
> In the grand scheme of things, nothing matters and we’re all going to die. It’s been a while since I read the GDPR, but I don’t remember a section titled “personal data which is OK to leak because it doesn’t matter in the grand scheme of things

Best comment on HN. Ever.

Both clever and informative on so many levels. It seems half of the HN crowd works in the ad industry and never ceases coming up with ridiculous excuses for why it's OK to abuse other people's PII. I was surprised to see there wasn't the usual gnawing of teeth about the GDPR this time, which tends to follow whenever that fine regulation is mentioned.


My list is a bit smaller, but has some overlap. For all platforms (Linux, Windows, MacOS):

  1. Sublime Text & VIM (for all things text)
  2. Firefox with Tampermonkey & uBlock Origin (browsing 101)

For Windows additionally and in general:

  3. Everything (I use it as my launcher and finder of everything on my computer)
  4. Irfanview (must-have for everything image-related)
  5. Classic Shell/Explorer (to get a usable WinXP-like desktop)
  6. Gamma Panel (adjust brightness via keyboard shortcut presets)
  7. O&O ShutUp (for the same reason as you)
  8. Autoruns (to disable all useless services & scheduled crap-ware in Windows)
  9. MSys (for Linuxy everyday tools, can't work without 'em)
  10. Conda (with opencv, torch ... for automation and graphics munging)
  11. Winamp (for all things music consumption)
  12. VirtualDub ("Irfanview" for video)
  13. Media Player Classic Home Cinema + ffdshow & LAV filters/splitter (better VLC)
  14. Avisynth (all things video processing)

For Linux:

  3. Irfanview (must-have for everything image-related)
  4. Conda (for heavier automation than bash)
  5. Wine + (Irfanview, VirtualDub, Avisynth)

For Mac:

  3. iTerm (for a usable terminal)
  4. Homebrew (to get Linux tools so I can work)
  5. iStat Menus (to know what the heck my laptop is doing)
  6. Conda (for automation)

Mac's built-in brightness buttons serve sufficiently well as an alternative to Gamma Panel.

(Haven't found a Wine variant for MacOS, so I have to make do with the shtty Preview instead of Irfanview. For video stuff I'm forced to use Linux or Windows via remote desktop.)

I wish there was cross-platform install bundle that contained:

  * Irfanview, Everything, Avisynth, Virtualdub, MPCHC with LAV filters
... wrapped up in whatever emulation layer suitable for the platform (cross-over/wine or whatever)

If someone aims to create such, that'd be awesome :)


This is exactly what I'm looking for. Would you mind sharing what specific 40G card(s) you're using?


I'm using Mellanox ConnectX-3 cards, IIRC they're HP branded. They shipped in Infiniband mode and required a small amount of command line fiddling to put them in ethernet mode but it was pretty close to trivial.

They're PCIe 3.0 x8 cards so they can't max out both ports, but realistically no one who's considering cheap high speed NICs cares about maxing out more than one port.


I disable automatic updates for all extensions, as well as personally reviewing the source of every extension before installation.

The review doesn't take much time. What I look for:

  1. The manifest for what network endpoints the extension is allowed to call.
  2. Any URL in the code that is external to the extension.
  3. Any remote network function (fetch/XHR/links) and traceback to the call sites.
  4. Whether there is any obfuscated code or not.
If anything found in those spots seems fishy / unclear, I don't install the extension.

Takes a few minutes, but catches most of the threat vectors. Skimming the code also gives me a sense of what sort of developer is behind the extension. Some code clearly shows a developer cares about privacy and / or security, which unconsciously adds karma for that dev in my book.

Like others above, I don't use many extensions, but those I use I have to trust.


If it rains, it gets wet outside. But if it's wet outside, that does not mean it has rained. This is an example of a recurring case where snake-oil and dishonest companies use this seemingly obvious logic puzzle, because people in general are bad at logic.

To answer your question directly: TLS encryption from your phone to Apple's servers means they terminate encryption at the other end when they receive your data. This means "they decrypt the information that was in transit". Then they explicitly apply another encryption to the received and decrypted data before storing it on disk. Since these are two separate steps, you have no protection whatsoever, since Apple will have a registry of all decryption keys for the disk backups that they'll happily use for whatever reason when they want to get hold of your data.

The only thing their disk encryption protects against is if someone were to walk away with the physical disks. It protects squat against the threats customers actually care about (unauthorized access to the data by someone other than the customer owning that data).

And seeing as they run on AWS, physical security means that the only way metal leaves the data center is if it's in millimeter-sized shredded metal grain. So the threat model of concern here is exactly what Apple has decided not to provide customers any protection against.


Read the document: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

That's the cheapest. It's not really that hard to understand. I'm not a lawyer; I read it and had a GDPR consulting firm review the tweaks we made to our systems. They were happy with it.

But if you're working for a larger company, then consult with their legal department or have the company hire a GDPR consulting firm. They should be able to afford it without a problem, and will likely be happy to support such an action if the non-compliance risk is deemed large enough. A business decision, not a technical one.


There's not a standard copy-paste-ready set of phrases because it would be impossible for the law makers to craft such.

They couldn't possibly know what site A or B respectively does with a user's data. That differs from site to site.

It is therefore of course the obligation of each site that directly or indirectly works with user PII to explain to its users how that specific site is using the data.


I take it you have not read the regulation.

If you had you would know that the regulation isn't there to nail companies from other regions. Anyone doing business with Europeans is subject to the same rules of the game, and that naturally also includes European businesses.


"It's also quite ironic that the EU now cares about privacy considering that a decade ago they passed the Data Retention Directive. I guess privacy didn't matter then, huh?"

This is a very astute observation, and is causing some angst among parts of the European population.

However, this seemingly conflicting behavior has a cultural rationale behind it.

In general, Europeans see government as trying to look out for their best interest, while they view corporate power with large skepticism. "Americans" hold the complete opposite view.

So when the governments in the EU tout sheepish clichés like "think about the children, catch terrorists, pedophiles" etc, by being able to retain data for those purposes, the public falls flat and lets Orwellian laws pass without much fuss. Because ... "the government is our ally, and we trust it, the claims, and that the data will be managed responsibly".

However, when corporations do the same, there's more fuss.

The one European people that is of sane mind here is that of Germany, due to their history. Unfortunately Germans are also deceived by their government through back-room deals on the EU level, and with the national security excuse, when it can be kept out of the public eye; the effect is the same as in the other EU nations. The good thing however is that the German people are not as gullible as other parts of Europe when it comes to surveillance and tracking, and they do tend to kick up a big fuss when this sh*t goes down. So they act as a sort of moral calibration for the other nations, such as mine.

Understanding these fundamentally different mindsets between US and European citizens will hopefully help explain quite a lot, for those who didn't already know this. This is why "American" views are insane to some Europeans, and why the EU is naive/retarded in the eyes of the US. (Very generalized.)


Wrong on both accounts.

1. You ARE allowed to use any cookies you like without popup warnings, as long as the cookie can't be used to bind the session to personally identifiable information (PII) about the user. Session cookies are perfectly fine when used to manage webapp state, such as what page a user is on, what feature has been enabled and so on. Likewise other identification methods are fine for this sort of purpose.

2. Any technical means used to make a connection to a user's PII does fall under GDPR.

Seeing the underlying intent? GDPR is about avoiding invisible tracking (connection to a European citizen). The regulation is written to bring that sort of behavior to an end. Your fingerprinting example, as well as any other "clever" technical ways of achieving the identification objective, when the purpose is that of invisible tracking (tracking where the user isn't in control of the profile information generated), is explicitly what the regulation aims to nail.

Do read the regulation document. It's actually a very well written document that even a non lawyer can understand: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

GDPR is about users gaining control of the lifecycle of information pertaining to their identity, so if you or your proxies (googl/fb or other ad companies for example) have PII about a user, then the GDPR stipulates processing constraints on that information, which includes any information that can be associated with the user. E.g. building a profile about a user that can be tied to a user's PII becomes part of the user's PII, and thus subject to the intended end-user lifecycle control. What that control means is stated clearly in the document linked above.

When the web plays its normal Chinese-whispers game on any kind of fact, it's always best to go directly to the source to see what was actually said or written. In this particular case with GDPR, this is definitely the case. Not a single one of my US colleagues or friends had even an inkling of what GDPR actually is about, and it seems most of this community is in the same boat.

I guarantee that reading the actual doc will dispel a lot of unfounded fears.

If you happen to have even the slightest layman interest in law, or appreciate games / brain teasers, then you might actually be a bit impressed by the cleverness of the wording in parts of the document, and how it all comes together. Myself, having been in the dev field for 20 years, I've read my fair share of EULAs, licenses and contracts, and to me some true genius shone through halfway through the document, like watching a good chess player set up a board and guard against obvious attacks by the opponent. I felt I could almost see into the minds of the authors: what they sought to accomplish, loopholes they tried to close, and an attempt at creating a defensive shield that would be as "future proof" as they could make it against new unknowns introduced by rapid technical innovation.

