Free Republic
Google is at it again, new YouTube security threat
8/4/24 | Member

Posted on 08/04/2024 12:35:56 PM PDT by Openurmind

To: Openurmind

Restart, Load NordVPN before doing anything and then proceed or are the hidden cookies going to give you away?


81 posted on 08/12/2024 3:42:22 AM PDT by Tunehead54 (Nothing funny here ;-)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Openurmind

Security vs. Convenience

More than 70 percent of computer users choose Convenience entirely.

Too many users click on links in e-mail messages and text messages. DO NOT CLICK ON ANY LINK IN AN E-MAIL MESSAGE NOR IN A TEXT MESSAGE.

As a security guy, years ago, I used to “watch” the sun rise around the globe . . . by observing the morning-time, TURNING ON, of Windows OS machines that were compromised.

Thailand . . . India . . . Egypt . . . Morocco . . . Cayman Islands . . . Samoa . . .


82 posted on 08/12/2024 3:51:39 AM PDT by linMcHlp
[ Post Reply | Private Reply | To 1 | View Replies]

To: linMcHlp

Boy are you right. If you want to be safe you need to make the extra effort and make sacrifices period. You can’t be lazy.

“Too many users click on links in e-mail messages and text messages. DO NOT CLICK ON ANY LINK IN AN E-MAIL MESSAGE NOR IN A TEXT MESSAGE.”

And even just opening that email itself can nail you. That is why I never use a local email client. Opening them up on someone else’s remote server is much safer. And even at that never click links unless you absolutely KNOW they are from a trusted source.


83 posted on 08/12/2024 5:56:42 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 82 | View Replies]

To: Tunehead54

“Restart, Load NordVPN before doing anything and then proceed or are the hidden cookies going to give you away?”

I am not sure what protections Nord can give you to prevent loading the JavaScript into your browser. They have the mess packaged with the JavaScript. And they make your browser accept the JavaScript to even use their site. Once it is attached to your browser it is riding around with you everywhere you go with that browser.

What they are doing should be illegal. They should dump absolutely nothing into your browser unless you agree to it. Some sites do this by telling you that it uses cookies and asks if you agree to them. Most sites do not, they just secretly dump them on you as soon as you land on the page.

At the very least they should have to have a disclaimer that they are using hidden tracking cookies even if you just happened to land there and have not agreed.


84 posted on 08/12/2024 6:13:34 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 81 | View Replies]

To: linMcHlp

“Security vs. Convenience

More than 70 percent of computer users choose Convenience entirely.”

Even worse is the addiction. You could prove that a user is going to get an unwanted anal exam if they go there and they will STILL go there anyhow.

And this is why we have the problems we have. No one can just say no and boycott these sites en masse. If they did it would change.


85 posted on 08/12/2024 6:36:50 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 82 | View Replies]

To: Openurmind

When I saw those settings I thought something was wrong. The same thing happened when I opened up Google Maps and my GMail. You’re right, though, this is gonna be a learning curve for me, and it angers me that Google is the cause of all this. If I can ever get away from all things Google I will; email, Youtube, everything, at least as much as I can.


86 posted on 08/12/2024 7:20:51 AM PDT by ducttape45 (Jeremiah 17:9, "The heart is deceitful above all things, and desperately wicked: who can know it?")
[ Post Reply | Private Reply | To 80 | View Replies]

To: ducttape45

It is not just Google. They are obviously much more aggressive at doing it than others because they are the government tracking folks. But just about every site is doing it in the name of “free market advertising”. Despite the “business can never do wrong” cult there IS A LIMIT!!! This is pick-pocketing our wallets and private credentials! Pick-pocketing is a CRIME... It is THEFT not “business as usual”.

It is basically legal HACKING.

And it gets worse. There are a lot of platforms now cryptojacking. Any site that makes you install an app/client to use their platform is cryptojacking your resources. I even caught Starlink installing a client that was cryptojacking my resources behind my back. It is a damned carnival full of scam stands...


87 posted on 08/12/2024 7:47:00 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 86 | View Replies]

To: Openurmind

When you connect to the Internet, the Internet connects to you.


88 posted on 08/12/2024 6:10:32 PM PDT by linMcHlp
[ Post Reply | Private Reply | To 85 | View Replies]

To: linMcHlp

“When you connect to the Internet, the Internet connects to you.”

Yep.


89 posted on 08/12/2024 6:14:11 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 88 | View Replies]

To: Openurmind

“So it detected the second IP address trying to access my account along with my current IP address as soon as I landed on youTube.”

What are the first 16 bits of the “second IP address”? Are they always the same?


90 posted on 08/12/2024 8:40:17 PM PDT by steve86 (Numquam accusatus, numquam ad curiam ibit, numquam ad carcerem™)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Openurmind

bookmark


91 posted on 08/12/2024 8:47:08 PM PDT by Loud Mime (Liberalism is a Socialist Disease. )
[ Post Reply | Private Reply | To 10 | View Replies]

To: steve86

“What are the first 16 bits of the “second IP address”? Are they always the same?”

I have no way to check that without going through thousands of server hit logs. I didn’t think to do that right away like I should have. Our site security tool doesn’t give me this information off hand. It just detects and protects automatically by kicking us out when it sees a new IP address hijacking an account. Or... if someone’s dynamic IP changes during a session. But my own IP address did not change, it remained the same. That was the first thing I checked.

Are you familiar with a particular problem address? I could ban an address if it is consistent and the same like that... That would help protect the site, but it wouldn’t help the user’s browser hole much?


92 posted on 08/12/2024 8:53:05 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 90 | View Replies]

To: Openurmind

How do you know it was a Google address if you do not know the Class B part of the address?


93 posted on 08/12/2024 9:09:44 PM PDT by steve86 (Numquam accusatus, numquam ad curiam ibit, numquam ad carcerem™)
[ Post Reply | Private Reply | To 92 | View Replies]

To: steve86

I guess they no longer use the “Class” system and have switched to Classless Inter-Domain Routing (CIDR) which I know nothing about.


94 posted on 08/12/2024 9:16:29 PM PDT by steve86 (Numquam accusatus, numquam ad curiam ibit, numquam ad carcerem™)
[ Post Reply | Private Reply | To 93 | View Replies]

To: steve86

Because I had only one site up, our own. And when I copied and pasted a Youtube link into another tab it kicked me out because it detected the New IP address. Simultaneously I got a cross site warning from NoScript about Youtube by name trying to identify.

There was no other source it could be. I had just cleared my cache and had only logged into our own site. NoScript straight up told me the source. I repeated it two more times with the exact same conditions with the same results.


95 posted on 08/12/2024 9:25:26 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 93 | View Replies]

To: steve86

I could have tracked down the address if I had gone right to my server hit logs and dug around for a few. It would have shown me the address change hit to my account session.


96 posted on 08/12/2024 9:29:42 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 94 | View Replies]
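An added example, not part of any post in this thread and not the site's own security tool: one way to pull session address changes out of server hit logs and report the leading 16 bits of each address, as asked in post 90. The log format, field names and sample lines are constructed assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed sample in a hypothetical "time ip sess=ID path" format.
SAMPLE_LOG = """\
2024-08-12T21:01:05 192.0.2.10 sess=a1f3 /forum/index
2024-08-12T21:01:40 192.0.2.10 sess=a1f3 /forum/thread/42
2024-08-12T21:02:02 198.51.100.7 sess=a1f3 /forum/thread/42
2024-08-12T21:02:10 203.0.113.5 sess=b7c9 /forum/index
2024-08-12T21:03:00 203.0.113.5 sess=b7c9 /forum/thread/9
not a log line
"""

def prefix_net(ip):
    """Enclosing network: /16 for IPv4 (the 'first 16 bits'), /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    bits = 16 if addr.version == 4 else 48   # /48 is an assumption for IPv6
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

def parse_line(line):
    """Return (time, ip, session, path), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].startswith("sess="):
        return None
    try:
        ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return parts[0], parts[1], parts[2][len("sess="):], parts[3]

def session_ip_changes(log_text):
    """List every hit where a session arrives from a different address."""
    last_ip, events = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                          # skip junk rather than abort
        ts, ip, sess, path = rec
        prev = last_ip.get(sess)
        if prev is not None and prev != ip:
            old_net, new_net = prefix_net(prev), prefix_net(ip)
            events.append({
                "time": ts, "session": sess, "path": path,
                "old_ip": prev, "new_ip": ip,
                "old_net": old_net, "new_net": new_net,
                # True suggests a dynamic-IP change inside one provider block
                "same_net": old_net == new_net,
            })
        last_ip[sess] = ip
    return events

if __name__ == "__main__":
    for event in session_ip_changes(SAMPLE_LOG):
        print(event)
```

The `new_net` value can then be compared with a WHOIS lookup to see which network actually owns the second address.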

To: Openurmind

I’m confused by this. You are positive the “second IP address” isn’t merely a different YouTube host than the first browser instance was being serviced by? That’s what it sounds like to me.


97 posted on 08/12/2024 9:43:39 PM PDT by steve86 (Numquam accusatus, numquam ad curiam ibit, numquam ad carcerem™)
[ Post Reply | Private Reply | To 96 | View Replies]

To: steve86

Nope, I was fresh and logged into my account in our site. As soon as I clicked submit to a Youtube link in a second tab all hell broke loose and my site detected an address change and immediately kicked me out while NoScript hit me with the cross site warning about Youtube BY NAME. I had absolutely nothing else happening from any other source. It was the action of loading the Youtube page that set it all off. >And my site would not have kicked me out unless it absolutely detected an address change to my account<. Except I checked my own IP address and it had not changed.

Like I say, I started from scratch with a clean cache and replicated it two more times. It was a bot server from Youtube with a different IP address hitchhiking into my account. There is no mistake.

Simultaneous warning from NoScript:

“You are about to load a page from timelessauthors.com
if you are a timelessauthors.com logged in user, information
about your identity might be acquired by youtube.com”


98 posted on 08/12/2024 10:08:14 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 97 | View Replies]

To: steve86

This isn’t my first rodeo with Youtube. Years ago they were accessing cameras and microphones. And all you had to do is land on their page. No login required to get hit with the requests.


99 posted on 08/12/2024 10:25:59 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 97 | View Replies]

To: Openurmind

Had someone ask this great question on the side:

“I see the DOJ and various other search pages have embedded YOUTUBE videos. Can Google do its spyware thing with embedded youtube videos?”

The answer is yes. At request of this prominent member I am sharing a post from our site about it:

“Since the beginning our main goal and principle here has been to provide a safe and private place to practice free speech without worry. And currently this has become even more important than ever. We have done everything we can with the tools we have to make the domain as secure as possible for our members. We have no leaks of our own implemented to the outside world or third parties such as click counting revenue, fingerprinters, or user data collecting. We take pride that we are able to do this even though we take a hit by not being able to take advantage of Search Engine Optimization to spread and advertise the domain content so more find us. Bots are turned off so that they cannot access any of our content.

Now let me get to the current problem at hand. The government is sneaking in the backdoor using 3rd and 4th party spyware content collection, tracking, and fingerprinting scripts through the media embedding system. We cannot stop it as long as we are allowing it to be utilized. And they are collecting data to sell for themselves and not giving the TA one dime of it. We don’t want it, and we don’t want them coming in the back door like they are. But as long as we allow embeds of certain domain services it will continue.

Now to be clear it was NOT like this when we started the domains here. There were only a couple benign scripts that were fairly harmless and did not collect information or content. But now they have gotten out of hand and are adding too many 3rd and 4th party hitchhikers in with the embeds. Now it is not all of them, most are still safe to embed. It is only Youtube and Twitter who are raping us through the backdoor like this. Rumble and other services are so far still safe. So we will leave them as embedded until they are no longer safe.

Used to be, Youtube only had the one “Youtube.com” script which only told them what domain the video was viewed at. We didn’t mind this. But now they have a whole suite of tracking, fingerprinting, data collection, and revenue scripts from Google included. This is a huge security risk for the members and the domain here. As soon as it is posted they execute real time connections and a data gathering process in that thread and even follow you around to other threads and other websites. Twitter used to be safe also, but now they are also letting too many scripts ride in that are doing the same thing. Musk has recently made a deal with Google to collect data and information.

We now have no choice but to shut them off from embedding if we want to actually protect the privacy of our members and the domain. Now here is the only difference. We can indeed add the link in our post of the video over at Youtube or Twitter post and it is safe for us. It will just open in a new tab to go watch it at Youtube or Twitter without any connection to us here at all because I have “no follow” implemented to prevent tracking back to us.

We stalled this as long as we could for you but they have both recently added a whole bunch more scripts to their embeds. They have made it unacceptable and I really hope more domains do the same thing we are now forced to do. We have only one request that would be very courteous if you don’t mind. Please copy and paste, or create, the short title of the Video or Post over at Youtube or Twitter when you add a link so that members have some idea what the content of that media is in that link. But please continue to post all the video links you like! We still need these to go watch!

Thank you for your patience and understanding. But we should not be helping Youtube, Twitter, Google, or the Government gather data on our members or the domain or make money off of our website. It would be absolutely wrong for us to continue to do this because of our own principles of privacy and security. Please add any questions or comments you might have. And if you would like to know what these scripts are connected to on their end just let me know. It will scare you...”

And it gets worse. These embeds are not only collecting information, they are READING every post folks make in the thread they are posted into. So even though our forum is not public and behind closed doors except to logged in members, They are STILL gathering everything we post in that thread where there are embeds. And like the FR we have absolutely NO 3rd party API services, so allowing embeds was a huge security risk for us and we had to drop embeds for both Youtube and Twitter. Musk tied Twitter directly to Google and the Government tracking machine just recently.

Seriously, get “NoScript” and see for yourself what all these sites are doing to us with real time 3rd party API scripts. You can disable it if you like, but it is scary as hell when you hit a site with 75 3rd party scripts it hits you with even though you are not logged in, just landing on their homepage loads you up with these because it is packaged in their JavaScript.

Both Twitter and Youtube are doing this. And just recently even the “trusted” Rumble and Truth Social are doing it too. It is way past time for a reset and boycott of everyone who is using Google 3rd party services. In fact, as soon as I get caught up with extreme life challenges I am going to get a domain and build another site dedicated to exposing every website that uses these spy 3rd party services.

They are HIDDEN and no one knows what kind of crap pile they are stepping into when they land on a site. It is time to put a stop to this mess... I used to use this tool to check websites for safety and connections:

https://themarkup.org/blacklight

This is absolute BS:

https://themarkup.org/about

The last year I have investigated and discovered they are working with the U.S. intelligence services serving the CIA, FBI, NSA, and DoD intelligence agencies. So they hide information about all the government tracker scripts when you try to check a site. It does no good to use it anymore if you are looking for government connections.

Thank you for asking, it is time, folks need to understand the whole truth of it... :)


100 posted on 08/23/2024 11:25:03 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 1 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
