HackerTrans
TopNewTrendsCommentsPastAskShowJobs

chjj

1,492 karmajoined 15 yıl önce
Christopher Jeffrey (JJ)

github: https://github.com/chjj

x: https://x.com/_chjj

keybase: https://keybase.io/chjj

[ my public key: https://keybase.io/chjj; my proof: https://keybase.io/chjj/sigs/WX2-zE10N2fWbWUNf_8PDXWgifPpJWb0PEIs_5oQnbk ]

comments

chjj
·12 dakika önce·discuss
It doesn't. This case applies more to MVB.
chjj
·54 dakika önce·discuss
> Why give up information when you don't have to?

Yeah, I generally agree with that viewpoint, but you are giving up that information, even without JS.

Your TCP stack can be fingerprinted through long enough observation. Windows, Mac, and Linux all look different on a network level. It's not as simple `if XYZ then OS = Windows`, it's more holistic/probabilistic, but it's possible nonetheless.

e.g. One thing that bugs me about arch linux is that they recently changed the kernel default TCP keepalive time to be shorter (much shorter[1]), making arch users stand out a lot. So, not only can a fingerprinter identify your OS, they might be able to pin down your exact distro based on TCP behavior alone.

I guess my point is that hiding the OS would be a massive amount of effort to plug a hole that cannot be plugged without effectively controlling the entire OS. TB/MVB is limited in what it can do by itself.

[1] https://rfc.archlinux.page/0051-tcp-keepalive/
chjj
·1 saat önce·discuss
I think they made the right call on that. It's unclear to me whether hiding the OS is even possible. There's just too much OS-specific behavior that happens inside (and outside) a web browser. It's hard to account for all of it.

OS rendering differences can likely betray you even when canvas extraction is blocked/noised. At least one tor-browser dev has publicly confirmed that you can't even hide the difference between X11 and Wayland[1], nevermind two entirely different OSes.

[1] https://forum.torproject.org/t/linux-is-it-alright-to-run-th...
chjj
·2 saat önce·discuss
The analogy falls apart when "your store" is actually a handful of multi-billion dollar corporations that surveil a significant portion of the internet and covertly grant government agencies (and god knows who else) access to the data.

It's passive surveillance on the order of billions of people. It's not a mom-and-pop shop.
chjj
·2 saat önce·discuss
I'm not even sure I'd want to make it narrow. I'd start with:

"Information gained via side-channel for the purpose of correlating individuals."

But you'd have to add an enormous amount of legalese after that to make it ironclad. They'll start arguing "this isn't a side-channel", "we're targeting bots, not individuals", etc. You'd have to define every word in that sentence very carefully.

I'd make it sweeping. "Individual" can mean "person", "bot", "suspected bot", "AI agent", "a piece of autonomous or non-autonomous software", basically anything. The "side-channel" definition might get trickier, but I'd rather legit use-cases get burned than privacy get burned.

The OP was downvoted, but I agree. I think fingerprinting should be in the same criminal category as an illegal wiretap.
chjj
·3 saat önce·discuss
it's elegant, but i prefer:

    Math.tanh = Math.random;
chjj
·3 ay önce·discuss
They didn't call it a day. They created an entire deceptive hype cycle around it.
chjj
·4 ay önce·discuss
Yeah, it never works though, as you can see from this example.
chjj
·4 ay önce·discuss
You should use AI.
chjj
·4 ay önce·discuss
If this is your opinion, I ask you: are you okay with AI reviewing the PRs as well, or do you prefer a human to do it?

Think carefully before responding.
chjj
·4 ay önce·discuss
That means all AI code would simply be rejected. This saves time.
chjj
·7 ay önce·discuss
Very cool project. Is it always an LD_PRELOAD or can it function as a standalone SOCKS proxy similar to wireproxy?
chjj
·7 ay önce·discuss
Fair enough. I haven't looked at the internals of ghostty, so I'll take your word for it.

I'm probably also just taking things personally.
chjj
·7 ay önce·discuss
I don't mean to derail discussion about a cool project, but it still seems to imply xterm.js is somehow "improper" emulation (though I might be misreading it).

Terminal emulators are all approximations of terminals, regardless of the programming language.