Christian Stadelmann

@genodeftest@digitalcourage.social
148 Followers
527 Following
226 Posts

Advocate of climate and species protection, data protection, democracy and Free Software | inquisitive

Active in #ÖDP

Profile picture source: https://climatejustice.social/@stefanmuelller/113890214500384569
Languages: German, English
Warum Gendern? (Why use gender-inclusive language?): https://zeitzeichen.net/node/10874?utm_source=browser
Born at: 355 ppm

'Meredith,' some guys ask, 'why won't you shove AI into Signal?'

Because we love privacy, and we love you, and this shit is predictable and unacceptable. Use Signal ❤️

This silence within the CDU on the Spahn affair also says a lot about the inner life of this parliamentary group. Apparently nobody there has the decency to demand what would be appropriate after such a total failure: the resignation of the parliamentary group leader and, yes, giving up his seat as well. 1/5

Verzweiflungsmedien (media of desperation)
How precarious Jens Spahn's situation must have become by now can also be seen from the fact that Springer newsrooms have started attacking Habeck again. …

Use the link to read on.
https://cartoons.guido-kuehn.de/verzweiflungsmedien/
#csu #habeck #korruption #masken #spahn #union

The brutal, daily bombing and murder of innocent civilians, in #Palestine and #Ukraine are signs of a collapsing rules-based world order.

It is not collapsing because of #Russia or #Israel, but because the west, who was supposed to uphold it, chose not to for the simple reason that it was inconvenient.

Today Ukrainians and Palestinians are suffering the consequences. Tomorrow it will be Europeans and Americans.

If you don't stop evil in its infancy you might not be able to when it grows.

Looks like today's theme is
I love that cats that aren’t domesticated don’t meow when they grow up, but domesticated cats do because they learned humans don’t understand their natural communication, so they keep meowing beyond the kitten stage just for us. So basically cats made up a language just to talk to us. And that language is essentially baby talk.
Whether Scheuer, Spahn or Dobrindt, right-wing actors like to leave a pile of broken pieces behind. Often they also get away with it unscathed.
https://taz.de/!6091530
Konservative Politik: Arbeit für die Aufräumer (Conservative politics: work for the clean-up crew)

"We have to close all the borders!"
"Yes, exactly, let's wall ourselves in, practise inbreeding, and after a few generations sit drooling in the trees again. Whatever, the world keeps turning regardless."

*Some people just aren't quite right in the head, or have leaked out entirely.

@billyjoebowers An old joke:

Trump aide tells him excitedly about a dream she had of a big celebration for him. Huge crowds of people, all shouting and laughing, waving flags as Trump passed by. Trump asked the aide "How did my hair look, was it ok?" The aide responded "I couldn't see, it was a closed casket."

@Mela my wife just said that if Klöckner cares so much about neutrality, she shouldn't have been allowed to attend the Kirchentag (church congress) either.
I think there's something to that...

🇩🇪 I can't recommend the EU-funded DNS service #DNS4EU, because accesses are logged, and in the case of "harmful content" even together with the IP address. https://www.techradar.com/vpn/vpn-privacy-security/the-eu-challenges-google-and-cloudflare-with-its-very-own-dns-resolver-that-can-filter-dangerous-traffic

There are good non-governmental alternatives: https://www.privacy-handbuch.de/handbuch_93d.htm

Update: It appears that in the case above the IP address is stored for 24 hours so that the warning about the content is not shown again and again.

🇬🇧I can't recommend the EU-funded DNS service #DNS4EU because access is logged. When you override warnings to access "harmful websites" they even log your IP address. https://www.techradar.com/vpn/vpn-privacy-security/the-eu-challenges-google-and-cloudflare-with-its-very-own-dns-resolver-that-can-filter-dangerous-traffic

There are government-free services that do not log: https://www.privacyguides.org/en/dns

Update: I understand now the IP address is kept for 24 hours to prevent the confirmation prompt from showing again.

@echo_pbreyer I'm much more concerned by DNS4EU keeping logs of all DNS requests for up to 6 months, with an identifier for every /24 subnet which changes only every 24 hours. And this in hands of a private company.

Nice trove of data which you can correlate easily and surely the domain names will give lots of information about who is behind the identifier.

The question of the Quad9 CTO at the end is spot on: https://www.youtube.com/watch?v=rXpyUkBOw3A

YouTube: DNS4EU for Public anonymization
@frehi @echo_pbreyer what's the basis for processing personal data?
How are people informed about the processing?

@ColmDonoghue @echo_pbreyer

From what I understand, saving the IP address when a user is dismissing the warning and wants to visit the site anyway, is a technical requirement to temporarily whitelist the domain for your IP. (Well, these 24 hours are arbitrarily chosen and this could definitely be shorter).

The other data with the anonymized ID which is saved for up to 6 months, strictly speaking is not PII, although in practice it can contain many hints to who is behind them.

European regulation does not discuss PII so there is no "strictly speaking" about it. What we have is a very, very wide definition of personal data which, among other things, includes anything which, when combined with data *collected by any other party* could be used to identify a person.
@frehi @ColmDonoghue @echo_pbreyer
@echo_pbreyer
There is a valid technical explanation right there in the capture.
@hakona @echo_pbreyer The explanation shows a very serious flaw in their filtered resolvers:
Nearly all home installations use NAT and some carriers use CGNAT. As a result, multiple persons use the same IPv4 address, in case of CGNAT even multiple homes. Because of that only the first person using that address will receive the warning and all others will directly proceed to the website.
@bike_bs I've got dns-blacklisting set up on my router, but finding lists/curators to decide what to blacklist seems a full time job, so I disabled it. Should I consider pi-hole? How is maintaining those lists on pi-hole? I've got to trust *somebody* . @echo_pbreyer
@bike_bs Anyway, the eu offering for unfiltered should be good for anonymising. Or? @echo_pbreyer

@hakona @echo_pbreyer
Can you point out exactly what you mean by "valid"?

At this point I am very curious

@kramse
If a user wants an exception for a domain, the system will keep the exception in place for a reasonable time, during which time it will *have* to remember which clients want that exception.
@echo_pbreyer
@echo_pbreyer I find it worrying that "government-free" seems to be a feature in your statement. At least in theory services that are democratically governed should be framed as a goal not something to be avoided, no?
@malteengeler @echo_pbreyer In my opinion a problematic thing is that DNS4EU is actually not really government managed but is managed by a private company (Whalebone). This company has access to the logs containing all DNS queries, and uses this information for security research improving their commercial offerings. Quad9 and DNS0 are at least managed by independent foundations and only share much more limited data with their security providers.
@malteengeler @echo_pbreyer "government-free" = "does not contain traces of state surveillance". I hope you both can agree on that.
@bendrath @echo_pbreyer It depends very much on what you call surveillance. The EFF thinks that looking at a Blockchain to collect taxes from crypto gambling is "state surveillance"
@malteengeler @echo_pbreyer I don't see the link between a DNS service logging private user behaviour (bad) and the EFF or tax authorities looking at public blockchains (I could not care less).

@malteengeler I guess what Patrick wanted to say is:

If you use a privately operated service, some will log you, to profit from you.

If you use a state-operated service, some will log you, to persecute you (if you pirate stuff protected by copyright).

This service logs you, and is apparently operated by the state. So he recommends services that don't log you (and happen to not be operated by the state).

@malteengeler @echo_pbreyer since we all know the track record of the current president of the European Commission, I'm unwilling to touch any DNS service operated by the EU with a 10 mile pole.

I haven't forgotten the dumb stop sign campaign, I'm aware of the EU's hate for encryption, so off is the general direction in which I wish them to fuck.

@echo_pbreyer Dude what? I expected a decent service from that.
@echo_pbreyer “Logging”? As I read it, getting a warning is a service that you opt in to. And if you do, the DNS records when you choose to access a site anyway and keeps that record for 24 hours. Perfectly normal, desirable even, because if it didn’t, you’d get the warning every time a hostname resolves to that IP address. That would be annoying.

@echo_pbreyer how would you implement a service which doesn't temporarily log an IP address in that case?

If I access badsite.example, and click through the warning, my browser will need to load multiple files from the domain. I can't click through a warning to download badsite.example/style.css

So it needs to know not to block me. How else would you do that other than by IP address?

@Edent It is a rare case that a DNS server provides individual unblocking. Since this service requires tracking to do that, it should be avoided.

About the same blocking can be achieved on the client/user side without third-party tracking.

@Edent @echo_pbreyer If DNS4EU is actually doing that (showing a landing page and unblocking on request for particular user) it's just not what any DNS server should do ever. Won't work properly most of the time because of HSTS, ESNI etc. anyways and makes the UX actually worse than just plain blocking.

@noa how else would you make a user-friendly DNS?

You either serve NXDOMAIN which means you need to be reasonably technical to unblock it (which is how nextdns works).

Or you temporarily redirect to a page which lets the user choose to unblock or not.

Which would you think gets more users?

@Edent IMO: There is no user-friendliness concern at the DNS level. If unblocking of pages by the user should be possible, that needs to be solved at other levels of the stack.

Even ignoring any privacy concerns, trying to serve landing pages just doesn't work properly with encrypted protocols without MITM, and for better or worse that's 99 % of what we're speaking today.

If MITM is an acceptable scenario, then yes there are fewer technical concerns and landing pages can be a solution.

@noa how do you go from "this site isn't available" to "please unblock this site"?

And, let's suppose you have a non-DNS level way of doing that. Where do you record that this specific user doesn't want that specific domain blocked?

At some point you have to save their IP and the domain.

@Edent @noa

How can you redirect when using HSTS?

@kramse @noa
You can't.
But most sites aren't on HSTS.

@Edent @noa a third or so, according to
https://www.ssllabs.com/ssl-pulse/

We can discuss this, but IMHO the concept of inserting a page in between, is unreliable at worst, and harmful to teach users too.

And edit, as Schneier said, give the user a choice to see a pink elephant and they will select it, today we have taught people that clicking through will get on with their task

Unsure about the precise quote, but users don't read warnings and don't know how to react, so it is not helpful


@kramse @noa
Hmmmm. That doesn't match my experience of looking inside it.
https://shkspr.mobi/blog/2024/01/a-quick-look-inside-the-hsts-file/
But there will be multiple ways to measure it.

@Edent @noa asking for the web page and reading the answer in the headers IS the way.

Preload list is nice, but not really indicative of the use of HSTS

We have seen quite a shift into most sites being HTTPS today, and I imagine HSTS use will go up with it, as most testing sites like internet.nl etc check for it.

@kramse @Edent @noa And browsers start to do https by default.
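The exchange above turns on two points: HSTS adoption is best measured by reading the Strict-Transport-Security header from each site's own response rather than from the preload list, and a blocking resolver cannot show a plaintext landing page once a host is under HSTS. The following is an added example, not code from any poster in this thread nor from DNS4EU: it parses the header per RFC 6797, maintains a client-side HSTS cache, and decides whether a browser would ever reach an HTTP warning page for a host. The header values and the stand-in preload entries are constructed sample data.

```python
"""Parse Strict-Transport-Security headers and decide whether a resolver's
plaintext landing page could ever be shown for a given host.

Added example; not code from any poster in the thread nor from DNS4EU.
The header values and the preload entries below are constructed."""
from typing import Dict, Optional

Policy = Dict[str, object]   # {"max_age": int, "include_subdomains": bool, "preload": bool}


def parse_hsts(header: Optional[str]) -> Optional[Policy]:
    """Parse one header value per RFC 6797. Returns None when the header is
    absent or carries no valid max-age, which browsers treat as "no policy"."""
    if header is None:
        return None
    policy: Policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()               # directive names are case-insensitive
        value = value.strip().strip('"')          # max-age may be sent as a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def learn(cache: Dict[str, Policy], host: str, header: Optional[str]) -> None:
    """Update a client-side HSTS cache from a response received over HTTPS.
    max-age=0 removes the host, as the RFC requires; an invalid header is ignored."""
    policy = parse_hsts(header)
    host = host.lower()
    if policy is None:
        return
    if policy["max_age"] == 0:
        cache.pop(host, None)
    else:
        cache[host] = policy


def hsts_applies(host: str, known: Dict[str, Policy]) -> bool:
    """True if the host itself, or a parent domain with includeSubDomains,
    has a policy. `known` is the union of the HSTS cache and the preload list."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        policy = known.get(name)
        if policy and (i == 0 or policy["include_subdomains"]):
            return True
    return False


def landing_page_reachable(host: str, known: Dict[str, Policy]) -> bool:
    """A resolver that answers with the address of its own warning server can
    only show that page if the browser speaks plaintext HTTP to the host.
    Under HSTS the browser upgrades to HTTPS first, and the warning server,
    having no valid certificate for the host, only produces a TLS error."""
    return not hsts_applies(host, known)


# Constructed stand-in for the browser's preload list (the real one ships with the browser).
PRELOADED: Dict[str, Policy] = {
    "preloaded.example": {"max_age": 31536000, "include_subdomains": True, "preload": True},
}

if __name__ == "__main__":
    cache: Dict[str, Policy] = {}
    learn(cache, "bank.example", "max-age=63072000; includeSubDomains")   # constructed
    learn(cache, "blog.example", "max-age=300")                            # constructed
    learn(cache, "shop.example", "includeSubDomains")                      # no max-age: ignored
    known = {**PRELOADED, **cache}
    for host in ("bank.example", "api.bank.example", "www.blog.example",
                 "shop.example", "deep.preloaded.example", "badsite.example"):
        print(f"{host:24} landing page reachable: {landing_page_reachable(host, known)}")
```

A survey that wants per-site numbers feeds `learn()` with the header from each HTTPS response; a resolver operator who wants to know for which hosts a redirect-to-warning-page could even work feeds `landing_page_reachable()` with the same data plus the preload list. Note that the cache is keyed by the exact host, so `www.blog.example` stays reachable above because `blog.example` did not set includeSubDomains.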

@Edent @echo_pbreyer in an era of Carrier Grade NAT, using the IP address to identify the user makes no sense

You could do DoH or DoTLS with a personal URL, but that is not something most users can configure on their systems.

@echo_pbreyer Or get your nearest geek to install a RDNS on your home network such as PiHole. DNS was built to be decentralized.

@echo_pbreyer That doesn't seem to say that they log the IP?

It sounds like they keep your IP* in memory so you don't get reprompted about a site that you've chosen to bypass warnings on.

IMO, that's a *good* thing because it means average consumers won't simply switch away from the service if it accidentally overblocks

*In fact, not your IP, they've gone to quite extreme lengths to anonymise - they're not just masking octets, it all gets HMAC'd with a rotating key: https://142290803.fs1.hubspotusercontent-eu1.net/hubfs/142290803/DNS4EU%20Public%20DNS%20Resolver%20policy%202025.docx.pdf

@ben Ah, I understand now. Ok, that makes sense. But they could do better than storing plaintext IP addresses, no?
@echo_pbreyer True anonymisation has to be irreversible. If they cache the client IP address in an irreversibly transformed way, they can't determine whether the new request IP address matches one that has previously clicked unblock. If they cache the IP in a reversibly transformed way, they may as well just store the address untransformed - the original address is available either way.

@echo_pbreyer

What they're doing can only be achieved by storing some of kind of unique (and semi-persistent) identifier.

The only information available to them to identify the user is an IP, so whatever they do will always have to be derived from that - at a certain point, you're adding computational cost for no routine privacy benefit (where there is benefit though, is if that information somehow leaks).

I think they could do more, but they're also already well above most other providers

To be pedantic, the method they describe is not anonymization of IP addresses but pseudonymization, as it maintains a 1:1 mapping and it is feasible (in cryptological terms) to recover the original IP address from the pseudonymized value.
But still much better than what many other public resolvers do.
Also, dropping queries that have only < 100 requests (per day?) is a good policy, although some cyber security analysis may be lost.
The compromise depends on research goals.
@ben @echo_pbreyer

@puhuri @echo_pbreyer Yeah, that's a fair bit of pedantry.

Rolling the key passed into the HMAC daily is a nice touch too. Assuming that they don't keep a record of the key, that should help prevent correlation across days

@ben @echo_pbreyer HMAC over 4B inputs is nothing safe.

@waldi @echo_pbreyer

I'm not sure I agree, depending on your threat model.

If it's leakage/compromise then the keys covering the relevant timescale also need to be compromised along with the inputs to the modulo (which they claim is derived from the amount of traffic handled over the previous 24h)

If the model is *them* then they'd also need to be lying about not retaining keys, at which point they could just as easily be lying about the whole thing and storing in plaintext anyway.

@waldi @echo_pbreyer Admittedly, that does assume the key is being safely generated etc etc.

If they *were* malicious, it'd probably be easier for them to periodically resolve certain names to an IP they control (with a very short TTL) and see who connects there - correlation of real IP to pseudo-id would then be near trivial
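The three points made above (the HMAC mapping is pseudonymisation, not anonymisation, because the input space is only the 2^32 IPv4 addresses; the daily key roll is what prevents correlation across days; and anyone holding a day's key can invert every token from that day) as an added worked example. This is not DNS4EU's or Whalebone's code: the policy document only says client IPs are HMAC'd with a rotating key, so HMAC-SHA256, an 8-byte token and a random 32-byte key per day are assumptions made here, and the client address is a constructed sample from the documentation range.

```python
"""Pseudonymising client IPv4 addresses with a daily-rotated HMAC key, and
why that is pseudonymisation rather than anonymisation.

Added example; not DNS4EU/Whalebone code. HMAC-SHA256, the 8-byte token and
the random 32-byte daily key are assumptions, not the resolver's actual
construction (which the policy document does not specify in this detail)."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

TOKEN_LEN = 8   # bytes of HMAC output kept as the pseudonym (assumption)
KEY_LEN = 32    # daily key size in bytes (assumption)


def new_daily_key() -> bytes:
    """Generate a fresh random key. A resolver would do this once per day and
    must destroy the previous key for day-to-day correlation to be impossible."""
    return secrets.token_bytes(KEY_LEN)


def pseudonymise(ip: str, key: bytes) -> str:
    """Map an IPv4 address to a fixed-length token under the given day key.
    Same IP and same key always give the same token, so the token can serve
    as a per-day client identifier in retained query logs."""
    packed = ipaddress.IPv4Address(ip).packed            # exactly 4 bytes of input
    mac = hmac.new(key, packed, hashlib.sha256).digest()
    return mac[:TOKEN_LEN].hex()


def invert(token: str, key: bytes, candidates: str) -> Optional[str]:
    """Recover the address behind a token by exhaustive search over a candidate
    prefix, given the key. The whole input space is 2**32 addresses, so with
    the key this is always feasible; without the key it is not. That is what
    makes the scheme pseudonymisation rather than anonymisation."""
    for addr in ipaddress.IPv4Network(candidates):
        if hmac.compare_digest(pseudonymise(str(addr), key), token):
            return str(addr)
    return None


def correlates_across_days(ip: str, key_day1: bytes, key_day2: bytes) -> bool:
    """True if the same client would be linkable between two days' logs."""
    return pseudonymise(ip, key_day1) == pseudonymise(ip, key_day2)


if __name__ == "__main__":
    day1, day2 = new_daily_key(), new_daily_key()
    client = "203.0.113.7"                                # constructed, documentation range
    tok = pseudonymise(client, day1)
    print("token for day 1:          ", tok)
    print("linkable across days:     ", correlates_across_days(client, day1, day2))  # False
    # With the day-1 key, a /16 (65,536 candidates) is searched in well under a second.
    print("recovered with day-1 key: ", invert(tok, day1, "203.0.0.0/16"))           # 203.0.113.7
    print("recovered with day-2 key: ", invert(tok, day2, "203.0.0.0/16"))           # None
```

Searching a /16 takes a fraction of a second in Python; the full IPv4 space is about 4.3 billion HMACs, which is minutes in C and hours here. So the retained six months of tokens are only as pseudonymous as the handling of the daily keys: if a key is kept, leaked, or derived from something guessable such as a traffic counter, every token from that day maps back to an address, while if each key is destroyed at rollover, a given day's tokens cannot be inverted or linked to the next day's.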

@echo_pbreyer Another reason: they offer an option called "Protective resolution with child protection". Putting aside for one moment the question of whether it's ethical to even try to create a blocklist of sites "inappropriate" for children, I think we can all agree that websites helping opioid addicts find naloxone or sterile syringes/needles are good, and we can agree that sometimes children are addicted to opioids, and that therefore it's totally unacceptable to block children from accessing a website like this: https://harmreduction.org/ (and that's literally just the first result for harm reduction on DuckDuckGo)
@echo_pbreyer When I select the “I don’t want X” variant, I definitely don’t want some mitm to allow me to still visit X 🙄

@echo_pbreyer

That may well be how it works technically. But at least the EU General Data Protection Regulation (GDPR) applies to this service, so the briefly stored data must not be used.
I wouldn't demonise the service's good approach right away.

@kdsz_bayern @echo_pbreyer Well, a genuinely good approach wouldn't immediately violate the privacy-by-design requirement.
@echo_pbreyer wait, to be fair, that reads like a reasonable statement. It's talking about optional services that are meant to warn about harmful content, where you can then have individual sites whitelisted for yourself. That they need to store your IP for that (so the whitelisting works) seems entirely plausible.
@DJGummikuh @echo_pbreyer
It only "reads" like that.
First it's "voluntary", then it becomes mandatory.
Then warnings come up for everything that somebody has declared "dangerous". And if you click on it anyway, your IP is stored, and at the next "ideology check" at the latest you're done for.
Sure, that's fantasised for now. But why build governments that are all shifting to the far right a surveillance apparatus from tax money on top of everything?
@DJGummikuh @echo_pbreyer and the advantages mentioned are, imho, technically achievable without #DNS4EU and without government involvement and commercialisation of #DNS4EU.
@Archaide @echo_pbreyer that remains to be seen. Still, I don't find this wording, and the fact that they offer it this way (as other providers, e.g. of VPNs, do too), objectionable in the first place. If you blanket-demonise everything with a governmental background, you can't be surprised when society is eroded further and further by privatisation.

@DJGummikuh @Archaide @echo_pbreyer

They talk about "technically necessary". No, it isn't. When it's clear what is blocked and why, with transparent blocklists like when I run my own pihole, then it's blocked with 0-blocking, DNS to 0.0.0.0. Instead they load a page (so there is positive caching), which in itself already violates DNS principles, and then they also log if you want to continue anyway. And of course only then? As soon as something is loaded (where is that hosted?) it is