Sooo this. I have a YouTube account with history and tracking turned off since the day I signed up. All of the promoted content is divisive hysteria, mostly alt-right fascist rage-bait.

Yeah, reading the followup to that post, I think they just created a new intermediate with the same key as the old one & pushed this to chromecasts. I didn’t know this was a thing you could do. Learn something new every day 😁.

I’ve seen enterprise network equipment with this same issue, but the manufacturer instead forced owners to manually renew device certificates. Their device authentication is now broken because the certificate private keys were poorly protected in transit.

I’m wondering now why they didn’t just use this key rewrap trick

If the problem is an expired device certificate then this was a very quick turnaround.

All shipped chromecast receiver devices have the device cert private key safely locked behind a TPM. Sending new certificates across the network without carefully planning things gives us a chance to intercept them & use them in our own receiver software which could e.g. download streams from Netflix/ Disney etc.

Paragraphs 3 & 4 describe the (free) Leaked Credentials Detection service they’re leveraging for this research.

Could this be a bug caused by the fact that I have two screens (Moto Razr+)?

Doubt it. This happens a lot for me too on a boring single-screen S23.

I assumed it was crappy devs not testing on FF anymore & have lived with it (since it’s a pain to debug css/js problems on mobile).

Next time I see it happening I’ll reproduce on desktop FF with responsive emulation & report the bug.

And yet, just across the ditch …

$35k in NZ for the base electric model: https://www.fiat.co.nz/en/offers/500e.html

And Facebook & Instagram were plastered with ads for the 500e last time I visited.

(Tweaked) Verdana FTW.

I liked proportional fonts for reading code - several of my favorite programming books used proportional fonts for code examples - so when Verdana was released in 1996 I switched to using it in my IDEs. I’ve had 27 years of pleasantly ergonomic coding - it has a high x-height, different 0/O, I/l/1, and impeccable hinting and kerning. ❤️❤️❤️

So uncomfortably true!

I recall spending a (large) number of weeks struggling through Elementary Stochastic Calculus, which had an incredibly misleading sticker on the cover proclaiming:-

“This book is suitable for the reader without a deep mathematical background.”

The first report I looked at was Entrust refusing to revoke certs because their clients’ manual processes would make applying reissued certificates inconvenient.

Quite fun reading, surprisingly - a mid thread revelation that they’d pulled the exact same shit 4 years ago, an attempt by Entrust to kill the issue because unattributed legal advice said they’d misreported the error. And then, just when their chutzpah seemed to be wearing everyone down, a good ‘fuck you’ from Apple forced them to revoke the certs after all.

I’m not surprised Google had enough & yanked their license to print money.

This. Exactly the same response where I worked.

I’m not sure how much money they’ll actually get from this.

The (50,000 employee) company I worked for had very slow IT processes at the time, but when the licensing changed they treated it like a critical security vulnerability because of the amount of money involved: they very quickly migrated their software packages to include non-Oracle OpenJDK builds & rolled out an update to uninstall Oracle java from all PCs. And all server owners were given a deadline to migrate or start paying recovery costs.

I imagined it’d be smaller organisations which would’ve sat on this issue.

I think life insurance is already pretty grabby with data, behind the scenes. We had a ton of data on some high value life policies we’d bought - down to records of all doctors visits. And even for lower value policies they can currently just ask you the important actuarial questions (e.g. are you a poor obese guy who smokes, rides a motorcycle & lives alone) and then deny the payout if you lied.

Given how disgustingly evil the US health insurance system is, my hope is that NZ resists the temptation to go there. I don’t have health insurance since moving back to NZ and it’s been fine. All the things I was told by the doctor “go private or the wait will be too long” turned out to have reasonable waits after all.

This is the real problem. And this ship has already sailed - google and data brokers are already creepily tracking your every online and offline move and tying them together.

Your financial providers are covered by a much, much more restrictive set of regulations preventing them from screwing you over like that.

Open Banking seems generally aimed at attacking the nasty behaviour banks have been getting away with, where they gatekeep your financial data in order to prevent you from getting any useful utility out of it unless you pay them extortionate fees.

Europe has GDPR, so you’re not legally allowed to collect data unless it’s necessary for the actual service you’re providing your customer, and you’re not allowed to use data for anything else once you’ve collected it for the purpose you stated.

Having said that, your customer will always have to prove who they are, how they acquired funds, and where funds are going. This is to prevent bribery & corruption, money laundering, terrorist financing, tax evasion etc.

I was working as a software developer for an EU investment bank when the EU implemented GDPR, and the amount of paperwork required to collect and hold personal data meant we destroyed a ton of data & documentation and rewrote a lot of software. And every spreadsheet containing personal data or which was used more than once had to be recorded in an EUC register with signed commitments about GDPR compliance. Even if data wasn’t strictly forbidden by GDPR we’d be very wary asking for any information which could theoretically be misused to discriminate against protected classes.

The NZ Privacy Act 2020 looks broadly similar in intent to the GDPR, so I imagine there’d be the same disinclination to collect information which can’t be proven necessary to perform the requested service or satisfy regulatory requirements.

I have several NZ insurance policies and they had no interest in transaction history. Same with my mortgage. I sent bank statements, but only as proof of address.

Only my credit card application wanted to drill into my spending, which is not unexpected considering it’s unsecured lending. For sure I’d rather approve the API access than try to find where I can download (& probably pay extortionate fees) for copies of historic statements

And working in finance (in UK & Europe), they generally collect and keep as little data as is necessary anyhow - personal data is a pain to safely manage these days, and I’m always keen to be responsible for as little of it as possible.

They’ll already insist on whatever information they feel is useful. This just saves them from scanning in your statements.

It sounds similar to the UK’s open banking system. https://www.rnz.co.nz/news/business/517885/open-banking-how-to-opt-in-and-out-of-the-new-payment-system

I use UK open banking often. I’m always asked to approve the specific access requested, and this takes place at my bank’s website or app. This could be permission to take an amount of money; or for apps which manage multiple accounts (e.g. Emma) this could be all historical transactions; or my accountant uses an open banking service provider (Armalytix) to request transactions for an explicit date range. So far, touch wood, there’s always been an alternative - for example I can use open banking to send my transactions to my accountant or I can manually download a CSV statement from my bank and upload it into their portal.

Or, from the 99PI podcast a month ago…

https://99percentinvisible.org/episode/towers-of-silence/

Same thing happened to me in January (Fendalton). Broke the quarter window, bent the panel, and made a mess tearing the ignition out.

Seems to be a pretty safe crime: police didn’t bother coming out to look & just gave me a reference number for my insurance.

You’ll lose your no-claims bonus.

Linux font rendering is generally very good now, so I think they’ve gotten past that. Apart from a System76 desktop, which was terrible, I haven’t hated the rendering for many years. It’s just that Microsoft’s font rendering (maximizing clarity at the expense of destroying the font metrics) is exactly what I want to look at all day if I’m staring at code. When I look at screenshots of vscode on Linux and Mac the code looks beautiful, because the font renderer hasn’t beaten the characters with a big stick to make them fit the pixel grid, but when I switch back to windows after using Linux/Mac then it feels like someone fixed the focus and de-blurred everything.

And now that I can have as many Linux installs as I like running concurrently via WSL2, I get to use Linux all day without losing the stuff I like about Windows.