That… depends.

Lemmy is just a carrier software, its license has nothing to do with comments.
Instances however, each have their own TOS and can enforce license controls.

Ideally, all comments should have a “license” field, so stuff like instances with ads on them, or subscription-only instances, or CC0/CC-AS only instances, could inform other instances of their rights, and avoid comments that don’t meet their policies.

I haven’t done sandbox detection for some years now, but around 2020, it was already “difficult” as in hard to write from scratch… yet already skid easy as in “copy+paste” from something that does it already. Surely newer sandboxes take more stuff into account, but at the same time more detection examples get published, simply advancing the starting point.

So maybe TikTok has a few people focused on it, possibly with some CI tests for several sandboxes. I don’t think it’s particularly hard to do 🤷

There is some irony to be had, in discussing this stuff on a page that starts by asking me to login, then to be good and disable my ad blocker, only to proceed with keeping half the text of the article as images so you can’t copy+paste it… and even all the comments!

Anyhow…

https://www.boredpanda.com/tik-tok-reverse-engineered-data-information-collecting/?utm_source=twitter&utm_medium=social&utm_campaign=organic

Thanks for telling us where you got the link from, I didn’t care really.

Static backup (possibly): https://archive.is/UD2SA

*Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

Check out: https://amiunique.org/fingerprint

No app needed!

Using that as a baseline… the CPU type, memory usage, disk space, etc. are some extra data points freely available to all apps.

A developer can distribute an app with multiple versions, some targeting more modern and capable devices, some older and more limited.

It’s a feature, not a bug.

*Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload - maybe using as cached value?)

This is overreaching for an app that has nothing to do with managing other apps. Still, you may want some app with those capabilities… so let’s call it “sus”.

*Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

Your IP is… well, you’re using it to connect, they will see it, duh.

The rest is overreaching and comes into PI violation terrain, but can be used for geo location… the OS does it, that’s the data it uses to fine-tune the GPS’s location.

*Whether or not you’re rooted/jailbroken

Typical feature for banking ad DRM protected apps. Nothing to see here.

*Some variants of the app had GPS ping- ing enabled at the time, roughly once every 30 seconds - this is enabled by de- fault if you ever location-tag a post IIRC

Best answered by a comment [1] (SEE BELOW).

TL;DR: more DRM stuff.

*They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

This is somewhat sus, but a local proxy by itself, doesn’t mean any sort of risk, or that it could be exploited.

For example, Tor can be accessed using a local proxy (although VPN mode is safer).

The scariest part of all of this is that much of the logging they’re doing is remotely configurable,

Not exactly. It’s how feature flags, and remote testing/debugging works too.

and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

This is worse (why do the use a custom OLLVM fork?), and obfuscation usually means they have something to hide. It’s the opposite of security for the user.

They have several different protections ir. place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing.

Not good, but unfortunately allowed. That behavior is shared by both DRM protected software, and malware.

There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

False. There are two legitimate reasons: plugins, and DLCs.

It can be used for shady stuff, but is also a “feature, not a bug”.

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was alllll publicly viewable a few months ago if you MITM’d the application.

Well, that’s just stupid, there is zero reason to send data unencrypted.

They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing.

Ehm… this is the correct behavior. See previous point.

They also made it so you cannot use the app at all if you block com- munication to their analytics host off at the DNS-level.

Sus… but see the introductory part of this comment. Should boredpanda also be banned?

TikTok put a lot of effort into preventing people like me from figuring out how their app works. There’s a ton of obfuscation involved at all levels of the application, from your standard Android variable renaming grossness to them (bytedance) forking and customizing ollvm for their native stuff. They hide functions, prevent debuggers from attaching, and employ quite a few sneaky tricks to make things difficult. Honestly, it’s more complicated and annoying than most games I’ve targeted,”

This is bad, and a reason to use FLOSS apps… but since it’s been an accepted behavior for Privative Software, along with DRM… don’t blame the player, blame the game.

No, seriously, blame the DMCA and friends. There is no way to at the same time “enforce DRM, keep the keys at a trusted party, and keep users secure”… so the current situation is “you get none of those”.

[1]

sr71Girthbird 39 points 1 day ago

Not OP but I work at a company providing video infrastructure, and one of our products is an analytics suite. It provides all the data he men- tioned and ton more. Turner, Discovery, New York Times, Hulu, and everyone’s favorite company, MindGeek all use our Analytics, among hundreds of other large customers. Specifically where this guy says, “Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds” that’s called a heartbeat. The app or video player within the app has to have a heart- beat so that the player can detect if a viewer is still watching video etc. Our analytics + video player services send a regular heartbeat every 8 seconds. It definitely pulls in your exact location.

an article about Xi Ping’s government warning about USAian surveillance

Not possible. The CCP doest “warn”, it orders to block the app/site/word/photo, and it never existed. Anyone daring to say that it did, or to warn of stuff the CCP didn’t say, gets imprisoned or worse (see: the doctor who dared to warn abot COVID, instead of following CCP’s truth).

On modern Android, apps need to ask for each permission when they’re about to use it for the first time. Not sure about Apple.

Google Play will also periodically revoque permissions to apps that haven’t used them for some time.

Did you mean, “Yankee”?

https://www.merriam-webster.com/dictionary/American

https://www.merriam-webster.com/dictionary/Yankee

This comment © 2024 by jarfil is licensed under CC BY 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/

No they don’t. It’s not only not applied to their comment, but also misnamed.

doubted that a social media company had the resources to write such a program.

Em… writing a different manifest and asking the OS to reinstall itself, is not rocket science. Detecting that it’s running in a testing environment and not asking for permission to access some types of data, is also quite easy. Downloading a different update or modules depending on which device and environment it gets installed to, is basic functionality.

It’s still sneaky behavior and a dark pattern, but come on.

Ah… I didn’t catch on that. Nvm then.

Keep in mind that “having a plan”, doesn’t say when that plan is to be executed.

If you asked me, every object launched into orbit, should have a safe de-orbit plan beforehand. Chances are, as more private entities get onboard launching space stations, there might be regulations put in place to require a de-orbit plan for the launch to get approved.

Getting a de-orbit plan for the ISS now, might be just a preemptive plan for when those regulations get enacted.

There is no Lagrange point “North”.

L1 is sunwards, L2 is counter-sunwards, L3 is on the other side of the Sun, L4 is Eastwards, and L5 is Westwards.

Going from LEO to L1/L2, requires a ∆v of 7.5km/s, which is comparable to the 9.4km/s ∆v required to go from Earth surface to LEO.

Meanwhile, the ISS keeps getting slowed down by Earth’s atmosphere, and it only takes a ∆v of 1km/s or less, to plunge it into denser atmosphere for reentry.

The US, has a history of slavery.

China has a history of suicide prevention nets, docking pay for not finishing your lunch, millions of undocumented illegal migrant workers, houses full of camgirls “because they’re young and need to be controlled”, closed apartment complexes with thousands of catfishing “remote workers”, and so on. AKA: outsourced slavery.

But you’re right, it’s the capitalist way.

a Taliban spokesman also denied there had been any arrests for “bad hijab” and said: “The issue of rape is not at all possible because there is not just one or two people [in the room with a prisoner] and when there are three people, such a crime would not happen …[this is] a very sensitive issue for the Taliban. I am sure such a thing did not happen.”

Translation: gangbang is not possible. 🙄

Would be quite a plot twist if it resulted that the whole “seizures cure” spiel from electroshock therapy, resulted in it being “electrical waves help the brain to clean itself”, and have nothing to do with brain-destroying seizures.

How so?

Anyway, it’s not our call what people in 100+ years will think the exchange rate of Bitcoin should be.

As Bitcoin has grown, transactions have become slow

Except for Bitcoin Lightning Network:

https://en.m.wikipedia.org/wiki/Lightning_Network

Bitcoin is always being diluted

It’s also constantly getting un-diluted by people losing their keys.

Current estimates put the “lost coins” at around 25% of the total. That is twice as many as there are left to mine.

it is possible that transaction fees will need to be raised to compensate miners.

That’s been the plan from the beginning.

Mining halving has been defined with a rough estimate of adoption, volume, and technological advances. It’s why Lightning Network was developed, and why Ethereum has switched to a Proof-of-ownership mining scheme.

The estimate is rough and quite inflexible, which has lead to cyclic fluctuations around the period of halvings… but from a long term perspective, it has been working reasonably well for the first 10% of Bitcoin’s starting period.

This is a fancy way to say that it is slower unless you pay higher fees.

My bank takes:

• 24-48 hours for 0€, only in the EU, up to 15k€
• 5 minutes for 0.50% (min 1.25€), only in the EU, up to 900€
• 48-120 hours for 0.70% (min 35€), international, up to 20k€

So my bank is also “slower unless you pay higher fees”… or “slower even with higher fees”… and on top of that, it has an amount cap.

Meanwhile, on Bitcoin Lightning (https://1ml.com/statistics):

• Median Base Fee: $0.000617

fork the network and update it if they had 50%+1

No. There are 3 components to Bitcoin: Miners, P2P nodes. and coin owners.

• Getting 1 miner and 1 P2P node, allows forking… and getting kicked off the network.
• Getting >50% of mining power, allows a chance at double-spending some own coins.
• Getting 100% of miners AND/OR 100% of P2P nodes, allows taking over the network.
• Getting an owner’s key, allows full access to the coins tied to that key.

Neither of those are impossible, some are just easier and have a higher ROI than others.

The tax and identity layers have to be added on top. They are not built-in.

Same as with cash.

Yes, this is one of the selling points of Bitcoin vs. Banks, in an age where cash is getting phased out.

The opposite, is also a selling point of “OpenSource Money with Taxes built-in” vs. Bitcoin.

Pick whichever side you prefer.

Why not call it by its full name: Decentralized Peer-to-peer Open-source Cryptographically-secured Self-custodial Money

“Everyone” doesn’t have a clue about “crypto” other than “there are scams”.

If it did it from a bit lower altitude, it wouldn’t be that bad… at least for some AA batteries. And look, the package even landed with the ⬆️⬆️ arrows the right side up! (/jk)

Depends on what interests are linked to the sides.

In the case of Taiwan, the PRC is the main worldwide producer of cheap goods, so nobody wants to antagonize them, but at the same time many countries have interests in outsourcing and importing from Taiwan, so they end up in a “low-key recognize” situation.

In other cases… some countries have a direct strategic interest in one side, some have economic relations with one side but not the other, and others just don’t care.