Hacker News: HerraBRE's comments

This is neat!

DoH/DoT over Tor will provide stronger security and privacy guarantees across the board, but a well run .odns (anycast, good caches) could probably provide better performance.

The .odns anonymity is strictly weaker than DoH-over-Tor because the .odns operator can see which recursive resolver is in use, and not all such resolvers serve large enough audiences to provide strong anonymity.

The .odns requests are also very easy to identify, monitor and block, and it's likely that metadata (query size, timings) will still leak a fair bit of information, especially if correlated with other network activity.


You can make query size non-snoopable if you include padding, and say, always pad to 512 bytes. I didn't read the article closely, but if this is via TLS, TLS 1.3 includes optional padding in all application data, so should be doable (depending on TLS API design).
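The padding scheme sketched above, written out as an added example (not code from the article or from any of the commenters): it builds a DNS query in wire format and uses the EDNS(0) Padding option (RFC 7830, option code 12, carried in an OPT pseudo-RR per RFC 6891) to round the message up to a fixed block size, so that the length an observer sees no longer depends on the name being queried. Everything here is standard library; the transaction ID, names and block sizes are constructed sample inputs.

```python
import struct

# Constants from RFC 6891 (OPT pseudo-RR, type 41) and RFC 7830 (EDNS(0) Padding, option code 12).
OPT_TYPE = 41
PADDING_OPTION_CODE = 12
UDP_PAYLOAD_SIZE = 4096   # advertised in the OPT RR's CLASS field
OPT_OVERHEAD = 11 + 4     # OPT RR fixed fields (11 bytes) + one option header (code + length)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels terminated by the root label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_padded_query(txid: int, qname: str, qtype: int = 1, block: int = 512) -> bytes:
    """Build a DNS query whose total wire length is the next multiple of `block`.

    The slack is filled by an EDNS(0) Padding option of zero bytes, so a short
    and a long QNAME produce messages of identical size. Padding only helps when
    the message is then wrapped in an encrypted transport (DoT/DoH), which is
    assumed here; on plain UDP port 53 the name is visible anyway.
    """
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS = IN
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    unpadded = len(header) + len(question) + OPT_OVERHEAD
    target = -(-unpadded // block) * block          # round up to a block boundary
    pad_len = target - unpadded
    option = struct.pack("!HH", PADDING_OPTION_CODE, pad_len) + b"\x00" * pad_len
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=extended RCODE/flags, RDLENGTH
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD_SIZE, 0, len(option)) + option
    return header + question + opt_rr


def padding_length(msg: bytes) -> int:
    """Walk a query produced by build_padded_query and return the padding option's length.

    A receiver would do the same walk to locate and discard the padding before
    acting on the message; it ignores the zero bytes, they exist only for size.
    """
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        while msg[pos] != 0:          # skip each label: length byte + label bytes
            pos += 1 + msg[pos]
        pos += 1 + 4                  # root byte + QTYPE/QCLASS
    if ancount or nscount or arcount != 1 or msg[pos] != 0:
        raise ValueError("expected a query with exactly one OPT additional record")
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    if rtype != OPT_TYPE:
        raise ValueError("additional record is not an OPT RR")
    code, optlen = struct.unpack("!HH", msg[pos + 11:pos + 15])
    if code != PADDING_OPTION_CODE:
        raise ValueError("first EDNS option is not Padding")
    return optlen


if __name__ == "__main__":
    # Constructed sample inputs: a short and a long name both come out at 512 bytes.
    for name in ("example.com", "a-much-longer-hostname.example.org"):
        q = build_padded_query(0x1234, name)
        print(f"{name}: {len(q)} bytes, {padding_length(q)} bytes of padding")
```

The block size is a policy knob: padding every query to 512 bytes as the comment suggests hides the name length completely at the cost of bandwidth, while RFC 8467 recommends 128-byte blocks for queries and 468-byte blocks for responses as a cheaper compromise. Note that padding only the query is not enough; response sizes leak at least as much, so the resolver must pad too, and timing remains observable either way.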


I wrote [most of] Mailpile. I'll check back here now and then and try to answer any questions folks have.


That's an interesting idea.

I'd hesitate to implement it though, because of secondary risks. It would need to be thought through very carefully, and there are a whole bunch of abuse scenarios that would need to be avoided or mitigated.

As a rule, Mailpile does very little when it receives a mail - until the user has interacted with it, we have to assume the mail is junk and/or potentially hostile.

See the chapter on Oracles here: https://research.checkpoint.com/cryptographic-attacks-a-guid... - automatically triggering sender-controlled network access based on the contents of e-mail opens the door for such things.

This applies not only to cryptographic attacks, but also to more pedestrian exploitation of bugs in the app itself, or silly things like turning Mailpiles into DDoS attack robots.


Unless your adversary has a time machine, deleting from the server protects your past e-mails from any server-side compromise.

That's not nothing. :-)

But you're right there are trade-offs. If you don't have good backups, you are indeed increasing the odds of data loss by managing the data yourself. That is also true of encryption of data at rest, you are increasing the odds of data loss to buy some protection against unauthorized access. There are always trade-offs.

I had grand visions for how Mailpile could help mitigate such issues by encrypting the mail and re-uploading back to an IMAP server. But I haven't gotten that written, so for now it's just an idea. Someday, I hope.

Disclaimer: I wrote Mailpile. :-D


To expand on this slightly, and illustrate:

I'm going to go out on a limb, and assert that THE most common attack performed against people's e-mail, is a jealous person who knows their partner's password logging on to their e-mail and reading their mail.

I know people who have done this. You probably do too.

People trust each other, people routinely tell their loved ones their passwords. And relationships routinely fall apart and trust is routinely violated.

Deleting from the server mitigates this problem and greatly reduces the window of opportunity for the attacker.

The privacy cost/benefit ratio for routinely deleting from the server probably beats every other privacy enhancing technique out there. Super simple, super effective.

Techies too often forget that privacy isn't just about the NSA, APTs and TLAs. The fact is, the people most interested in violating your privacy are the people who know you personally...


Why do you say it was censored and removed? It's dropped down to page two, but that's perfectly normal once something has been on the front page for a while.


It's only been 5 hours since it was posted, and the story has ~450 upvotes. In contrast, I see another story on the front page right now that was posted 18 hours ago and only has ~250 upvotes.


A big factor of the ranking algorithm is related to the number of comments; as the number increases, the ranking of the article goes down. This is intended to penalize controversial articles that may result in flame wars.

This article has <200 comments, while the other one has >400; this is likely a significant factor in the falling ranking, in addition to the age.

I also believe that upvote velocity is weighted more heavily than upvote quantity, but I could be wrong there.


The comment algorithm seems backwards. I hope HN at least does sentiment analysis to see if the flavor of the comments tends toward being negative before downgrading the post.


It could be the algorithm: Maybe the original EU story got many downvotes from HN users that work at Google?


Is there a way to downvote stories? Maybe you mean it was flagged?


You can't downvote posts


But you can comment, and posts with many comments are penalized.


The HN mods routinely drop stories off the front page which they apparently deem overly political. I've seen many political stories instantly drop from the top 10 to page two.


I actually feel it's misleading and wrong at a very fundamental level; this was the only thing I disagreed with in the whole press release!

Consumers "pay" for Google's services by giving ads attention so the ads have value and Google can sell them.

All the data harvesting is a means to an end: to make the ads more appealing so you'll click. Google don't profit from the data directly; in fact all the data harvesting and processing is a significant cost factor. There are certainly other businesses that resell data and profit directly from data harvesting, but AFAIK, Google is not really one of them.

It's a bit like saying that you pay a café by letting them observe you while you sit in their chairs. A basic misunderstanding of what's actually going on.


But in order to make the advertising business very profitable (this is, in order to give a reason for other businesses to use Google Ads to advertise themselves), Google needs to know all about you: who you are, where you are, what you like, what you don't like, what you like at certain times, what are your needs, etc, etc.

The real value of advertising is in showing the right advertisement at the right time at the right person.

Personal data is to advertisement what sugar is to candy.

Your analogy with the café is very misguided and not related at all to the situation.


It's still a means to an end. You don't pay with your data, you "pay" by interacting with ads.

Consider that Google actually became super profitable well before all the detailed tracking started. You grossly underestimate the synergy of "people searching for products" and "displaying ads". Everything else is an optimization.

You're describing Facebook... which is nowhere near as profitable as Google, in spite of much more invasive tracking.

If you never click an ad and use an adblocker so you never even see them, your traffic and your data just cost Google money. They may be able to extract some small amount of value by observing your behaviour and using those insights to improve their products, but they don't make any money until someone pays for an ad.

I agree the café analogy isn't perfect. I was just pointing out that outsiders who don't understand what's going on may fundamentally misunderstand the transaction. You can still provide value to the café by sitting in their chairs if you liven up the place and give them feedback on how to make the place nicer.

But if customers never buy anything, the café goes broke. And if people stop interacting with ads on Google, Google does too.


You are wrong in stating that if we don't click on ads or use adblockers we are costing Google money.

Even if you don't use the ads or if you simply ignore them, you still represent a group of interests that can be used to feed and train the machine.

Google learns through the searches you make and through the videos you watch and your behaviour will be used to improve the accuracy of ads shown to other people. That's your payment for using Google's services.

The only reason people stop interacting with ads is because ads don't bring any real value, and any data that Google might collect brings up that value a lot.

I think you greatly underestimate the number of people unaware of Google's presence and influence when it comes to advertisement. This number is much bigger than the number of people who install adblock on their browser.


Neither of us knows this, so we may as well stop arguing about it. What we do know, is that running the servers and hiring all those engineers costs money, and their revenue is almost entirely ads.

I don't think it's a stretch to assert that users that engage with and click on ads are much more valuable to Google than users that don't.

Whether the users that do neither contribute positively or negatively to the bottom line is an interesting question. I suspect they're a net negative, but obviously you disagree.

Google themselves probably know the answer, but I doubt they're telling...

Aside: a supporting data-point for my gut feeling here is that AdSense has always contributed much, much less to Google's revenue than AdWords does. The difference between the two gives a clear indication of how capturing user intent (searching for products) completely dominates how valuable (=effective) the ads are, and is much more important than all the other tracking combined. Google could probably turn off all the tracking and still make tons of money. Some numbers are here: http://www.investopedia.com/articles/investing/020515/busine...


Also you can't adblock a paid top-ranked search result, so even if you don't click, and even if you know it's an ad, you've seen the brand in the top result, and the brand pays Google for that.


No it's not so you will click it. They collect the data from customers and offer it to the advertisers. The data is a big part of the product they sell to advertisers: targeted advertising. They don't sell user clicks (why would anyone pay for that?), they sell targeted advertising.


That is not how Google's business works.

Advertisers quite literally pay for clicks. That was part of how Google disrupted the market back in the day; most other advertising networks were selling "impressions", but Google was so confident in the relevance of their ads that you got impressions for free and only paid when a customer actually clicked on it.

The click is worth paying for, because it is a signal that the user has seen the ad, thought about the ad, and is interested in the ad. Advertising gold.

Obviously Google have many products (they bought DoubleClick, an "impressions" company), and there are analytics value-adds and all sorts of things. But the core of their business is still pay-per-click advertising.

Your idea that advertisers are buying raw data is a misunderstanding.


The "pay for click" is how they sell their product to advertisers. But advertisers do not pay for clicks. A click is worthless. They pay because they know that their adverts are being shown to the right people and there's a guarantee there in the "pay for click" thing. In order for Google to actually get those clicks, it must show them to the right people, and it does that by targeting.

Google sells targeted advertising, not clicks. Nobody pays for clicks. I do not think advertisers are buying raw data. I think they are buying advertising which is targeted based on that raw data.


This is still a muddled view of things.

In pay-for-click, advertisers are paying for advertising which is effective. The click is how that is measured.

There are other ways to measure effectiveness, but measuring clicks is simple and reliable. No matter how you do it, advertisers ultimately want to pay for ads that work and lead to sales.

Everything else is a means to an end, targeting in particular. Ineffective advertising is a worthless waste of money, no matter how well targeted it is. Untargeted advertising which leads to sales on the other hand, is very valuable.

So sure, advertisers will prefer targeted advertising. But that's because they expect it will work better than the alternative. What matters to them is whether it works, not how.

To the general public the how is critical though. If there was less tracking and spying and data harvesting we'd all be better off. So it's very important to squash the misunderstanding that tracking and targeting itself has intrinsic value for anyone. For society (and for the ad networks), tracking has a significant cost and is in many ways a significant liability. For advertisers it's a tool in their toolbox, and if we could replace it with a more benign one, that'd be good for everyone.


If the social contract says "delete things when you see a delete message", then that's useful in a federated environment.

Only bad actors will disobey and they will have to modify their software in order to do so. This doesn't provide absolute protection against bad actors, but since most bad actors don't own a time machine, it reduces the scope of the harm they can enact.

Consider the adversary "angry ex-boyfriend." Let's assume he wasn't always angry and isn't a sociopath. By the time he has become angry, the sensitive posts have already been deleted. This makes a difference in real life to real people.

There is indeed a user-interface concern, to not over-promise to the end-user. But that doesn't justify leaving such a useful thing out at the protocol level.


> Only bad actors will disobey and they will have to modify their software in order to do so.

I have an hourly bup backup for each of my servers, that goes to a backup host. I am not a bad actor, have not modified any software, and yet if I run an activityhub server I will have a complete timeline at 1hr granularity, so basically anything not deleted within minutes of posting.

(Considering a switch to borg backup when I have the time to really evaluate it)


>> most bad actors don't own a time machine

You mean besides me, of course. XD

EDIT: It's a joke people, for Pete's sake.


Actually, this is a real issue. For one, there is the Wayback Machine, which could very well see increased usage and mindshare as legally mandated content takedowns increase. For another, if, say, Facebook wanted to harvest data from this network to create shadow profiles and flesh out missing patterns in their analytics, then they could easily follow everything, keep the raw data/content internal, and never develop the ability to retroactively un-analyze that data when a delete request comes in.


This is a legitimate concern.

I would not put it past Facebook (or other businesses which are addicted to harvesting user data) to behave badly against networks like this. However, for the sake of their reputations they'd still probably do it quietly, which means many of the person-to-person attacks that deletion protects against would still be thwarted.

This is a problem the same way Facebook's privacy controls are a problem. Facebook themselves are not bound by them, but they're still useful if you want to protect your data from other users of the platform.

And FWIW, I think most of the big crawlers respect robots.txt - this is the same sort of thing.


People keep saying that. Lots and lots of species will go extinct before we do. And it will be our fault.

Sure, the hunk of rock we call a planet will go on, and life will go on, but claiming we are the only casualty here is profoundly wrong.


I am so happy to hear somebody say this. But to take it even further than the extinction of species: nobody seems to care about the suffering and/or loss of billions of individual animal lives that are and will be occurring as a direct result of our negligent behaviour.


It's not mentioned in the article, but there is an underlying point that affects hiring for roles like this: you need people who can and will admit they don't know everything and will ask for help rather than wing it.

"Rock stars" are downright dangerous, as are people who prefer to make things up rather than admit ignorance.

A new SRE doesn't need to know everything (and can't). But he absolutely needs to be curious and willing to ask for help.


It's an interesting dilemma in my mind. I remember reading through the SRE book about how SREs are required to have both depth and breadth. Seems like a nearly impossible target to hit IMO, so how are you supposed to simultaneously reconcile deep/broad abilities with humility when hiring for SREs?


Our litmus test is this; I don't know if it gets to the heart of the question, but I feel it does.

We look at, essentially (but not unequivocally), these things:

1. Proven experience and desire to learn is a must. One of the best I have ever worked with came from a place where they worked pilot projects, and had to manage all their infrastructure themselves as the developers. No certs, no formal SRE experience (i.e., that's not why he was employed previously). One of the best. He loved the work, and I could tell he learned so much doing this. It doesn't have to be this extreme, but having a proven interest in this line of work is top priority.

2. Is their depth better than their breadth? It is correct that you need a LOT of breadth, however I value the depth first. I'd rather someone have, say, a medium amount of breadth on the different technologies out there and a lot of depth on core subjects, like container management (this happens...everywhere nowadays) or cluster management. I don't need you to know every single implementation of this in depth though. I need you to at least know one implementation of this in depth. I can build on that.

3. Because of the first 2, I need someone who is team oriented, as always.


(I'm an SRE at Google. My opinions are my own.)

> core subjects, like container management (this happens...everywhere nowadays) or cluster management

Curiously, these are subjects which most Google SREs won't know much about. One team deals with all that stuff as a service so the rest of us can get on with something else.

What would I pick out as our core skill sets? Ignoring technology-specific details that won't apply anywhere else: troubleshooting a system that you don't understand (reverse-engineering it as you go), and non-abstract large system design.


Mostly it meant SREs tended to be older than other engineers at Google (I was an SRE there for a while), I think by an average of nearly a decade.

Broad experience, depth on a few topics. It's not impossible at all, it just takes time.

(edit: Note this may have changed since I left the company in 2009. It's been a while!)


Depth + breadth is another way of saying experience. Program long enough and you'll learn all sorts of little nasty things about garbage collection and permissions and TCP packet headers and faulty JSON parsers. All of it crystallizes into those little moments when you think "I've seen this shit before".


I always reconciled this as a T shaped graph instead of a box. It's important to have depth in the service area you can control and a breadth of understanding across your dependencies since Google builds service oriented architectures.


You don't, you just wait and struggle to find the 0.00x % of people who fit the role.

There is a reason that this is an impossible-to-fill role.


Mailvelope is a much better choice if your goal is to interact with the existing OpenPGP ecosystem; E2E was using ECC keys only if I recall, which makes their crypto incompatible with many other OpenPGP setups.

The E2E promise was that with Google's backing, suddenly millions of people would/could encrypt and PGP would take a big step forward, making some forced upgrades in the rest of the community worthwhile. That is seeming less likely to happen now.

