Yikes. As some Tor users may know, the UN drafted the Unified Declaration of Human Rights, which in principle calls for privacy respect and inclusion. That same UN blocks the Tor community from their website. Indeed, being denied access to the text that embodies our human rights is rich in irony.

Well that same UN plans to create a “Global Digital Compact” to protect digital human rights. It’s a good idea, but wow, they just don’t have their shit together. I have so little confidence that they can grasp the problems they are hoping to solve. Cloudflare probably isn’t the least bit worried. Competence prevailing, Cloudflare should be worried, theoretically, but the UN doesn’t have the competence to even know who Cloudflare is.

One quite annoying Lemmy behaviour is when you search for a community that has many results spanning multiple screens (e.g. query “software”), the list is largely clusterfucked with crappy centralised instances that go against the #fedi philosophy (e.g. #lemmyWorld, #ShItjustWorks, #lemmyCa, #LemmEE, #LemmyZip, #programmingDev, etc).

I discovered a fix: ctrl-rt-click on every community in the list to open each in a tab. Then click “block community”, then repeat the search. It works the way it should: blocked communities are excluded from search results.

Wish I realised that sooner.. would have saved me some effort and frustration in trying to search only for communities in the decentralised free world.

The problem:

Most #fedi authors post links with no idea if the hosting server discriminates against people, or who. The consequence is that the fedi is muddied with references to exclusive venues that do not treat people equally, which wastes the time of readers who are impacted by discrimination. A variety of walled gardens pollute our threadiverse experience. So how can we remedy this?

Proposed fix:

Suppose we create a community and designate it as a testing area which welcomes bots. So e.g. I post something in the test community, and a bot that is paywall-aware replies yes or no whether the link is paywall-free. A bot that is Cloudflare-aware does the same. A regional bot, such as a bot in Poland can check that Polish IP addresses can reach the URL and make noise if the website blocks Poland. Etc. It need not be just bots.. someone in some oppressed region might manually attempt to visit links and report access problems. We would certainly like a bot in a GDPR region to test whether access is refused on the basis of a data controller’s unwillingness to respect GDPR rules. The OONI project could have a bot that reports anything interesting in their database.

There could also be anti-enshitification bots, which point out things like cookie walls.

There are bots that find better links to replace Cloudflare links. Those bots could help direct authors to better URLs to share.

There could be a TL-DR bot that replies with a summary or even the full text, so an author can decide before posting in the target community whether to omit a shitty link and just post the content.

(update) It’s worth noting that for Mastodon there an ad hoc tool. If you follow @[email protected], that bot will follow you back and analyze every URL you share for whether it is Cloudflared. If yes, it will DM you with alternative URLs.

Note that the mitigator bot is quite loose it its judgement. If the host is not Cloudflared but another host on the same domain is Cloudflared, it is treated as a positive because it’s assumed that when you visit the host it will link to other hosts on the same domain.

The linked¹ #gemini article is the political platform of the French green party in Belguim w.r.t. digital rights. It was translated from French.

I’m overall impressed enough to vote for them. But I do have some concerns:

“At the Belgian level, we propose to establish a legal guarantee of 5 years for new electronic devices.”

Yikes, waaay too short. Needs to be at least 10 years. But it helps that they advocate FOSS:

“Generalize the ability to use free software on all devices to decrease software obsolescence.”

Though this statement is far too vague. If a maker of hardware with proprietary non-free software only gives 5 years of support, there needs to be a legal obligation that they port FOSS to the device at the end of the warranty. This is missing in the green party’s plan.

A lot of other things are missing in their plan, but generally their principles are sensible.

¹ (edit) actually it cannot be linked using the URL field due to a #LemmyBug. But at least it was linkable in the msg body.

Might be useful for some.. but note that it uses CF to get the CIDRs.

Mastodon used to show people the mirrored version of federated content which shielded users from Cloudflare’s discriminatory blockade. But something apparently changed. If I try to visit this mirror of a mastodonapp.uk status on layer8.space:

https://layer8.space/@[email protected]/112387605497275701

it redirects to:

https://mastodonapp.uk/@tmmj/112387605489133663

which is apparently a shitty Cloudflare node that deceives us into thinking the account does not exist. If you are logged into the mirrored node, then it does not redirect and you can see the content. Of course, only if you have an account on the mirror which means anonymous viewing is no longer possible.

If I want to share that layer8.space link with other people, it would be an injustice to share the mastodonapp.uk link because it’s in a walled garden that excludes people. It would be like sharing a Facebook link with an audience that includes people outside of Facebook. So naturally I would share the layer8.space version because layer8.space allows all people to visit. But now this is impossible. Cloudflare’s stranglehold of control has been increased by this Mastodon move.

Worse, Cloudflare has started pushing error code 404, not 403. So CF is misrepresenting the error to suggest that the page does not exist. Cloudflare has carte blanche in fucking up the web. A 404 error is supposed to inform users that an object is not found, not that they are not authorised to access it.

The attached image is what Cloudflare-excluded people see when trying to visit this image:

https://files.mastodonapp.uk/media_attachments/files/112/387/580/865/787/635/original/f4442c8789ad52c2.png

When an image is posted by someone on a Cloudflared instance like the following:

• #LemmyWorld
• #ShitJustworks
• #LemmyCA
• #LemmyEE
• #LemmyZip
• #LemmyOne

the image is inaccessible to all demographics of people who Cloudflare discriminates against because images are not mirrored to federated nodes.

We expect corporations to not give a shit about marginising people who are not profitable enough to care about. But when naive asshole users outnumber progressive egalitarians, it highlights a problem with the fedi, which still lacks the tooling needed to keep oppression at bay.

The six listed nodes above effectively host the AOL users of our time. Lacking the sophistication needed to detect and grasp situations of eroded digital rights with a degree of blindness and lack of concern for centralised corporate control.

Suggestions needed for Lemmy nodes that are defederated from the above listed six.

cross-posted from: https://sopuli.xyz/post/11709471

Many political parties are allowing Cloudflare to block some demographics of voters from seeing election info on their own candidates. These political parties are running exclusive websites:

• PS/Vooruit (Socialist / Parti Socialiste [fr/nl])
• Défi (previously part of the MR, now more at the center [fr])
• CD & V (center / Christen Democratisch en Vlaams [nl])
• Groen (Green Party [nl])
• Open VLD (liberal [nl])

Effectively they are operating in an anti-democratic fashion. Open and inclusive access to election info is paramount to democracy.

The political parties who are running inclusive websites are (quite ironically) the right-wing parties. And funnily enough, some of the right-wing parties actually have an English version of their website as well. This defies their historic reputation as being relatively xenophobic. If voting purely on the basis of digital rights and digital inclusion fostered by their website implementation, the right-wingers are the clear winners here.

Voting left entails supporting parties that suppress election info from some demographics of people. Voting right is a non-starter on general principle (e.g. climate denial). Voting is mandatory but there is said to be a “none of the above” option.

(edit) OTOH, the French green party (ecolo.be) has an open website. Perhaps that’s a decent way to vote.

IMO this is a #netneutrality issue due to lack of access equality. People with old phones are discriminated against.

cross-posted from: https://infosec.pub/post/11021006

…
TLS-encumbered captive portal (transit service)

A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:

net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.

It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:

• I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).

• Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.

I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.

Bypass methods

I guess I need to study:

• ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
• SSH tunnel
• others?

Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:

• MultiVNC - VNC over SSH
• AVNC - VNC over SSH
• ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
• VX ConnectBot - same as connectBot but expanded

I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.

My to-do list of things to tinker with so far:

• Captive Portal Controller
• ~~CaptivePortalLogin~~ (AOS 6+, and no Izzy archives on this)
• Hotspot Login

Legal options

If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.

And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

Some people think Cloudflare is not a “walled garden”. This article goes to a great extent to show not only that Cloudflare is a #walledGarden, but it’s actually more of a walled garden than the well known ones (Facebook & Google).

(⚠ Enshitification warning: The linked article has a cookie wall; just click “reject” and the article appears)

Google is ending the public access to the cache of sites it indexes. AFAICT, these are the consequences:

• People getting different treatment due to their geographic location will lose the cache they used as a remedy for access inclusion.
• People getting different treatment due to having a defensive browser will lose access.
• The 12ft.io service which serves those who suffer access inequality will be rendered useless.
• Google will continue to include paywalls in search results, but now consumers of Google search results will be led to a dead-end.
• The #InternetArchive #WaybackMachine will take on the full burden of global archival.
• Consumers will lose a very useful tool for circumventing web enshitification.

Websites treat the Google crawler like a 1st class citizen. Paywalls give Google unpaid junk-free access. Then Google search results direct people to a website that treats humans differently (worse). So Google users are led to sites they cannot access. The heart of the problem is access inequality. Google effectively serves to refer people to sites that are not publicly accessible.

I do not want to see search results I cannot access. Google cache was the equalizer that neutralizes that problem. Now that problem is back in our face.

There is hardly any discussion on this trending variety of web enshitification where a website needs to give physical locations to people. Many web devs are starting to spotlight their profound incompetence in accomplishing this very simple task. They throw up an interactive map which requires the full utilization of fancy GUI browser frills that excludes all but those who “chase the shiny”. A 1990s high schooler to do this better in plain HTML.

Doesn’t this screw over blind people? How does a screen reader handle a map?

My hardened low-bandwidth browser can’t handle this absurd degree of putting fancy above access equality. When this shit happens on a vendor’s website and I’m trying to locate them to give them business, the answer is easy: they can fuck off and lose my business. But it’s sad when a government does it and the information has medical relevance.

This is what it looks like when a Tor user attempts to fetch a file or even just obtain the size of a file from a Cloudflared resource like #LemmyWorld.

TMC is a broadcast of traffic information which usually uses an FM signal. These protectionist countries encrypt the data:

• #Australia
• #Finland
• #Germany
• #Italy
• #Norway
• #Sweden

That’s fucked up, is it not? Shouldn’t publicly funded information be open to the public? These countries provide unencrypted #TMC data:

• Estonia
• France

#openData

cross-posted from: https://lemmy.dbzer0.com/post/6251633

LemmyWorld is a terrible place for communities to exist. Rationale:

• Lemmy World is centralized by disproportionately high user count
• Lemmy World is centralized by #Cloudflare
• Lemmy World is exclusive because Cloudflare is exclusive

It’s antithetical to the #decentralized #fediverse for one node to be positioned so centrally and revolting that it all happens on the network of a privacy-offender (CF). If #Lemmy World were to go down, a huge number of communities would go with it.

So what’s the solution?

Individual action protocol:

1. Never post an original thread to #LemmyWorld. Find a free world non-Cloudflare decentralized instance to start new threads. Create a new community if needed.
2. Wait for some engagement, ideally responses.
3. Cross-post to the relevant Lemmy World community (if user poaching is needed).

This gets some exposure to the content while also tipping off readers of the LW community of alternative venues. LW readers are lazy pragmatists so they will naturally reply in the LW thread rather than the original thread. Hence step 2. If an LW user wants to interact with another responder they must do so on the more free venue. Step 3 can be omitted in situations where the free-world community is populated well enough. If /everything/ gets cross-posted to LW then there is no incentive for people to leave LW.

Better ideas? Would this work as a collective movement?

Before sharing a link I would like to determine whether the website excludes people from access, and who is excluded. I can test for myself whether the Tor community is excluded but what about:

• VPNs
• i2p
• public libraries
• #cgNAT-issued IP addresses (often from impoverished regions)
• various geographical regions
• particular browsers (e.g. lynx, w3m, non-chrome-based…)

for example? I cannot check all those means of access. If a website is implementing some form of digital exclusion, I would like to ensure that I am not helping the exclusive website gain visitors.

#askFedi #netneutrality