In a vast stretch of the Sonoran Desert, between the towns of San Luis Río Colorado and Sonoyta in northern Mexico, sits a modest building of cement, galvanized sheet metal, and wood—the only stop along 125 miles of inhospitable landscape dominated by thorny ocotillo shrubs and towering saguaro cactuses up to 50 feet high.
By doing so, she relieves the thirst of bighorn sheep, ocelots, pronghorn, coyotes, deer, and even bats that have been deprived of access to their natural water sources.
“The crows come to the house and scream to warn us that there is no more water ... it’s our alarm,” says Ortiz Ramos in her distinct northern Mexico accent.
“This vital source supplies both humans and animals over an area of more than 1 million hectares,” Federico Godínez Leal, an agronomist from the University of Guadalajara, explains to me.
Godínez Leal and his team have been documenting the stark difference between each side: Their poignant photographs show skeletons of wild boar, deer, and bighorn sheep lying on Mexican soil.
In turn, villagers in some spots on the Mexican side of the border have organized to try to alleviate the thirst of many animals that have been left without access to water.
The original article contains 526 words, the summary contains 204 words. Saved 61%. I'm a bot and I'm open source!
Linux people generally use adblockers so I somewhat doubt all these analytics websites that don't have a methodology that wouldn't be blocked by adblockers listed
A lot of students do not perform well under exam conditions due to stress and pressure. Also, unless you're entirely eliminating coursework, it doesn't remove the issue.
It's not my job to educate you on how the education industry works. Go and read what qualified people have already written about it in academic journals.
How much of this is regular people just not buying new computers anymore?
A lot of households that used to have had a laptop for each person have replaced those devices with phones and tablets. They weren't using Linux, so by removing them Linux market share would go up even if it hasn't actually grown.
I think the argument is that as less people have desktops and laptops, the only people left will be more technical (otherwise they'd just use a phone or tablet). The more technical people are also likely to use Linux. So as non-technical people move to tablets and phones, technical people make up a larger share of laptop/desktop users.
Just a reminder to take the data in that site with a grain of salt. I used to share them a lot, but then decided to read more about their methodology, and turns out it's mostly a black box, so they may be subject to several kinds of biases, and we can't even know. For example, we don't know which sites use their analytics and if there's a geographical bias. We also don't know how their scripts work and how the data is collected from devices. It would be nice if we had more sources of marketshare data to compare
Technically, yes. Practically, it's complicated. It doesn't really exist within the same ecosystem as other Linux distros.
It's not as different as Android (which is also technically a Linux distribution), but running a normal DE and all the programs that come with it is very clearly still an advanced user thing locked behind knowledge of how bash and virtual environments work.
Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place
If this is actually possible then isn't that a huge security vulnerability in Android and/or iOS? I feel if this was the case we'd be hearing about it from security researchers rather than a lawyer.
I'd believe it because I remember the same being true for TikTok.
I don't have the links on me right now, but I remember clearly that when tiktok was new, engineers trying to figure out what data it collected found that the app could recognize when it was being observed, and would "rewite" itself to evade detection.
They noted that they'd never seen this outside of sophisticated malware, and doubted that a social media company had the resources to write such a program.
doubted that a social media company had the resources to write such a program.
Em... writing a different manifest and asking the OS to reinstall itself, is not rocket science. Detecting that it's running in a testing environment and not asking for permission to access some types of data, is also quite easy. Downloading a different update or modules depending on which device and environment it gets installed to, is basic functionality.
It's still sneaky behavior and a dark pattern, but come on.
There is some irony to be had, in discussing this stuff on a page that starts by asking me to login, then to be good and disable my ad blocker, only to proceed with keeping half the text of the article as images so you can't copy+paste it... and even all the comments!
Using that as a baseline... the CPU type, memory usage, disk space, etc. are some extra data points freely available to all apps.
A developer can distribute an app with multiple versions, some targeting more modern and capable devices, some older and more limited. It's a feature, not a bug!
*Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)
This is overreaching for an app that has nothing to do with managing other apps. Still, you may want some app with those capabilities... so let's call it "sus".
*Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
Your IP is... well, you're using it to connect, they will see it, duh.
The rest is overreaching and comes into PI violation terrain, but can be used for geo location... the OS does it, that's the data it uses to fine-tune the GPS's location.
*Whether or not you're rooted/jailbroken
Typical feature for banking ad DRM protected apps. Nothing to see here.
*Some variants of the app had GPS ping- ing enabled at the time, roughly once every 30 seconds - this is enabled by de- fault if you ever location-tag a post IIRC
Best answered by a comment [1] (SEE BELOW).
TL;DR: more DRM stuff.
*They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication
This is somewhat sus, but a local proxy by itself, doesn't mean any sort of risk, or that it could be exploited.
For example, Tor can be accessed using a local proxy (although VPN mode is safer).
The scariest part of all of this is that much of the logging they're doing is remotely configurable,
Not exactly. It's how feature flags, and remote testing/debugging works too.
and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.
This is worse (why do they use a custom OLLVM fork?), and obfuscation usually means they have something to hide. It's the opposite of security for the user.
They have several different protections ir. place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you're trying to figure out what they're doing.
Not good, but unfortunately allowed. That behavior is shared by both DRM protected software, and malware.
There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.
False.
There are two legitimate reasons: plugins, and DLCs.
It can be used for shady stuff, but is also a "feature, not a bug".
On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don't forget about users' real names and birthdays, too. It was alllll publicly viewable a few months ago if you MITM'd the application.
Well, that's just stupid, there is zero reason to send data unencrypted.
They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can't see what they're doing.
Ehm... this is the correct behavior. See previous point.
They also made it so you cannot use the app at all if you block com- munication to their analytics host off at the DNS-level.
Sus... but see the introductory part of this comment. Should boredpanda also be banned?
TikTok put a lot of effort into preventing people like me from figuring out how their app works. There’s a ton of obfuscation involved at all levels of the application, from your standard Android variable renaming grossness to them (bytedance) forking and customizing ollvm for their native stuff. They hide functions, prevent debuggers from attaching, and employ quite a few sneaky tricks to make things difficult. Honestly, it’s more complicated and annoying than most games I’ve targeted,”
This is bad, and a reason to use FLOSS apps... but since it's been an accepted behavior for Privative Software, along with DRM... don't blame the player, blame the game.
No, seriously, blame the DMCA and friends. There is no way to at the same time "enforce DRM, keep a copy of all keys at a trusted third party, and keep users secure"... so the current situation is "you get none of those".
[1]
sr71Girthbird 39 points 1 day ago
Not OP but I work at a company providing video infrastructure, and one of our products is an analytics suite. It provides all the data he men- tioned and ton more. Turner, Discovery, New York Times, Hulu, and everyone's favorite company, MindGeek all use our Analytics, among hundreds of other large customers. Specifically where this guy says, "Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds" that's called a heartbeat. The app or video player within the app has to have a heart- beat so that the player can detect if a viewer is still watching video etc. Our analytics + video player services send a regular heartbeat every 8 seconds. It definitely pulls in your exact location.
Uh, as someone who does malware analysis, sandbox detection is not easy, and is certainly not something that a non-malware-developer/analyst knows how to do. This isn't 2005 where sandboxes are listing their names in the registry/ system config files.
I haven't done sandbox detection for some years now, but around 2020, it was already "difficult" as in hard to write from scratch... yet already skid easy as in "copy+paste" from something that does it already. Surely newer sandboxes take more stuff into account, but at the same time more detection examples get published, simply advancing the starting point.
So maybe TikTok has a few people focused on it, possibly with some CI tests for several sandboxes. I don't think it's particularly hard to do 🤷
I hate Temu, but this (apparently contracted?) Grizzly Reports report isn't really all that trust inspiring, tbh.
Our experts identified a stack of software functions that are completely inappropriate to and dangerous
The stack difference to the Amazon app they list:
Package compile
Requesting system logs
Some code obfuscation
Mac address collection
Install permission
Wake lock
Meh. That's just a sliver worse than your regular, off the shelves proprietary corporate app. I don't see how they can pull off the promise of being a truly dynamic Android app from that report.
I do believe they hover up data, but they aren't otherworldly super hackers. They will probably just ask for the data and the users will hand it over in a second. For most people, it really is that simple.
arstechnica.com
Newest