant to their function

- there ought to be different treatment for anonymous users (which ideally these protocols will allow, just submit proof of work plus a ZKP that you are a human and authorized to access the resource) compared to pseudonymous and non-anonymous users, who are more at risk of being censored or tracked.

There's some loopholes here, but if the government can enact good policy on this I personally think it's feasible. Please share your thoughts, if you have a minute to do so.

There's also an interesting political split to note among the opposition here. I see a lot of people vehemently against this, and as far as I can see this is largely for concerns regarding one of 1) privacy abuses, 2) censorship, or 3) restriction of general computing. Still, there is a problem with harmful content and platforms on the web. (Not just for minors, I don't think we should pretend it doesn't harm adults too.) The privacy crowd seems to be distinctly different from the computing-freedom crowd; the most obvious example is in attitudes towards iOS. As I personally generally align more towards what I perceive as the privacy-focused side, I'm very interested in what people more focused on software freedom think about zero-knowledge proofs as a politically workable solution here.

The easiest source of this is local network attacks, and it's not that unusual. In this case you could imagine a teacher at school who knows how to use Metasploit.

It doesn't seem like it has to be local network, though, the computer just has to receive the packet somehow. So for example if the watch loads a website or connects to some service on the internet (firmware updates, cloud sync, telemetry, whatever), an attacker could try to receive/intercepts/redirect that traffic and serve the payload through that channel.

You might need the watch has no certificate pinning or weak certificate validation if it's using TLS but IoT devices often skip TLS.

Let me know if I'm misunderstanding the quote.

In the related links at the bottom, https://gdir.telae.net/links.html, the Git repo https://github.com/pafoster/gdir.telae.net is available along with some other cool things.

For example, Scott Alexander wrote in 2014 on his blog Slate Star Codex about how Omega-3 lowers crime rates and Omega-6 increases crime rates. And he links to some cool RCTs where you can check the methodology yourself.

https://slatestarcodex.com/2014/02/18/proposed-biological-ex...

Eat your fish!

I found some search results about Texas Instruments' digital signal processors using 16-bit bytes, and came across this blogpost from 2017 talking about implementing 16-bit bytes in LLVM: https://embecosm.com/2017/04/18/non-8-bit-char-support-in-cl.... Not sure if they actually implemented it, but that was surprising to me that non octet bytes still exist, albeit in a very limited manner.

Do you know of any other uses for bytes that are not 8 bits?

I'm aware of the programs Snowden revealed, Tempora / XKeyscore / Longhaul / the like, plus I've heard J. Edgar Hoover did bad things and lots of CIA meddling internationally was bad. Still, these seem qualitatively different to the explicit blackmail you're referring to.

Do you (or someone else reading this) know of historical examples that demonstrate a pattern of this sort of thing? You can interpret "this sort of thing" as you wish.

That's a lot to ask for on the spot, so if not, I would be interested in what generally makes you approach the situation from this cynical angle, especially given that it's the FBI. In my experience, which is fairly limited but is as a US citizen, most of the time the US government mostly follows the law and doesn't do this sort of thing to citizens.

Very cool writeup, thanks for digging into all those data sheets and sharing it with us! I feel like the hands-on electronics stuff has always been a little bit inaccessible to me, but posts like these always make me a little more excited to start doing little projects myself. So thanks for posting.

Bubblewrap is a it's a very minimal setuid binary. It's 4000 lines of C but essentially all it does is parse your flags ask the kernel to do the sandboxing (drop capabilities, change namespaces) for it. You do have to do cgroups yourself, though. It's very small and auditable compared to docker and I'd say it's safer.

If you want something with a bit more features but not as complex as docker, I think the usual choices are podman or firejail.

How are you guys dealing with this risk? I'm sure on this site nobody is naive to the potential harms of tech, but if you're able to articulate how you've figured out that the risk is worth the benefits to you I'd love to hear it. I don't think I'm being to cynical to wait for either local LLMs to get good or for me to be able to afford expensive GPUs for current local LLMs, but maybe I should be time-discounting a bit harder?

I'm happy to elaborate on why I find it dangerous, too, if this is too vague. Just really would like to have a more nuanced opinion here.

I also suspect that those who lived through the days of frequent Windows errors and Chrome running out of memory all the time often expect software to fail in weird and unexpected ways, and a lot of people adopt a "don't fix it if it isn't broken" mindset.

Still, uBlock Lite and Brave browser are definitely easy wins and I'm glad to see more random people in my life using them than I would have expected. :)

I like using silly fonts, e.g. Comic Sans Mono has been my daily driver for the past year or so, and it's really fun to see the Minecraft fonts and old DOS and VT323 fonts. If anyone's into retro computing, it's worth checking those out, particularly the website link for the IBM VGA 9x16, which has loads and loads more old fonts.

I think I'll try using Monocraft in the shell for a while and see if it works well for me, though I might stick to Comic Sans for actual coding :)